Microsoft Intune: Windows Quality Update management policies

🚨 The Signal: Intune now allows granular management of Windows quality updates, including non-security and out-of-band patches. This enables precise control over update approvals and rollout, enhancing patch management and reducing operational risk.

The Impact

Security teams and Intune admins are affected: both gain enhanced control over OS patching, which reduces exposure to unpatched vulnerabilities.

  • Security Teams: Improved ability to enforce OS patching policies, reducing attack surface.
  • Intune Admins: New capabilities for granular update management, requiring policy configuration.
  • Organisations: Better compliance with patching requirements, strengthening overall security posture.

The Action

  1. Navigate to Microsoft Intune admin center > Devices > Windows > Quality Updates.
  2. Create a new Windows quality update policy.
  3. Define automatic approval rules for specific update types (e.g., non-security, out-of-band).
  4. Configure rollout options, including deferral periods and assignment groups.
  5. Assign the policy to relevant Windows device groups.
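
Once policies exist, the approval rules, deferral periods and assignments from steps 3 to 5 can be checked in bulk. The following is an added example, not Microsoft's code or part of the original page: it assumes policies exported as JSON in the shape of the Microsoft Graph beta windowsQualityUpdatePolicy resource (property names should be verified against current Graph documentation), with assignments merged in by the exporter. The function name, the 14-day limit and the sample policies are constructed for illustration.

```powershell
# Added example: audit exported quality update policies. Sample data is constructed.
# Assumed source: GET https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies
# Assumed shape: Graph beta windowsQualityUpdatePolicy, with each policy's assignments merged in.
$policiesJson = @'
[
  { "displayName": "Ring 1 - Pilot",
    "approvalSettings": [
      { "windowsQualityUpdateCadence": "monthly",   "windowsQualityUpdateCategory": "security",
        "approvalMethodType": "automatic", "deferredDeploymentInDay": 0 },
      { "windowsQualityUpdateCadence": "outOfBand", "windowsQualityUpdateCategory": "security",
        "approvalMethodType": "automatic", "deferredDeploymentInDay": 0 } ],
    "assignments": [ { "target": { "groupId": "00000000-0000-0000-0000-000000000001" } } ] },
  { "displayName": "Ring 2 - Broad",
    "approvalSettings": [
      { "windowsQualityUpdateCadence": "monthly", "windowsQualityUpdateCategory": "nonSecurity",
        "approvalMethodType": "manual", "deferredDeploymentInDay": 21 } ],
    "assignments": [] }
]
'@

function Test-QualityUpdatePolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [int] $MaxDeferralDays = 14   # assumption: replace with your own patching deadline
    )
    foreach ($p in $Policy) {
        $findings = @()
        # Step 5: a policy with no assignment protects no devices.
        if (-not $p.assignments) { $findings += 'not assigned to any device group' }
        # Step 3: confirm an approval rule exists for out-of-band updates.
        $cadences = @($p.approvalSettings | ForEach-Object { $_.windowsQualityUpdateCadence })
        if ($cadences -notcontains 'outOfBand') { $findings += 'no approval rule for out-of-band updates' }
        foreach ($s in $p.approvalSettings) {
            $rule = "$($s.windowsQualityUpdateCadence)/$($s.windowsQualityUpdateCategory)"
            # Step 3: rules that are not automatic wait on an admin before rollout starts.
            if ($s.approvalMethodType -ne 'automatic') { $findings += "$rule needs manual approval" }
            # Step 4: deferral longer than the limit delays the patch past the deadline.
            if ($s.deferredDeploymentInDay -gt $MaxDeferralDays) {
                $findings += "$rule deferred $($s.deferredDeploymentInDay) days (limit $MaxDeferralDays)"
            }
        }
        [pscustomobject]@{ Policy = $p.displayName; Findings = $findings; Compliant = ($findings.Count -eq 0) }
    }
}

Test-QualityUpdatePolicy -Policy ($policiesJson | ConvertFrom-Json) | Format-List
```

With the constructed sample, "Ring 1 - Pilot" reports no findings, while "Ring 2 - Broad" is flagged for having no assignment, no out-of-band rule, manual approval and a 21-day deferral.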

Domain: Intune · Impact: high · Workload: Intune · Essential Eight: Patch Operating Systems · ISM: ISM-1407, ISM-1501, ISM-1621, ISM-1622, ISM-1623, ISM-1654, ISM-1655, ISM-1694, ISM-1695, ISM-1696, ISM-1701, ISM-1702, ISM-1877, ISM-1889, ISM-1902