update policies Archives

Winsage

May 6, 2026

Defender Misflags DigiCert Root Certificates, Breaking Windows SSL Trust

On April 30, 2026, Microsoft Defender misclassified two legitimate DigiCert root certificates as a severe threat, specifically Trojan:Win32/Cerdigent.A!dha, leading to their quarantine and disrupting SSL/TLS validation across affected endpoints. This misclassification was a result of new malware detections introduced by Microsoft in response to concerns over compromised certificates from a DigiCert breach. The false-positive alerts were triggered by the registry entries of the two trusted root certificates, which are crucial for validating SSL/TLS sessions. Microsoft later acknowledged the error and adjusted the alert logic. There was no actual compromise of the DigiCert certificates, as administrators confirmed that the certificate hashes matched the official values. The misclassification stemmed from a failure to properly constrain the detection to only revoked end-entity signing certificates related to a separate incident. This incident follows a pattern of Microsoft Defender misidentifying legitimate software as malicious, as seen in a 2022 incident where Microsoft Office was flagged as a virus. Organizations with restrictive update policies may continue to face SSL/TLS validation failures until they deploy the corrective Security Intelligence version or manually restore the DigiCert roots.

Winsage

May 6, 2026

Microsoft enables Hotpatching by default: Windows updates without restarts become a reality

Beginning in May 2026, Microsoft will introduce Hotpatching as a default feature for compatible systems, allowing security updates to be applied without requiring a restart. Hotpatching updates code directly in the memory of running processes, enabling selective updates without interrupting the entire system. It does not replace monthly security updates but alters their activation process on eligible systems, categorized as security updates within the monthly B releases. Eligible systems must be running Windows 11 version 24H2 or newer and possess suitable licenses such as Enterprise, Education, Microsoft 365, or Windows 365. Management of these updates will be facilitated through Windows Autopatch or Microsoft Intune. Microsoft will continue to utilize baseline updates that require a restart, which will alternate with Hotpatch months. Hotpatching aims to reduce the frequency of restarts tied to security updates, particularly benefiting environments where uptime is critical. However, planned restarts will still be necessary, and robust telemetry and maintenance practices will be needed to ensure smooth operation.

Winsage

March 11, 2026

Hotpatching goes default in Windows Autopatch whether you like it or not

Microsoft will enable hotpatch security updates by default starting with the May 2026 Windows security update. Hotpatch updates allow security enhancements to be applied without system restarts, while quarterly baseline updates will still require a restart. Windows Autopatch will manage updates using "testing rings" to progressively roll out updates and address any issues. Devices must run Windows 11 24H2 or later and have the April 2026 security update installed to receive hotpatch updates automatically. Existing update policies will remain intact, and administrators can opt out of hotpatch updates at the tenant or group policy level.

Winsage

February 13, 2026

Microsoft Introduces New Secure Boot Certificates Before June Deadline

The foundational security certificates supporting Windows Secure Boot, introduced in 2011, will expire in mid-2026, specifically in June and October. Microsoft and PC manufacturers are updating the Windows ecosystem to address this. Devices that do not receive updated certificates may face security limitations and compatibility issues with newer operating systems and hardware. The transition is described as a "generational refresh" of the trust infrastructure for Windows. Systems failing to update will still function but may enter a "degraded security state," unable to install new security mitigations or newer operating systems. Most users will receive updates automatically through Windows Update, while older systems may require manual intervention. Systems at risk include those running unsupported Windows versions, with Secure Boot disabled, or not enrolled in Extended Security Updates. Users should check their Secure Boot status using PowerShell commands to ensure they are using the new certificates. The update affects not only Windows PCs but also other devices utilizing UEFI Secure Boot.

Winsage

December 3, 2025

Windows 10’s demise fuels Linux hype again — but will Bazzite finally break the “forever up‑and‑comer” curse? There’s a chance.

Microsoft has discontinued support for Windows 10, leading to around 500 million PCs being eligible for an upgrade to Windows 11, though many users remain on the unsupported platform. Zorin OS has gained approximately 780,000 users migrating from Windows within a month of this decision. Bazzite, a Linux-based gaming distribution, surpassed one petabyte of ISO downloads in a month, serving around 150,000 ISOs and attracting 730,000 visitors. Bazzite offers better hardware compatibility and pre-installed drivers for NVIDIA and AMD GPUs, making it a strong alternative to SteamOS. The improved compatibility of Windows games on Linux, aided by Valve's Proton, is contributing to the trend of users exploring alternatives to Windows.

Winsage

August 18, 2025

You Can No Longer Turn Off App Updates in Microsoft’s Store

The Microsoft Store has changed its app update policy, limiting users to delaying individual app updates for a maximum of five weeks, down from the previous option to pause updates indefinitely. Users can manage these settings in the App updates section of Settings, where they will receive notifications about the potential risks of missing critical updates. This change is part of a broader trend in Microsoft's update policies, which previously allowed indefinite pauses for operating system updates but now enforces a 35-day limit. The motivation behind these changes is primarily focused on enhancing security by encouraging timely installation of updates. The new policy applies only to apps downloaded from the Microsoft Store, and users seeking indefinite delays may need to consider alternative sources, albeit with the risk of missing important security updates.

AppWizard

July 9, 2025

Modder behind the ‘Swiss army knife of PC gaming’ deletes their 20 year-old Steam account with anti-Valve manifesto: ‘By the end of my bitter dealings with Valve… there was zero hope’

Kaldaien, the creator of the graphics and performance enhancement tool Special K, has deleted their Steam account after two decades, citing frustrations with Steam's update policies and the platform's evolution since 2002. They criticized Steam for becoming bloated and complicating software compatibility, making older games unplayable due to updated requirements. Kaldaien expressed concerns about the diminishing freedom for gamers to purchase from various sources and criticized the Steam Input API for obstructing access to alternative input options. Despite being a Steamworks partner, they felt unresponsive to Valve and noted that some issues stem from developers' choices rather than Steam itself. Kaldaien's experiences highlight the concentration of power in Valve's hands and raise questions about the long-term implications for gamers reliant on a single platform.

Winsage

June 14, 2025

Will your Mac or Windows PC still get security updates in 2026? Check this chart

Microsoft's Windows 11 operating system has introduced stringent compatibility requirements, making many PCs, some as young as six or seven years old, ineligible for security updates and upgrades. Apple's MacOS update policies are similarly restrictive, with security updates provided for the three most recent versions. When a new version is released, older systems may become unsupported and stop receiving updates. The upcoming MacOS 26 Tahoe is expected to launch in September, at which point MacOS 13 Ventura will cease to receive updates, affecting older Macs. Unsupported models include MacBook Air, MacBook Pro, or Mac Mini from 2017 or earlier, and iMac and Mac Pro models from 2018 or earlier. For Windows PCs, compatibility with Windows 11 generally requires a CPU released in 2019 or later, though some older Intel CPUs may qualify. Microsoft offers a PC Health Check app to assess compatibility, and users can bypass certain checks to install Windows 11. Windows 10 users can pay for security updates for up to three years after support ends in October 2025, a feature not available for Mac users. Security updates for both Mac and Windows PCs are typically available for eight to ten years after the release date.

Winsage

April 9, 2025

Patch Tuesday fixes an exploited bug, but not for Windows 10

Microsoft's Patch Tuesday updates addressed over 120 vulnerabilities, including one actively exploited flaw (CVE-2025-29824) and 11 critical issues. CVE-2025-29824 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, targeted by the group Storm-2460 to deploy ransomware called PipeMagic, affecting victims in the US, Spain, Venezuela, and Saudi Arabia. This vulnerability has a CVSS score of 7.8 and allows attackers to escalate privileges due to a use-after-free flaw. Patches for Windows Server and Windows 11 have been released, but Windows 10 users are still awaiting a fix, with Microsoft promising updates soon. Among the critical vulnerabilities addressed, all allow for remote code execution (RCE). Notable vulnerabilities include: - CVE-2025-26670: LDAP Client RCE, Critical, CVSS 8.1 - CVE-2025-27752: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-29791: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-27745: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27748: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27749: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27491: Windows Hyper-V RCE, Critical, CVSS 7.1 - CVE-2025-26663: Windows LDAP RCE, Critical, CVSS 8.1 - CVE-2025-27480: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-27482: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-26686: Windows TCP/IP RCE, Critical, CVSS 7.5 - CVE-2025-29809: Windows Kerberos Security Feature Bypass, Important, CVSS 7.1 Dustin Childs from ZDI noted that CVE-2025-29809 requires additional measures beyond standard patching. CVE-2025-26663 and CVE-2025-26670 are considered wormable, necessitating prompt updates, especially for networks exposing LDAP services. Adobe released over 50 fixes for vulnerabilities in products like Cold Fusion, After Effects, and Photoshop, with some issues in Cold Fusion classified as critical. AMD updated advisories regarding GPU access and various Ryzen AI software vulnerabilities.

Winsage

March 31, 2025

Windows 11 quick machine recovery: Restoring devices with boot issues

Microsoft has launched a quick machine recovery feature in its Windows operating system to help IT administrators remotely execute fixes on machines that cannot boot, particularly during widespread outages. This feature allows devices to automatically enter Windows Recovery Environment (WinRE) and connect with Microsoft’s recovery services for tailored remediations delivered via Windows Update. IT administrators can enable or disable this feature remotely and configure settings such as scanning intervals and restart timeouts. Currently, quick machine recovery is in testing and available to users in the Windows Insider Program, with plans for future accessibility to IT administrators managing Windows 11 Pro and Enterprise devices.