Microsoft now offers Windows Server 2025 hotpatching through Azure Arc at no additional charge for eligible Azure Arc-enabled servers. Hotpatching installs Windows security updates without restarting the server in most months, but it does not eliminate all reboots. You still need Azure Arc, the Azure Connected Machine agent, Virtualization-based Security, and a supported Windows Server 2025 edition. This article explains what those requirements mean, how to enable the feature, and where its limits are.

Source

Windows Autopatch in the Intune admin center now includes an updated Secure Boot status report that provides device-level visibility into certificate readiness ahead of the 2026 expiry deadline. The report shows which devices have Secure Boot enabled, whether their certificates are up to date, and whether automatic or manual deployment applies. New columns for trust configuration, confidence level, and alerts help you make targeted decisions instead of broad deployments.

Source

Microsoft is introducing Cloud-Initiated Driver Recovery, a mechanism that automatically rolls back a faulty driver on your devices via Windows Update, without requiring any action from you or your hardware vendor. The feature is aimed at closing a gap where a bad driver could linger on devices for weeks before a fixed version became available. It works through the existing Windows Update pipeline and requires no new software on the client side. The feature is currently in a manual testing phase and is targeted for full automation in September 2026.

Source

In a blog post titled 'Your Windows Update experience just got updated,' Microsoft has discussed its new mechanism to handle update installation failures on Windows 11: Windows now attempts to repair a failing update in real time during installation rather than rolling back immediately. This feature, called 'automatic recovery for update failures,' reduces the number of devices left in a failed-update state that requires manual troubleshooting. Administrators should note that this feature is distinct from—and should not be confused with—boot-level recovery, which is a separate safety net for devices that fail to start up after Patch Tuesday.

Source

Windows 11 version 25H2 introduces a new Group Policy setting, Configure maintenance windows for automatic updates, that lets you define precise time windows for downloading, installing, and restarting after updates. The policy ships with version 3.0 of the ADMX administrative templates and is currently available only in Windows 11 Insider Preview builds. It takes priority over several existing update-related policies, but the interaction rules are only partially documented.

Source

The April 2026 Windows update cycle includes several changes that matter to IT administrators.

Source

Microsoft is rolling out several long-requested changes to the Windows Update experience in Windows 11. You can now skip updates during initial device setup, pause them for up to 35 days with no limit on how many times you extend the pause, and restart or shut down your PC without being forced to install a pending update. Driver, .NET (Microsoft's application runtime framework), and firmware updates will be bundled into a single monthly restart cycle. These changes are currently rolling out to Windows Insiders in the Dev and Experimental channels.

Source

Microsoft announced on April 15, 2026, a second paid security update period—called "Period 2"—for Exchange Server 2016 and 2019. This extends coverage from May through October 2026 for organizations unable to complete their migration to Exchange Server Subscription Edition (SE). The program covers only security-related patches and requires a separate purchase via a Microsoft Enterprise Agreement. This article explains what the program includes, who qualifies, and the practical limitations.

Source

On April 1, Microsoft published a TechCommunity blog post explaining how Windows Update management in Intune differs from Configuration Manager (still widely known as SCCM). A Techzine author read the post as an announcement of upcoming changes and reported that "patch behavior is set to change significantly for Microsoft Intune." That framing is a human hallucination, as Microsoft's post does not announce any changes.

Source

Microsoft announced that Windows Autopatch will enable hotpatch security updates by default for all eligible devices starting with the May 2026 Windows security update. The change affects devices managed through Microsoft Intune and the Windows updates API in Microsoft Graph. Hotpatch updates install security fixes without requiring a device restart, accelerating compliance across organizations. Previously, this feature required manual activation by administrators.

Source

Windows Autopatch update readiness reached general availability, adding four capabilities to the Windows Autopatch blade in the Microsoft Intune admin center. The new features—management status report, quality update journey, alerts and remediations, and Update Readiness Checker—give IT teams proactive visibility into device readiness, update blockers, and remediation guidance across Intune-managed Windows fleets. All capabilities are included in the existing Windows Autopatch license at no additional cost. Windows Autopatch is available for customers with Windows Enterprise, Frontline, US Government, Education, and Business Premium SKUs.

Source

Windows 10 Enterprise LTSB 2016 reaches end of support (EOS) on October 13, 2026, after which Microsoft will stop delivering security updates, bug fixes, and technical support. Organizations that cannot migrate to a newer release by that date can purchase Extended Security Updates (ESU), a paid program that provides critical security patches for up to three years. ESU licenses for LTSB 2016 will be sold through Volume Licensing or a Cloud Solution Provider (CSP) starting in Q2 2026. Activation is performed using a Multiple Activation Key (MAK) and the slmgr.vbs command-line tool.

Source

Microsoft released KB5077868 on February 16, 2026, to resolve a TrustedInstaller deadlock bug that causes Windows 11, version 26H1, to hang during the out-of-box experience (OOBE). The fix is delivered automatically as an OOBE update when the device has an active internet connection at first boot. No restart is required after applying the update, and Microsoft reports no known issues with KB5077868.

Source