Operating system vendor patches are applied to internet-facing services within 2 weeks (48 hours if an exploit exists). Workstation, server and network-device OSs are patched within 1 month.
Essential Eight · Control 06 of 08
Patch operating systems
Keeping Windows, macOS, Linux and your server operating systems up to date.
Why this control matters
Same reason as application patching, except the operating system is the foundation everything else runs on. An unpatched OS means every application running on it inherits the vulnerability. Operating system compromise usually means game over rather than a bad day.
The three maturity levels
Patch operating systems at Essential Eight ML1, ML2 and ML3.
These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.
OS patches for internet-facing services with known exploits are applied within 48 hours. Workstations and servers are patched within 2 weeks. End-of-life operating systems are replaced.
All OS patches are applied within 48 hours of release when an exploit exists. The latest release (not just the latest patched version of an older release) is used for internet-facing services.
How we run it
The way CCP implements patch operating systems for clients.
OS patching runs on a managed cadence through Intune for Windows clients and equivalent tooling for macOS and Linux. Internet-facing services get the 48 hour SLA for known exploits. Workstations and servers follow a 2 week rhythm for routine patches, with out-of-band patching when a critical vulnerability lands between cycles. End-of-life operating systems are replaced, not left running with 'workarounds'.
Common questions
What people actually ask about patch operating systems.
- We have a Windows 10 machine our staff like. What happens at end-of-life?
  It gets replaced. Windows 10 reached end-of-security-updates in October 2025; any machine running it after that is outside ML1 and exposed to unpatched vulnerabilities. We either upgrade the hardware to Windows 11 or replace it. Extending support contracts isn't a long-term answer.
- What about our old server running a critical app?
  That's where the vendor conversation gets real. If the vendor still patches, we patch. If they don't, the server is either isolated from the general network (air-gapped or segmented behind strict firewall rules), or the application is replaced. Running an unpatched server on the corporate LAN in 2026 is a choice with consequences.
- Does patching break things?
  Sometimes. That's why our cadence includes pilot rings: we patch a small subset first, confirm no breakage, then roll out more broadly. When a patch does cause breakage, we roll it back and work with the vendor. We don't leave systems unpatched 'just in case'.
Related controls
Related Essential Eight controls that work alongside this one.
Control 02
Patch applications
Keeping your software up to date so it has the latest security fixes.
Control 01
Application control
Only letting approved programs run on your computers. Everything else is blocked by default.
Control 04
User application hardening
Turning off features in web browsers and Office that attackers commonly abuse.
These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.