Tag: Updates

Updating and patching software with Intune

image

Part 1: Vulnerability Remediation (Primarily via Microsoft Defender for Endpoint Integration)

Intune itself isn’t a vulnerability scanner. For this, you’ll leverage Microsoft Defender for Endpoint’s (MDE) Threat & Vulnerability Management (TVM) capabilities. The magic happens when MDE is integrated with Intune.

  1. Onboard Devices to MDE:

    • Ensure your devices are onboarded to Microsoft Defender for Endpoint. This can be done via an Intune policy (Endpoint security > Microsoft Defender for Endpoint > “Connect Windows devices…”).

  2. Enable MDE-Intune Connection:

    • In the Microsoft Defender portal (security.microsoft.com): Go to Settings > Endpoints > Advanced features.

    • Turn ON “Microsoft Intune connection.”

    • In the Microsoft Intune admin center (intune.microsoft.com): Go to Endpoint security > Microsoft Defender for Endpoint.

    • Ensure “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations” is ON.

  3. How Remediation Works:

    • Vulnerability Identification: MDE’s TVM continuously scans your enrolled devices for software vulnerabilities and misconfigurations.

    • Security Recommendations: MDE provides prioritized security recommendations. For many software vulnerabilities, the recommendation will be to “Update software.”

    • Remediation Tasks in Intune:
      • For certain recommendations, MDE can create a “security task” in Intune.

      • You’ll see these tasks in Intune under Endpoint security > Vulnerability management > Recommendations (or Security tasks in older views).

      • You can then “Accept” the risk or “Request remediation.” If you request remediation, Intune might:

        • Guide you to update the application (if it’s a managed app).

        • Guide you to create/modify a configuration profile (e.g., for an OS setting).
    • “Automatic” Remediation through Patching (see Part 2): The most common way to “automatically” remediate software vulnerabilities is by keeping the software patched. If you have robust patching (as described below), new versions of software that fix vulnerabilities will be deployed, effectively remediating them.

    • Configuration Changes: For vulnerabilities related to misconfigurations (e.g., an insecure setting), MDE will recommend changing the setting. You can then create or modify an Intune configuration profile (e.g., Attack Surface Reduction rules, Security Baselines) to enforce the secure setting across devices.

Part 2: Regular Software Patching via Intune

Intune offers several ways to patch software:

  1. Windows Updates (OS Patching):

    • This is the most straightforward.

    • Go to Devices > Windows > Update rings for Windows 10 and later.

    • Create profiles to define:

      • Servicing channel: (e.g., General Availability Channel)

      • Quality update deferral period: How long to wait after Microsoft releases a monthly quality update.

      • Feature update deferral period: How long to wait for major Windows version upgrades.

      • Driver updates: Allow/block.

      • Microsoft product updates: (e.g., Office updates, if not managed separately).

      • User experience settings: Active hours, restart deadlines, notifications.
    • Tip: Use multiple rings (e.g., Pilot, Broad) to test updates before wide deployment.

    • Feature Updates: Use Devices > Windows > Feature updates for Windows 10 and later to control deployment of specific Windows versions (e.g., move everyone to 22H2).

    • Expedited Updates: For critical zero-day patches, use Devices > Windows > Quality updates for Windows 10 and later (under Windows Update (preview)) to deploy specific KBs quickly, overriding deferrals.

  2. Microsoft 365 Apps (formerly Office 365 ProPlus):

    • Go to Apps > All apps > Add. Select Windows 10 and later > Microsoft 365 Apps.

    • Configure the app suite. Key settings for patching:

      • Update Channel: (e.g., Current Channel, Monthly Enterprise Channel). This determines update frequency.

      • Automatically remove other versions: Yes.

      • Use shared computer activation: If applicable.
    • Intune will then manage the deployment and ensure the apps stay on the selected update channel, receiving updates directly from the Office CDN.

    • You can also use Configuration Profiles (Devices > Configuration Profiles > Create Profile > Windows 10 and later > Settings catalog and search for “Office” or “Update”) for more granular control over M365 App updates (e.g., update deadlines).

  3. Third-Party Application Patching: This is often the most challenging area.

    • Win32 App Management (Supersedence):
      • This is the most common Intune-native method.

      • When a new version of a third-party app is released (e.g., Adobe Reader, Chrome, 7-Zip):

        1. Package the new version as a Win32 app (using the Microsoft Win32 Content Prep Tool).

        2. Upload it to Intune.

        3. In the app’s properties, go to Supersedence.

        4. Add the older version(s) of the app that this new version should replace.

        5. Choose “Uninstall previous version.”

        6. Assign the new app to the same groups as the old app (or your target groups).
      • When devices check in, Intune will see the supersedence rule, uninstall the old version, and install the new one.

      • This requires manual effort to package each new version but automates the deployment.
    • Microsoft Store Apps (New Experience with Winget integration):
      • Intune is increasingly integrating with winget (Windows Package Manager).

      • Go to Apps > Windows > Add. Select Microsoft Store app (new).

      • You can search the Store or Winget repository. If an app is available via Winget and you deploy it, Intune can help keep it updated if the app publisher supports winget upgrade properly and you deploy the “latest” version. This is still evolving.
    • Enterprise App Catalog (Preview):
      • Apps > Windows > Windows catalog app (Win32) (Preview)
      • This provides a curated list of common enterprise apps that Microsoft packages and makes available. The idea is that Microsoft will also handle updating these apps in the catalog, simplifying your patching for these specific titles. This is a very promising feature.
    • Third-Party Patch Management Solutions:
      • Many organizations use dedicated third-party patching tools that integrate with Intune (e.g., Patch My PC, ManageEngine Patch Manager Plus, Ivanti Security Controls).

      • These tools typically:

        • Monitor vendor feeds for new patches.

        • Automatically package them as Win32 apps (or their own format).

        • Publish them to Intune (or their own distribution system controlled by Intune).

        • Handle supersedence.
      • This significantly reduces the manual effort for third-party patching.
    • PowerShell Scripts (Proactive Remediations or Win32 Apps):
      • For apps not easily packaged or without good supersedence options, you can use:

        • Proactive Remediations: (Requires appropriate licensing – typically E3 + MDE P1/P2 or E5)

          • A detection script checks if a vulnerable version is present or if a patch is needed.

          • A remediation script runs if the detection script indicates an issue (e.g., downloads and installs the update).
        • Win32 App with Scripts: Package a script as a Win32 app. The “install” command could be your patching script, and the detection method checks if the patch was successful.

Key Considerations & Best Practices:

  • Testing: Always test patches in a pilot group before broad deployment.

  • Phased Rollouts: Use Intune’s assignment filters and group staggering for gradual rollouts.

  • User Communication: Inform users about upcoming updates and potential reboots, especially if deadlines are enforced.

  • Monitoring: Regularly check Intune’s reporting for update compliance (e.g., Reports > Windows updates, app installation status).

  • Licensing: Some features (like Proactive Remediations or Defender for Endpoint) require specific Microsoft 365 licenses (e.g., E3, E5, or add-ons).

By combining MDE for vulnerability identification and Intune for deploying OS, Microsoft app, and third-party app updates, you can create a fairly robust system for managing vulnerabilities and patching. For extensive third-party app patching, a dedicated third-party tool integrated with Intune is often the most efficient solution.

Need to Know podcast–Episode 278

In this episode I round up the major updates from Microsoft Ignite November 2021 as well as having a chat with Phil Meyer, Partner Technology Strategist – Hosting and Cloud from Microsoft about things like the new Microsoft commerce platform. Plenty of great information in this episode, so listen in and share around.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-278-phil-meyer/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Resources

Phil Meyer – Linkedin, philme@microsoft.com

Ignite November 2021 book of news

Introducing Microsoft Defender for Business

Windows 365 Business will offer Windows 11 and admin capabilities

Change your SharePoint domain name (preview)

Rich, secure content and collaboration for hybrid work – Ignite 2021 announcements

New Power Platform capabilities announced at Microsoft Ignite

Introducing Microsoft Loop

Q&A in Teams is in Public Preview

Microsoft Ignite Fall 2021: Innovations coming to Microsoft Teams