| title | Windows Update policies are enforced to reduce risk from unpatched vulnerabilities |
|---|---|
| ms.author | brenduns |
| author | brenduns |
| ms.topic | include |
| ms.date | 09/02/2025 |
| ms.custom | Intune-Secure-Recommendation |
If Windows Update policies aren't enforced across all corporate Windows devices, threat actors can exploit unpatched vulnerabilities to gain unauthorized access, escalate privileges, and move laterally within the environment. The attack chain often begins with device compromise via phishing, malware, or exploitation of known vulnerabilities, and is followed by attempts to bypass security controls. Without enforced update policies, attackers leverage outdated software to persist in the environment, increasing the risk of privilege escalation and domain-wide compromise.
Enforcing Windows Update policies ensures timely patching of security flaws, disrupting attacker persistence, and reducing the risk of widespread compromise.
Remediation action
Start with Manage Windows software updates in Intune to understand the available Windows Update policy types and how to configure them.
Intune includes the following Windows update policy type:
- Windows quality updates policy - to install the regular monthly updates for Windows.
- Expedite updates policy - to quickly install critical security patches.
- Feature updates policy
- Update rings policy - to manage how and when devices install feature and quality updates.
- Windows driver updates - to update hardware components.