Patch management for SMBs without MDM muscle
Patches need to go on. But how do you enforce that without Intune or Jamf? Here's the pragmatic minimum setup.
Unpatched systems are the biggest breeding ground for attacks. Large organisations handle this with an MDM. Without one, you have to rely more on policy and monitoring.
The three layers
- OS updates: Windows Update, macOS Software Update. Set to automatic, with a maximum deferral of 2 weeks. On enterprise editions: via Windows Update for Business.
- Browser: Chrome, Edge, and Firefox update themselves. Enforce via Chrome Enterprise policy if that's not happening.
- Applications: Office, Acrobat and Teams via their native updaters; the same goes for VPN clients and the password manager. This is where many SMBs fall behind.
Monitoring without MDM
- Quarterly survey: "send a screenshot of About → version" for each critical app.
- For devices registered in Entra ID: check via Security → Devices compliance report.
- Chrome Enterprise policy reports versions centrally (free with Google Workspace).
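As an added example (not from the original post), a small Python script that turns the quarterly "About → version" replies into a pass/fail list against a minimum-version baseline, flagging both out-of-date and unreported apps. The app names, version numbers and device names are constructed sample data, and the "mac-" name prefix is an assumed naming convention.

```python
"""Compare quarterly survey replies against a minimum-version baseline.
Added example, not from the original post; all versions and devices below
are constructed sample data, not real release numbers."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the lowest version accepted this quarter, per app.
BASELINE = {
    "Chrome": "124.0.6367.60",
    "Office": "16.0.17425.20176",
    "Acrobat": "24.2.20759",
    "macOS": "14.4.1",
}

# Constructed survey replies: (device, app, version as typed by the user).
SURVEY = [
    ("laptop-01", "Chrome", "Version 124.0.6367.91 (Official Build)"),
    ("laptop-01", "Office", "16.0.17328.20162"),
    ("laptop-01", "Acrobat", "v24.2.20759 (64-bit)"),
    ("mac-02", "Chrome", "123.0.6312.124"),
    ("mac-02", "macOS", "14.4.1"),
]

def parse_version(text: str) -> tuple:
    """Extract the first dotted number run ('v24.2.1 (x64)' -> (24, 2, 1)).
    Unparseable input yields (), which sorts below any real version."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

@dataclass
class Finding:
    device: str
    app: str
    reported: Optional[str]   # None when the device sent nothing for this app
    required: str

def check_survey(survey=SURVEY, baseline=BASELINE):
    """Return one Finding per (device, app) that is below baseline or missing."""
    seen = {(d, a): v for d, a, v in survey}
    findings = []
    for device in sorted({d for d, _, _ in survey}):
        for app, required in baseline.items():
            # Assumed convention: only devices named 'mac-*' report macOS.
            if app == "macOS" and not device.startswith("mac-"):
                continue
            reported = seen.get((device, app))
            if reported is None or parse_version(reported) < parse_version(required):
                findings.append(Finding(device, app, reported, required))
    return findings

if __name__ == "__main__":
    for f in check_survey():
        print(f"{f.device}: {f.app} {f.reported or 'NOT REPORTED'} (need >= {f.required})")
```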
Communicating the requirement
Once a quarter, hold a "patch day" — everyone runs their updates. The manager sees completion. Not a personal task, but a team moment.
Moving towards Intune?
Business Premium including Intune is €19/user/month and largely automates all of this. With > 20 employees, it starts paying for itself quickly. See Intune basics.
See also: security pillar.
Full guide: Security for SMBs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.