Microsoft Intune: Windows Quality Update management policies
🚨 The Signal: Intune now allows granular management of Windows quality updates, including non-security and out-of-band patches. This enables more precise control over update deployment, directly impacting an organisation's patching posture and ability to respond to emerging threats.
The Impact
Security teams and Intune administrators gain enhanced control over Windows patching, which reduces the risk of unpatched vulnerabilities.
- Security Teams: Reduced risk from unpatched OS vulnerabilities.
- Intune Administrators: Increased control over update deployment schedules.
- Compliance Officers: Improved ability to demonstrate patching compliance.
- End Users: Potentially fewer unexpected reboots from non-security updates.
The Action
- Navigate to the Microsoft Intune admin center > Devices > Windows > Quality Updates.
- Create a new 'Windows quality update policy' or modify existing ones.
- Configure 'Update types to automatically approve' for security, non-security, and out-of-band updates.
- Define 'Rollout options' including deferral periods and assignment groups.
- Review and assign policies to relevant Windows device groups.
Domain: Intune · Impact: high · Workload: Intune · Essential Eight: Patch Operating Systems · ISM: ISM-1407, ISM-1501, ISM-1621, ISM-1622, ISM-1623, ISM-1654, ISM-1655, ISM-1694, ISM-1695, ISM-1696, ISM-1701, ISM-1702, ISM-1877, ISM-1889, ISM-1902