Windows Autopatch

Winsage
March 15, 2026
Microsoft has released an out-of-band hotpatch update, KB5084597, to address three critical remote code execution vulnerabilities (CVE-2026-25172, CVE-2026-25173, CVE-2026-26111) in the Windows Routing and Remote Access Service (RRAS) management tool. This update is specifically for Windows 11 Enterprise devices in the hotpatch program that did not receive fixes during the March 2026 Patch Tuesday. The vulnerabilities can be exploited by an authenticated attacker within the domain, potentially leading to remote code execution. Hotpatch updates apply fixes through in-memory patching without requiring a device reboot, making them suitable for mission-critical devices. The update is applicable to Windows 11 versions 24H2, 25H2, and Windows 11 Enterprise LTSC 2024, and will be automatically installed on enrolled devices without a restart. Non-enrolled devices received the fix via the standard March 10 Patch Tuesday update.
Winsage
March 11, 2026
Microsoft will enable hotpatch security updates by default starting with the May 2026 Windows security update. Hotpatch updates allow security enhancements to be applied without system restarts, while quarterly baseline updates will still require a restart. Windows Autopatch will manage updates using "testing rings" to progressively roll out updates and address any issues. Devices must run Windows 11 24H2 or later and have the April 2026 security update installed to receive hotpatch updates automatically. Existing update policies will remain intact, and administrators can opt out of hotpatch updates at the tenant or group policy level.
Winsage
March 11, 2026
Microsoft will enable hotpatch security updates by default for eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API starting with the May 2026 Windows security update. This change aims to enhance security and halve the time needed to reach 90% patch compliance. The updates will be managed through Windows Autopatch, which allows organizations to apply updates without manual intervention. Administrators can manage hotpatch updates at the tenant level and can opt out starting April 1, 2026. A Hotpatch quality updates report will be available in Intune to confirm that devices are ready for the updates. Windows Autopatch became generally available in July 2022 and is currently operational on over 10 million production devices.
Winsage
March 11, 2026
Microsoft will automatically enable hotpatch security updates for Windows devices managed through Microsoft Intune or the Microsoft Graph API starting with the May 2026 Windows security update. This feature allows security fixes to be applied without requiring a device restart, improving compliance efficiency. Devices that install the April 2026 baseline security update will begin receiving hotpatch updates in May 2026, but this will only apply to devices not already assigned to a quality update policy. Organizations can opt out of hotpatch updates for specific device groups or their entire tenant starting April 1, 2026.
Winsage
February 25, 2026
Microsoft is offering up to three years of Extended Security Updates (ESU) for older Windows installations, with the expectation of compensation. Most major versions of Windows 10 will reach end of support by 2025, while Windows 10 Enterprise 2016 LTSB and Windows IoT Enterprise LTSB 2016 will end support on October 13, 2026, and Windows Server 2016 will conclude support on January 12, 2027. Microsoft recommends upgrading to Windows Server 2025 for Windows Server 2016 users. The pricing for ESU for Windows 10 2016 LTSB starts at a specified amount per device for the first year, with expected increases in subsequent years. Customers using Intune or Windows Autopatch may receive a reduced rate. There is no official pricing for Windows Server 2016 ESU, creating uncertainty for administrators. Historically, Microsoft has charged a premium for extended support, with previous ESU costs for Windows Server 2012 being 100 percent of the full license price for the first year. The final cost of ESU will depend on each organization’s licensing agreement.
Winsage
December 8, 2025
Microsoft has introduced a Common Vulnerabilities and Exposures (CVE) reporting capability within Windows Autopatch to improve security for IT teams. This tool provides an overview of Windows vulnerabilities addressed in recent updates, enabling device-specific tracking. Key features of the CVE report include a list of CVEs addressed in the past 90 days, tracking of patch compliance at the device level, links to Knowledge Base articles, filtering options, and near real-time updates. Administrators can access the CVEs report by navigating to the Microsoft Intune admin center and selecting the appropriate reports. The report includes CVE identifiers, severity scores, exploitation status, and details on devices needing updates. Organizations can enhance their response to vulnerabilities by utilizing various strategies, such as the Windows Autopatch update readiness feature and targeted fixes with the Security Copilot Vulnerability Remediation Agent.
Winsage
October 1, 2025
Microsoft has released the Windows 11 2025 Update, also known as Windows 11, version 25H2, which will be delivered as an enablement package (eKB) that includes features from version 24H2. This update focuses on security enhancements, including improved vulnerability detection and AI-assisted secure coding, while removing legacy features like PowerShell 2.0. The rollout begins for eligible devices running version 24H2, with a gradual expansion over the coming months. For commercial and educational users, version 25H2 is available through Windows Autopatch and the Microsoft 365 admin center, introducing new functionalities such as Wi-Fi 7. The support timeline is reset to 24 months for Home and Pro editions and 36 months for Enterprise and Education editions. Users on version 23H2 and earlier must perform a full OS swap to update to version 25H2. The update will be available via Windows Server Update Services (WSUS) on October 14, 2025.
Winsage
July 29, 2025
Windows 10 is approaching its end of life, and organizations can purchase Extended Security Updates (ESU), though this may not be financially viable for all. Microsoft has released a guide to assist companies in upgrading from Windows 10 to Windows 11 via Intune. The guide is intended for domain-joined or co-joined Windows 10 PCs and emphasizes the need for hardware compatibility, specifically TPM 2.0. Organizations should use Microsoft Configuration Manager or Endpoint Analytics to verify hardware requirements and ensure devices are updated to version 22H2. IT administrators are advised to synchronize identities from Active Directory to Entra ID, configure hybrid join, and prepare the Intune environment with the necessary licenses and roles. They should also streamline Group Policy Objects, establish Intune configuration profiles, and use Windows Autopatch for updates. Applications must be migrated from Configuration Manager to Intune for management, and outdated deployments should be decommissioned. The final migration step involves transitioning to an Entra ID-joined configuration. This process aims to improve management, security, and user experience, and to reduce reliance on legacy infrastructure.