A new Windows Autopatch report that reflects updated recommendations on patch compliance is rolling out soon to your tenant.
Keeping devices up to date has never been more critical for security. As noted in a recent post AI-powered defense for an AI-accelerated threat landscape, by Ales Holecek, Chief Architect and Corporate Vice President of Microsoft Security, organizations need to rethink exposure, response, and risk. This is especially true when it comes to keeping Windows devices patched with the latest security updates.
On April 22, 2026, Microsoft Intune released a new security update status dashboard offering centralized visibility into update compliance across Windows client, Windows Server, and Microsoft 365 apps. The dashboard provides a clear, current view for IT and security teams, backed by current data, and without the need to switch between multiple reports or tools.
Today, we're announcing that Windows Autopatch is rolling out an extension to that dashboard offering more detailed information on client patching status and policy risk exposure. This new Windows Autopatch report:
- Breaks down specific patch versions within your estate.
- Informs you of policies putting your estate at risk.
- Provides actionable workflows to help reduce exposure.
Updated recommendations for servicing Windows
Strategies for reducing risk and staying current are changing. Across the industry, organizations often had a 14- or 28-day SLA to patch devices across their estate. In today's threat landscape, this can leave users in an exposed or critical vulnerability state.
Aligned with the recommendations provided in the recent post from Microsoft Security we are adjusting our recommendations and encourage organizations to install the latest security updates:
-
Within 3 days to be considered current (and reported as current)
-
Within 7 days to help ensure devices aren’t subject to vulnerabilities (and reported as critical)
-
Between 3 and 7 days, devices are considered exposed (and reported as exposed)
To view which policies in your tenant are not configured per recommendations, navigate to the Windows Autopatch overview pane and select View policies leading to increased risk exposure, a poor experience. From here, you can see which policies are configured in a way that falls short of these recommendations.
We recognize that more aggressive timelines can introduce disruption. However, given the pace of today's threat landscape, these updated recommendations are intended to balance stronger security while maintaining user productivity and stability.
To help ensure devices stay secure, while having an optimal experience, we recommend using Windows Autopatch and configuring the following policies:
- Quality update deferral of < 3 days
- Quality update deadline of 0 or 1 day
- Grace period of 1 or 2 days
- Enable hotpatch updates (Note: Hotpatch updates will be enabled by default for all eligible devices that haven't been opted out starting in May 2026.)
We also recommend using Extended Security Updates (ESU) for all eligible devices still running Windows 10 so those devices continue to receive critical security updates.
Reassess and stay protected
Now is the time to reassess your risk profile and patching deployments. We continue to improve Windows Autopatch reports to give you the information you need to help reduce threats to your estate. By using the new report, you can identify where to take action to stay even more protected in this ever-evolving threat landscape.
Additional resources:
Microsoft