The Iru Blog

Securing Windows: Vulnerability management, auto patching, and OS updates

Written by Iru Team | May 4, 2026 6:26:31 PM

Unpatched software is behind roughly 60% of breaches. And with AI models getting better at finding exploitable vulnerabilities faster than most teams can remediate them, the window between disclosure and exploitation is shrinking fast.

In our latest Iru Demo Day, Head of Windows Lance Crandall joined Principal Solutions Engineer Ryan Slater to walk through how Iru helps IT teams detect, patch, and manage vulnerabilities across their Windows fleet, with real-time Q&A from attendees.

The patching problem is getting worse

The average time to patch a known vulnerability sits between 100 and 120 days. IT teams work hard, but keeping track of every application on every device isn't anyone's full-time job. Most organizations only patch what makes the news, and the rest drifts.

What's changing is the speed at which new vulnerabilities surface. AI models are already capable of identifying exploitable weaknesses in production software. Earlier this year, Claude Opus 4.6 found 22 vulnerabilities in Firefox in just two weeks, and these tools are only getting more powerful. Manual patching workflows that worked two years ago aren't going to hold up.

From Mac-first to cross-platform

Iru started as an Apple Mobile Device Management (MDM) platform. Over time, the platform expanded to include EDR, vulnerability management, and vulnerability response for Mac. Customers saw the value of managing and securing devices from one place, and started asking for the same capabilities on Windows and Android.

Last year, Iru delivered. Windows and Android device management are now available in the platform, giving teams a single console across their entire fleet. The virtual event focused on three specific areas where that cross-platform investment pays off: vulnerability detection, application patching, and OS update management.

Vulnerability detection across the fleet

Iru's vulnerability management gives admins a prioritized view of CVEs across all enrolled devices, Mac and Windows alike. The platform pulls a full application inventory from each device, not just apps deployed through the MDM, but everything installed. From there, it maps installed software against known vulnerabilities, ranks them by severity, and surfaces which devices are affected.

For any given CVE, admins can see the criticality score, whether the vulnerability is actively exploited in the wild, the list of impacted devices, and the recommended remediation. Individual device views offer the same information from the other direction: drill into a specific device and see which applications are vulnerable and at what severity.

Auto Apps: Patching without the overhead

Actually remediating vulnerabilities is where most teams get stuck. The traditional workflow (find the installer, download it, repackage it, figure out the silent install flags, upload it to your MDM, and repeat every time there's an update) is time-consuming and fragile.

Iru's Auto Apps remove that overhead for over 200 of the most commonly deployed Windows applications. Firefox, Chrome, Zoom, Slack: each one is available as a pre-packaged library item that can be deployed in a few clicks.

The key feature is automatic enforcement of updates. When a new version of an application is released, Iru can push it to devices within minutes. If the application is open, the user gets prompted to close it with a configurable grace period. Once the enforcement deadline passes, the app is force-closed and the update completes. That gives admins a predictable remediation window.

New Auto Apps are added regularly, and teams can request specific applications to be added to the catalog.

Custom apps for everything else

For internally developed software or anything not covered by the Auto App catalog, Iru's Custom App Library Items fill the gap. Admins upload a zip file containing the installer (an MSI, EXE, or even a PowerShell script) and configure the detection logic, install command, and enforcement deadline.

The PowerShell option is especially flexible. If an install requires pre-cleanup, post-install configuration, or license key injection, the script can handle all of it in sequence. And the same enforcement deadline and open-app detection logic that powers auto apps applies here too: if the target application is running, the user is prompted to close it, and after the deadline, the update is forced through.
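The sequence described above (pre-cleanup, silent install, post-install configuration, then a version check), written out as an added example that is not Iru's code or part of the original post. The application name, version, MSI file name, registry setting and URL are all hypothetical, and it assumes the script runs elevated from the unpacked zip and that a non-zero exit is treated as a failed install.

```powershell
# Added example, not Iru's code: install script for a hypothetical internal MSI.
# App name, version, file names and the registry setting are placeholders.
$ErrorActionPreference = 'Stop'
$AppName       = 'Contoso Agent'
$TargetVersion = [version]'2.4.0'
$Msi           = Join-Path $PSScriptRoot 'ContosoAgent.msi'
$Log           = Join-Path $env:TEMP 'ContosoAgent-install.log'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApp {
    # Read every uninstall entry (64- and 32-bit views) and keep the ones for this app
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $AppName }
}

function Invoke-Msiexec([string[]]$MsiArgs) {
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
    # 0 = success, 3010 = success with reboot pending; anything else is a failure
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($p.ExitCode)" }
    return $p.ExitCode
}

# 1. Pre-cleanup: silently remove older MSI-based installs (key name is the product code)
foreach ($app in Get-InstalledApp) {
    $isMsi = $app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
    if ($isMsi -and [version]$app.DisplayVersion -lt $TargetVersion) {
        Invoke-Msiexec @('/x', $app.PSChildName, '/qn', '/norestart') | Out-Null
    }
}

# 2. Silent install with a verbose log for troubleshooting
$code = Invoke-Msiexec @('/i', "`"$Msi`"", '/qn', '/norestart', '/L*v', "`"$Log`"")

# 3. Post-install configuration (hypothetical machine-wide setting)
$cfg = 'HKLM:\SOFTWARE\Contoso\Agent'
if (-not (Test-Path $cfg)) { New-Item -Path $cfg -Force | Out-Null }
Set-ItemProperty -Path $cfg -Name 'ServerUrl' -Value 'https://agent.example.internal'

# 4. Verify the target version is actually registered before reporting success
$installed = Get-InstalledApp | Where-Object { [version]$_.DisplayVersion -ge $TargetVersion }
if (-not $installed) { throw "$AppName $TargetVersion not detected after install" }
if ($code -eq 3010) { Write-Warning 'Install succeeded; reboot required to finish.' }
exit 0
```

The version test in step 4 is the same condition a detection rule would check; how Iru expresses detection logic is not shown on this page.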

Windows OS update management

Beyond application patching, Lance walked through how Iru handles Windows operating system updates, both the monthly cumulative patches and the annual feature updates.

The first piece is a Windows Update library item that controls the end-user experience during OS patching. Iru surfaces the seven most commonly configured settings with sensible defaults (active hours, auto-install behavior, restart policies) while keeping the full set of 40+ Microsoft settings available under an advanced toggle. It's the same opinionated-defaults-with-full-control philosophy Iru applies on the Mac side.

The second piece, coming soon, is managed OS for Windows. This lets admins define which OS version devices should be on, both for major feature updates and monthly patches, and enforce it with deployment rings. Ring zero for IT staff on day zero, ring one for the broader organization with a deferral window. If a bad patch ships, admins can pause enforcement immediately.

Lance also previewed a patch status dashboard that gives a fleet-wide view of compliance: which devices are current, which are past due, and which are in an error state. For devices that can't be patched, the platform surfaces the specific reason (like insufficient disk space) so admins can take targeted action rather than guessing.

Virtual Event Q&A

Q: Does Iru support Autopilot for zero-touch Windows deployment?

Autopilot support is coming very soon. Once available, new Windows devices will be able to enroll into Iru automatically through the out-of-box experience (OOBE), just like Automated Device Enrollment (ADE) works for Apple devices.

Q: Can I roll back an auto app to a previous version?

Auto apps don't currently support rollback. For custom apps, the team is building the ability to add multiple versions to the same library item, with detection logic that would allow rolling back to a previous version. In the meantime, scoping updates through rings and pilot groups helps reduce the need for rollbacks.

Q: How quickly do changes take effect on devices?

Policies like BitLocker or firewall configurations are event-driven and reach devices within minutes. Applications and scripts, whether Auto Apps, Custom App Library Items, or PowerShell, begin installing within 15 minutes, assuming the device is online.

Q: Can I deploy enterprise Wi-Fi policies with certificates?

Yes. Iru supports enterprise Wi-Fi with all EAP types, including unique per-device certificates. The only current limitation is WPA3, which is a Microsoft constraint related to RSA key generation with TPM. Once Microsoft resolves that, Iru will add support.

Q: What does migration look like if I have hundreds of devices in another MDM?

Iru provides migration tooling that silently unenrolls devices from the existing MDM and enrolls them into Iru with no end-user interaction required and no admin rights needed on the device. The process has been used by many customers with positive feedback.

Q: Does Iru have a Liftoff-style onboarding experience for Windows?

Not yet, but it's on the backlog. The team recognizes the value of a guided provisioning screen, similar to the Mac Liftoff experience, that shows end users what's being installed and configured on their device after enrollment.

Q: When will Iru reach feature parity with Intune?

The team's approach is to prioritize the features customers are actually asking for rather than chasing a checkbox comparison. The major capabilities most organizations need are expected to ship over the next quarter or two, with additional refinements following. The focus is on building for the future based on real customer feedback, not replicating legacy feature sets.
