
Zero Day Vulnerability and What's Managed by Devicie

Overview

This document covers expectations about zero day vulnerability patching and what Devicie can help you patch.

The document will cover:

  • Windows OS updates
  • Devicie back catalogue applications
  • Intune applications
  • Microsoft store apps
  • Third-party applications

Windows Operating System Patches

Devicie deploys a set of Windows update policies to all customers depending on their requirements and needs. Windows updates are typically deployed to pilot, UAT and production groups in turn.

In the event of a zero day vulnerability, customers may want to patch the OS vulnerability as soon as possible without waiting for the standard patching process.

There are two ways Windows updates can be published to patch zero day vulnerabilities:

Out of band updates

Out of band updates are updates released by Microsoft outside of the normal "Patch Tuesday" patching cycle, which happens on the second Tuesday of the month.

Out of band updates can be deployed from Intune using the "Quality updates for Windows 10 and later" feature. They do not follow the standard deferral and restart-notification behaviour of normal Windows updates.

Once the quality update profile has been assigned, it will start to roll out to all targeted devices in the environment without any delays. The "days to wait before restart" can be set to 0, 1 or 2 days, after which the device will restart with 15 minutes' warning. Users will not be able to schedule the restart, and the restart will not wait until the device is outside of business hours.

Patch Tuesday updates

Patch Tuesday updates can be deployed urgently using the same "Quality updates for Windows 10 and later" feature. As with out of band updates, they will start to roll out to all targeted devices in the environment without any delays. The "days to wait before restart" can be set to 0, 1 or 2 days, after which the device will restart with 15 minutes' warning. Users will not be able to schedule the restart, and the restart will not wait until the device is outside of business hours.

Note

Devicie recommends that all operating system patches are deployed and tested on a subset of pilot users before they are assigned to the rest of the production environment.

Back Catalogue Applications

Devicie provides an extensive list of back catalogue applications to customers. Devicie guarantees that applications deployed through the back catalogue are patched and deployed to users within 48 hours of the version release date, unless otherwise specified by the customer. Customers can opt in to a longer delay period for production devices, as well as different delays for different groups of users such as pilot, UAT and production.

Some applications, such as Google Chrome, require the user to close the application in order for the update to complete. Devicie cannot force close an application on end users' devices. Customers need to notify their end users should an application require a restart in order to update.

Devicie's product does not have a built-in vulnerability scanner. Devicie does not guarantee that the latest version of a deployed application is not vulnerable.

Should a customer find the latest version of an application to be vulnerable, they must contact Devicie to have that version removed and the previous, non-vulnerable version assigned to the devices.

Intune applications

Intune applications are apps that Devicie may acquire and assign for you in your tenant. These applications are not packaged, maintained or updated by Devicie; they are managed and maintained by dedicated teams at Microsoft. The applications are Microsoft 365 Apps and Microsoft Edge.

Microsoft 365 Apps

While Devicie doesn't maintain this application for you, we will help you deploy Office templates and set up "OneDrive Known Folder Redirect".

Updates to the application are usually configured to install from the "Monthly Enterprise Channel", unless otherwise requested by the customer. Monthly Enterprise Channel updates are released on the second Tuesday of the month along with the Windows updates.

Microsoft Office applications will update following the release channel set in Intune. They do, however, require the Office applications to be closed in order for the update to take place.

There is currently no native Intune integration to force update Microsoft Office applications. If a zero day vulnerability is discovered in the Office products, Microsoft recommends that you follow the guide below to force updates on the apps:

Update Microsoft 365 using administrative templates in Microsoft Intune | Microsoft Learn

Important

Adding a version to the "Update version" field may result in Office installations getting stuck on the version specified. Deploy the policy with the "Update version" field blank so that the policy doesn't hard-code a version onto the device.

Note: Forcing the Microsoft Office applications to update will force close the applications and start the update as soon as the policy is received by the devices.

Devicie recommends that Microsoft Office patches are deployed and tested on a subset of pilot users before they are assigned to the rest of the production environment.
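The "Important" caveat above is easy to verify on a device. The following PowerShell audit is an added example (not Devicie's or Microsoft's code): it reads the standard Office update policy and Click-to-Run configuration registry locations and reports whether a target version is pinned. It assumes that the Intune "Update version" setting writes the Office "Target Version" policy value (`updatetargetversion`), and that the channel GUIDs match Microsoft's published Office CDN base URLs.

```powershell
# Added example: audit one device for a pinned Office "Update version" (Target Version)
# and report which update channel it follows. Run in an elevated PowerShell session.
# Assumption: the Intune "Update version" field maps to the updatetargetversion policy value.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$configKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Channel GUIDs taken from the Office CDN base URLs (assumed mapping).
$channelNames = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
}

function Get-OfficeUpdateAudit {
    # Both keys may be absent (no policy applied, or no Click-to-Run Office installed).
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $config = Get-ItemProperty -Path $configKey -ErrorAction SilentlyContinue

    # The last URL segment of CDNBaseUrl identifies the channel the device is actually on.
    $cdn     = [string]$config.CDNBaseUrl
    $guid    = ($cdn -split '/')[-1]
    $channel = if ($channelNames.ContainsKey($guid)) { $channelNames[$guid] } else { "Unknown ($cdn)" }

    # A non-empty target version means the device will not move past that build.
    $pinned = -not [string]::IsNullOrWhiteSpace($policy.updatetargetversion)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $config.VersionToReport
        Channel          = $channel
        PolicyChannel    = $policy.updatebranch
        TargetVersion    = $policy.updatetargetversion
        AutoUpdates      = $policy.enableautomaticupdates
        VersionPinned    = $pinned
        Finding          = if ($pinned) { 'Clear the Update version value; device is held at the pinned build' } else { 'OK' }
    }
}

Get-OfficeUpdateAudit | Format-List
```

Run it on a pilot device after the force-update policy has applied; a `VersionPinned` of `True` means the policy was deployed with a version filled in and the device will not receive later builds until that value is cleared.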

Microsoft Edge for Windows 10 and later

Microsoft Edge is typically configured to update from the "Stable" channel, unless otherwise requested by the customer.

While Microsoft Edge updates will download and install on the device, they will not finish applying until the browser is closed and reopened or the device has rebooted.

If a zero day vulnerability is discovered in the browser, you need to notify your end users to close and reopen the browser for the update to finish installing.

Microsoft store apps

Devicie only deploys Company Portal as part of the onboarding process. Devicie does not support the installation, maintenance, or updates of Microsoft Store apps.

Any issues with an app should be referred to Microsoft or the application publisher.

Third Party Apps

Third party apps include bespoke applications packaged by Devicie, or line of business apps packaged internally by the customer's own team.

Devicie does not maintain or scan third party applications for vulnerabilities. Devicie can help you patch a bespoke application by creating a new bespoke app with a version that patches the vulnerability. Bespoke applications are charged per package. If an application needs to be uninstalled, an uninstall bespoke application must be packaged to remove the vulnerable version.