Staying Up to Date Isn’t a Nice-to-Have for MSPs. It’s the Job


Every MSP says they want to “stay up to date”.

Most even believe they are.

But in reality, a lot of MSPs are running today’s clients on yesterday’s knowledge — and hoping no one notices.

The uncomfortable truth is this:
staying current isn’t something you do on the side of your job as an MSP. It is the job.

And the gap between MSPs who understand that and those who don’t is widening fast.

The pace has changed (whether you like it or not)

There was a time when “keeping up” meant:

  • Doing a certification every few years

  • Skimming a release note once a quarter

  • Learning a product properly before it changed again

That world is gone.

Microsoft 365 doesn’t evolve annually. It evolves weekly.
Security threats don’t wait for your next training day.
AI capabilities don’t roll out neatly in versions you can plan for.

And pretending otherwise doesn’t slow any of it down — it just leaves you reacting instead of leading.

The real risk isn’t being behind — it’s thinking you’re not

Most MSPs aren’t failing because they don’t care.

They’re failing because they assume:

  • “We’ve always done it this way”

  • “That feature probably isn’t relevant for SMB”

  • “We’ll look at that later once it’s stable”

Meanwhile, the platform moves on.
Licensing changes.
Security defaults shift.
New expectations appear — often without warning.

Clients don’t see this as “Microsoft changing things again”.

They see it as you not knowing.

Staying up to date isn’t about consuming more content

This is where many MSPs get it wrong.

They try to solve the problem by:

  • Subscribing to more blogs

  • Following more people on LinkedIn

  • Sitting through more webinars

  • Saving more tabs “to read later”

That doesn’t create currency.
It creates noise.

Staying up to date is not about volume.
It’s about signal.

The question isn’t “what’s new?”
It’s “what actually matters for my clients and my service model?”

The difference between awareness and application

Knowing that something exists is not the same as knowing what to do with it.

An MSP who is genuinely up to date can answer questions like:

  • Does this change affect Business Premium customers today?

  • Is this a security uplift, a licensing trap, or a distraction?

  • Does this replace an existing tool or sit alongside it?

  • Is this worth operationalising, or just watching for now?

That’s the difference between reading updates and understanding impact.

And impact is what clients pay for.

Systems beat motivation — every time

No MSP stays current by “trying harder”.

They stay current because they build systems that make it unavoidable.

That usually means:

  • Scheduled time that is protected, not leftover

  • Repeatable review processes (not random learning)

  • Peer discussion, not solo interpretation

  • Turning learning into standards, checklists, and runbooks

If staying up to date relies on motivation, it will fail the moment things get busy — which is always.

If it’s baked into how you operate, it compounds.

Why this matters more now than ever

AI, security, compliance, identity, device management — all of it is converging.

What used to be “advanced” is quickly becoming expected.

Clients won’t ask you if you’ve kept up.
They’ll assume you have.

And when something goes wrong — a breach, a compliance issue, a missed capability — the question won’t be “why didn’t Microsoft tell us?”

It will be “why didn’t our MSP know?”

Staying current is how you stop competing on price

Here’s the part most MSPs miss.

Staying up to date isn’t just about risk reduction.
It’s how you move out of commodity territory.

When you understand what’s changing and why it matters:

  • You stop selling “support” and start selling guidance

  • You stop reacting to tickets and start shaping decisions

  • You stop being compared on hourly rates

Currency creates confidence.
Confidence creates trust.
Trust creates margin.

The uncomfortable but honest conclusion

You don’t get to opt out of staying current anymore.

You can only choose how intentionally you do it.

Because in today’s Microsoft ecosystem, falling behind doesn’t look dramatic.
It looks subtle.
Gradual.
Quiet.

Until one day, you realise you’re no longer leading your clients —
you’re just trying to keep up with them.

And by then, the gap is much harder to close.

Updating and patching software with Intune


Part 1: Vulnerability Remediation (Primarily via Microsoft Defender for Endpoint Integration)

Intune itself isn’t a vulnerability scanner. For this, you’ll leverage Microsoft Defender for Endpoint’s (MDE) Threat & Vulnerability Management (TVM) capabilities. The magic happens when MDE is integrated with Intune.

  1. Onboard Devices to MDE:

    • Ensure your devices are onboarded to Microsoft Defender for Endpoint. This can be done via an Intune policy (Endpoint security > Microsoft Defender for Endpoint > “Connect Windows devices…”).

  2. Enable MDE-Intune Connection:

    • In the Microsoft Defender portal (security.microsoft.com): Go to Settings > Endpoints > Advanced features.

    • Turn ON “Microsoft Intune connection.”

    • In the Microsoft Intune admin center (intune.microsoft.com): Go to Endpoint security > Microsoft Defender for Endpoint.

    • Ensure “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations” is ON.

  3. How Remediation Works:

    • Vulnerability Identification: MDE’s TVM continuously scans your enrolled devices for software vulnerabilities and misconfigurations.

    • Security Recommendations: MDE provides prioritized security recommendations. For many software vulnerabilities, the recommendation will be to “Update software.”

    • Remediation Tasks in Intune:

      • For certain recommendations, MDE can create a “security task” in Intune.

      • You’ll see these tasks in Intune under Endpoint security > Vulnerability management > Recommendations (or Security tasks in older views).

      • You can then “Accept” the risk or “Request remediation.” If you request remediation, Intune might:

        • Guide you to update the application (if it’s a managed app).

        • Guide you to create/modify a configuration profile (e.g., for an OS setting).

    • “Automatic” Remediation through Patching (see Part 2): The most common way to “automatically” remediate software vulnerabilities is by keeping the software patched. If you have robust patching (as described below), new versions of software that fix vulnerabilities will be deployed, effectively remediating them.

    • Configuration Changes: For vulnerabilities related to misconfigurations (e.g., an insecure setting), MDE will recommend changing the setting. You can then create or modify an Intune configuration profile (e.g., Attack Surface Reduction rules, Security Baselines) to enforce the secure setting across devices.

Part 2: Regular Software Patching via Intune

Intune offers several ways to patch software:

  1. Windows Updates (OS Patching):

    • This is the most straightforward.

    • Go to Devices > Windows > Update rings for Windows 10 and later.

    • Create profiles to define:

      • Servicing channel: (e.g., General Availability Channel)

      • Quality update deferral period: How long to wait after Microsoft releases a monthly quality update.

      • Feature update deferral period: How long to wait for major Windows version upgrades.

      • Driver updates: Allow/block.

      • Microsoft product updates: (e.g., Office updates, if not managed separately).

      • User experience settings: Active hours, restart deadlines, notifications.

    • Tip: Use multiple rings (e.g., Pilot, Broad) to test updates before wide deployment.

    • Feature Updates: Use Devices > Windows > Feature updates for Windows 10 and later to control deployment of specific Windows versions (e.g., move everyone to 22H2).

    • Expedited Updates: For critical zero-day patches, use Devices > Windows > Quality updates for Windows 10 and later (under Windows Update (preview)) to deploy specific KBs quickly, overriding deferrals.

  2. Microsoft 365 Apps (formerly Office 365 ProPlus):

    • Go to Apps > All apps > Add. Select Windows 10 and later > Microsoft 365 Apps.

    • Configure the app suite. Key settings for patching:

      • Update Channel: (e.g., Current Channel, Monthly Enterprise Channel). This determines update frequency.

      • Automatically remove other versions: Yes.

      • Use shared computer activation: If applicable.

    • Intune will then manage the deployment and ensure the apps stay on the selected update channel, receiving updates directly from the Office CDN.

    • You can also use Configuration Profiles (Devices > Configuration Profiles > Create Profile > Windows 10 and later > Settings catalog and search for “Office” or “Update”) for more granular control over M365 App updates (e.g., update deadlines).
  3. Third-Party Application Patching: This is often the most challenging area.

    • Win32 App Management (Supersedence):

      • This is the most common Intune-native method.

      • When a new version of a third-party app is released (e.g., Adobe Reader, Chrome, 7-Zip):

        1. Package the new version as a Win32 app (using the Microsoft Win32 Content Prep Tool).

        2. Upload it to Intune.

        3. In the app’s properties, go to Supersedence.

        4. Add the older version(s) of the app that this new version should replace.

        5. Choose “Uninstall previous version.”

        6. Assign the new app to the same groups as the old app (or your target groups).

      • When devices check in, Intune will see the supersedence rule, uninstall the old version, and install the new one.

      • This requires manual effort to package each new version but automates the deployment.

    • Microsoft Store Apps (New Experience with Winget integration):

      • Intune is increasingly integrating with winget (Windows Package Manager).

      • Go to Apps > Windows > Add. Select Microsoft Store app (new).

      • You can search the Store or Winget repository. If an app is available via Winget and you deploy it, Intune can help keep it updated if the app publisher supports winget upgrade properly and you deploy the “latest” version. This is still evolving.

    • Enterprise App Catalog (Preview):

      • Apps > Windows > Windows catalog app (Win32) (Preview)

      • This provides a curated list of common enterprise apps that Microsoft packages and makes available. The idea is that Microsoft will also handle updating these apps in the catalog, simplifying your patching for these specific titles. This is a very promising feature.

    • Third-Party Patch Management Solutions:

      • Many organizations use dedicated third-party patching tools that integrate with Intune (e.g., Patch My PC, ManageEngine Patch Manager Plus, Ivanti Security Controls).

      • These tools typically:

        • Monitor vendor feeds for new patches.

        • Automatically package them as Win32 apps (or their own format).

        • Publish them to Intune (or their own distribution system controlled by Intune).

        • Handle supersedence.

      • This significantly reduces the manual effort for third-party patching.

    • PowerShell Scripts (Proactive Remediations or Win32 Apps):

      • For apps not easily packaged or without good supersedence options, you can use:

        • Proactive Remediations: (Requires appropriate licensing – typically E3 + MDE P1/P2 or E5)

          • A detection script checks if a vulnerable version is present or if a patch is needed.

          • A remediation script runs if the detection script indicates an issue (e.g., downloads and installs the update).

        • Win32 App with Scripts: Package a script as a Win32 app. The “install” command could be your patching script, and the detection method checks if the patch was successful.
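As an added example (not from the original post, and not a Microsoft or vendor script), here is the detection/remediation pair for a Proactive Remediation of the kind described above: detection exits 1 when an installed version is below the fixed version, which makes Intune run the remediation. The product name “Example Reader”, the 4.2.0 minimum version and the installer path are hypothetical placeholders; in Intune the two scripts are uploaded as separate files, shown here in one block for readability.

```powershell
# ---- Detection script (uploaded as the "detection" file in Intune) ----
$DisplayNamePattern = 'Example Reader*'   # hypothetical product name (assumption)
$MinimumSafeVersion = [version]'4.2.0'    # hypothetical first fixed version (assumption)

# Check both 64-bit and 32-bit (WOW6432Node) uninstall hives; a 32-bit install
# on a 64-bit OS is otherwise silently missed and reported as compliant.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersions {
    param([string]$Pattern)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern -and $_.DisplayVersion } |
        ForEach-Object {
            # DisplayVersion is free text (e.g. "4.1.0 (build 7)"); keep the leading
            # dotted number and skip anything [version] cannot parse.
            try { [version]($_.DisplayVersion -replace '[^\d.].*$') } catch { }
        }
}

$found = @(Get-InstalledVersions -Pattern $DisplayNamePattern)
if ($found.Count -eq 0) {
    Write-Output 'App not installed - nothing to remediate'
    exit 0   # exit 0 = compliant, remediation script does not run
}
$vulnerable = @($found | Where-Object { $_ -lt $MinimumSafeVersion })
if ($vulnerable.Count -gt 0) {
    Write-Output "Vulnerable version(s) found: $($vulnerable -join ', ')"
    exit 1   # exit 1 = issue detected, Intune runs the remediation script
}
Write-Output "Installed version(s) $($found -join ', ') meet minimum $MinimumSafeVersion"
exit 0

# ---- Remediation script (uploaded as the "remediation" file in Intune) ----
# Runs as SYSTEM only when detection exited 1; Intune re-runs detection afterwards.
$InstallerPath = 'C:\ProgramData\Patches\ExampleReader-4.2.0.msi'   # hypothetical (assumption)
if (-not (Test-Path -Path $InstallerPath)) {
    Write-Output "Installer not found at $InstallerPath"
    exit 1
}
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$InstallerPath`" /qn /norestart"
# 0 = success, 3010 = success but reboot required; anything else is a failure
if ($proc.ExitCode -in @(0, 3010)) { exit 0 }
Write-Output "msiexec failed with exit code $($proc.ExitCode)"
exit 1
```

Treating “not installed” as compliant matters: a detection script that exits 1 for missing software would trigger pointless remediation runs on every device in the assignment.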

Key Considerations & Best Practices:

  • Testing: Always test patches in a pilot group before broad deployment.

  • Phased Rollouts: Use Intune’s assignment filters and group staggering for gradual rollouts.

  • User Communication: Inform users about upcoming updates and potential reboots, especially if deadlines are enforced.

  • Monitoring: Regularly check Intune’s reporting for update compliance (e.g., Reports > Windows updates, app installation status).

  • Licensing: Some features (like Proactive Remediations or Defender for Endpoint) require specific Microsoft 365 licenses (e.g., E3, E5, or add-ons).

By combining MDE for vulnerability identification and Intune for deploying OS, Microsoft app, and third-party app updates, you can create a fairly robust system for managing vulnerabilities and patching. For extensive third-party app patching, a dedicated third-party tool integrated with Intune is often the most efficient solution.

Need to Know podcast–Episode 278

In this episode I round up the major updates from Microsoft Ignite November 2021 as well as having a chat with Phil Meyer, Partner Technology Strategist – Hosting and Cloud from Microsoft about things like the new Microsoft commerce platform. Plenty of great information in this episode, so listen in and share around.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-278-phil-meyer/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Resources

Phil Meyer – Linkedin, philme@microsoft.com

Ignite November 2021 book of news

Introducing Microsoft Defender for Business

Windows 365 Business will offer Windows 11 and admin capabilities

Change your SharePoint domain name (preview)

Rich, secure content and collaboration for hybrid work – Ignite 2021 announcements

New Power Platform capabilities announced at Microsoft Ignite

Introducing Microsoft Loop

Q&A in Teams is in Public Preview

Microsoft Ignite Fall 2021: Innovations coming to Microsoft Teams