Cyber Essentials and patch management (WSUS, Intune, third-party)
How to evidence Cyber Essentials v3.3 patching - 14-day SLA for high/critical CVEs, WSUS deployment patterns, Intune Update Rings, third-party patching (Action1, PDQ, NinjaOne), and the audit artefacts assessors want.
Cyber Essentials v3.3 requires that high or critical vulnerabilities in operating systems, applications, firmware, and third-party software are patched within 14 days of vendor release. Evidence of this is one of the most-sampled areas of the assessment - assessors will ask you to name a recent high-severity CVE, show when Microsoft / Apple / Google / Adobe released the patch, and prove your environment applied it within the window. The commonest failure is not missing the patch - it's not being able to prove it, because the tooling doesn't expose a clean "deployed date per device per CVE" report.
1. What Cyber Essentials actually requires
- Supported OS and applications only. No Windows 10 21H2 and earlier, no macOS 12 and earlier, no RHEL 7, no Ubuntu 18.04. End-of-support means the control fails.
- Automatic updates enabled where possible. The scheme actively prefers automatic updates over manual patching.
- 14-day SLA for high or critical CVEs (CVSS ≥ 7.0). Lower-severity patches have no strict SLA but must be applied in reasonable time.
- Firmware updates when released by vendors - this is a newer emphasis in v3.3 and catches many estates out (BIOS, router firmware, NAS firmware).
- Third-party applications - browsers, PDF readers, runtimes (Java, .NET), design tools. Not just the OS.
2. WSUS - still viable, specific risks
Windows Server Update Services (WSUS) works for Cyber Essentials if disciplined:
- Auto-approve Critical and Security Updates for the Windows classifications you care about
- Computer groups by environment (production, test) with staged rollout: test → pilot → all
- Target release cadence: approve on Patch Tuesday, deployed to pilot by Wednesday, all machines by next Monday - inside the 14-day window
- Do not dismiss feature updates indefinitely; schedule them at least annually so devices don't fall off supported Windows versions
- Dashboard: WSUS console + periodic export, or better, pipe data to a reporting layer (SCCM, Nexthink, or a scripted PowerShell export)
Known risks with WSUS:
- Orphaned clients that stopped checking in weeks ago still show green in the console; compare WSUS inventory against AD last-logon
- Third-party apps (Chrome, Firefox, Adobe Reader) are not covered by WSUS. You need a separate tool for these.
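The orphaned-client check above, as an added example (not from the original guide): it cross-checks WSUS's last-reported time for each client against AD last-logon, so machines that still look green in the console but have stopped reporting are surfaced. It assumes the UpdateServices (WSUS administration) and ActiveDirectory modules are installed; the server name and port are placeholders.

```powershell
# Added example, not from the original guide: find WSUS clients that are
# "still green in the console" but have quietly stopped reporting, by
# comparing WSUS LastReportedStatusTime with AD LastLogonDate.
# Assumes the UpdateServices and ActiveDirectory modules are available.
Import-Module UpdateServices
Import-Module ActiveDirectory

$wsusHost  = 'wsus01.corp.example'   # placeholder for your WSUS server
$wsusPort  = 8530                    # placeholder; 8531 with -UseSsl
$staleDays = 14                      # matches the CE patching window

$wsus   = Get-WsusServer -Name $wsusHost -PortNumber $wsusPort
$cutoff = (Get-Date).AddDays(-$staleDays)

# AD lookup: FQDN (lower-case) -> LastLogonDate
$adLogon = @{}
Get-ADComputer -Filter * -Properties LastLogonDate | ForEach-Object {
    if ($_.DNSHostName) { $adLogon[$_.DNSHostName.ToLower()] = $_.LastLogonDate }
}

$report = foreach ($c in Get-WsusComputer -UpdateServer $wsus) {
    $fqdn       = $c.FullDomainName.ToLower()
    $lastReport = $c.LastReportedStatusTime
    $adLast     = $adLogon[$fqdn]

    # Stale: no status report inside the window, whatever colour the console shows
    $stale  = $lastReport -lt $cutoff
    # Orphan: stale in WSUS and also silent in AD (or absent from AD) -
    # probably decommissioned, so remove it to keep the dashboard honest
    $orphan = $stale -and ((-not $adLast) -or ($adLast -lt $cutoff))

    [pscustomobject]@{
        Computer         = $fqdn
        WsusLastReported = $lastReport
        AdLastLogon      = $adLast
        InAD             = $adLogon.ContainsKey($fqdn)
        StaleInWsus      = $stale
        LikelyOrphan     = $orphan
    }
}

# Keep the CSV as an audit artefact alongside the regular WSUS status export
$report | Sort-Object WsusLastReported |
    Export-Csv -Path .\wsus-stale-clients.csv -NoTypeInformation
$report | Where-Object StaleInWsus | Format-Table -AutoSize
```

Devices flagged LikelyOrphan should be decommissioned in WSUS rather than left inflating the compliance figure; devices stale in WSUS but active in AD are the ones genuinely missing patches.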
3. Intune / Windows Autopatch
For cloud-native Windows management, Intune Update Rings + Windows Autopatch (E3+ licence) is the cleanest evidence pattern.
Update Rings:
- Pilot ring (5% of devices): 0-day feature update deferral, 0-day quality update deferral
- Broad ring (95%): 0-day feature update deferral, 2-day quality update deferral
- Deadlines: 7 days for quality updates, with a grace period before enforcement
Windows Autopatch automates Microsoft 365 Apps, Edge, Teams, and Windows quality updates with a rolling ring structure. Inbuilt reporting gives you "patch status per device per month" which assessors accept as strong evidence.
Driver and firmware updates now deploy via Intune for most Dell, HP, Lenovo, and Surface devices with the right policy payload - this covers the firmware clause.
4. Third-party patching tools
WSUS and Intune don't patch most third-party apps. The cleanest options for UK SMEs:
- Action1 - free tier up to 200 endpoints; patches Windows OS + dozens of third-party apps
- PDQ Deploy / Inventory - LAN-based, low cost
- NinjaOne - RMM-class, covers Windows + Mac + third-party
- Datto RMM / N-able N-central - MSP-grade RMMs with the same coverage
- winget via scripted deployments - free but needs someone to own it
Whatever you pick, the scheme wants to see the tool's report showing every device's patch status for at least the top 10 third-party apps in your estate (browsers, Office, Adobe Reader, Zoom, Slack, Teams, password manager, anti-malware, remote-access tool, design/productivity apps).
5. Firmware - the newer v3.3 focus
Cyber Essentials v3.3 explicitly calls out firmware. Most gaps here:
- Laptop BIOS / UEFI - Dell Command | Update, HP Image Assistant, Lenovo System Update, Surface firmware via Intune. Schedule monthly.
- Routers / firewalls - most UK SMEs run consumer-grade kit with stale firmware. Upgrade cadence: quarterly at minimum, or switch to a managed router (Meraki, UniFi with firmware auto-update) so it's handled.
- NAS / storage - Synology / QNAP / TrueNAS often lag. Subscribe to vendor security bulletins.
- Printers - surprisingly common attack surface. Quarterly firmware check.
6. macOS and Linux patching
macOS: Managed Software Update via MDM (see Cyber Essentials for Jamf / Kandji / Intune).
Linux: unattended-upgrades on Debian/Ubuntu, dnf-automatic on RHEL/Fedora, plus a weekly reboot for kernel updates. Bonus: livepatch on Ubuntu Pro reduces the reboot requirement for critical kernel CVEs.
7. Evidence assessors expect
- Patch tool screenshot or export showing patch level per device
- Sample recent CVE: "Microsoft CVE-2026-xxxxx released 9 April, deployed across our estate by 18 April - here's the report"
- Supported-OS inventory with no end-of-support OS present
- Firmware cadence evidence - at minimum a policy document plus vendor update logs
- Third-party coverage - list of business-critical apps with patch status
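The sampled-CVE evidence described above, as an added example (not from the original guide): it turns a per-device patch export into a "deployed within 14 days of release" report for one CVE. The CSV, the CVE identifier and the dates are constructed sample values; a real export from WSUS, Intune, Action1, PDQ or NinjaOne will carry its own column names, so adjust the three column references accordingly.

```powershell
# Added example, not from the original guide: per-device 14-day SLA evidence
# for one sampled CVE. Input CSV and identifier are constructed placeholders.
$slaDays     = 14
$cveId       = 'CVE-2026-XXXXX'              # placeholder identifier
$cveReleased = [datetime]'2026-04-09'        # vendor release date (constructed)
$deadline    = $cveReleased.AddDays($slaDays) # last acceptable install date

# Constructed sample export: Device, CVE, InstalledOn (blank = not deployed)
$export = @'
Device,CVE,InstalledOn
LAPTOP-01,CVE-2026-XXXXX,2026-04-12
LAPTOP-02,CVE-2026-XXXXX,2026-04-18
LAPTOP-03,CVE-2026-XXXXX,2026-04-30
LAPTOP-04,CVE-2026-XXXXX,
SERVER-01,CVE-2026-XXXXX,2026-04-23
'@ | ConvertFrom-Csv

$rows = foreach ($r in ($export | Where-Object CVE -eq $cveId)) {
    $installed = if ($r.InstalledOn) { [datetime]$r.InstalledOn } else { $null }
    $days      = if ($installed) { ($installed - $cveReleased).Days } else { $null }

    # A device is compliant only if the patch landed on or before day 14
    if (-not $installed)            { $status = 'NOT DEPLOYED' }
    elseif ($installed -le $deadline) { $status = 'WITHIN SLA' }
    else                            { $status = 'BREACHED' }

    [pscustomobject]@{
        Device      = $r.Device
        CVE         = $r.CVE
        Released    = $cveReleased.ToString('yyyy-MM-dd')
        InstalledOn = if ($installed) { $installed.ToString('yyyy-MM-dd') } else { 'MISSING' }
        DaysToPatch = $days
        Status      = $status
    }
}

$rows | Format-Table -AutoSize
$breaches = @($rows | Where-Object Status -ne 'WITHIN SLA')
'{0} of {1} devices inside the {2}-day window for {3}' -f `
    ($rows.Count - $breaches.Count), $rows.Count, $slaDays, $cveId

# The CSV is the artefact to hand the assessor for this sampled CVE
$rows | Export-Csv -Path ".\$cveId-evidence.csv" -NoTypeInformation
```

With the constructed data, LAPTOP-01, LAPTOP-02 and SERVER-01 are inside the window, LAPTOP-03 is a breach and LAPTOP-04 has no deployment record, which is exactly the gap that fails the control.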
8. Common failure points
1. "We don't track patches per CVE." Assessors sample specific CVEs; if you cannot produce the deployed date, the control fails. Fix: pick a tool that exposes per-device patch history.
2. End-of-support devices in scope. Windows 10 22H2 is end-of-support on 14 October 2025 - past that date, devices running it are out-of-scope only if isolated with compensating controls, otherwise a fail.
3. Third-party apps ignored. Chrome, Edge, Zoom, Adobe Reader are the usual offenders. A third-party patching tool solves this.
4. Firmware never updated. Router last updated 2022. Plan a firmware refresh before assessment.
5. One device a "special case" that doesn't get patched. Either remove from scope, isolate it, or get it on the patching program - exceptions fail the control.
What Fig checks
Our CE readiness scan inspects your patch tool output (WSUS, Intune, Action1, PDQ, NinjaOne - we support CSV exports from any of them) and flags devices outside the 14-day window, end-of-support OSes, and missing third-party app coverage. Properly-tooled estates pass at first attempt at a rate above 96%.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.