Overview
- Microsoft updated its official guidance to require shorter deployment windows, advising quality update deferrals of less than three days, update deadlines of zero or one day, and an update grace period of no more than two days.
- Hotpatch is now on by default in Microsoft Intune, which lets eligible security fixes take effect immediately after install without requiring a reboot to reduce exposure and user disruption.
- Windows Autopatch now includes an Intune report that shows which devices are unpatched and supports ring‑based, automated rollouts for Windows, Microsoft 365 Apps, and Edge, with equivalent time‑bound settings available in Configuration Manager or WSUS.
- Microsoft says the change responds to faster vulnerability discovery driven by AI — its MDASH scanner found 16 authentication‑stack flaws including four critical remote code execution bugs and the company reported 206 addressed vulnerabilities in June — so longer deferral windows raise the risk of exploit.
- Microsoft urges IT teams to combine faster, automated patching with Conditional Access to block non‑compliant devices, a move that will require tighter policy settings and more telemetry but can cut exposure while limiting user disruption.