AI is now on both sides of the vulnerability race. Attackers are using it to discover zero-days faster than ever. Microsoft's response — announced on 9 July 2026 by Pavan Davuluri, Executive Vice President of Windows and Devices — is to use AI to beat them to it. The system is called MDASH, and it is already running against the Windows codebase at scale.
The direct consequence for you as an Intune admin: expect more security updates, more frequently. That is not bad news — it means the attack window between discovery and patch is shrinking. But it does mean your patching pipeline needs to be able to absorb updates without breaking your fleet. This post breaks down what MDASH actually does, what changes in your day-to-day operations, and exactly how to configure Windows Autopatch and hotpatch to keep up.
What MDASH actually is
MDASH stands for Multi-model Agentic Scanning Harness. It is Microsoft's dedicated AI pipeline for finding security vulnerabilities in Windows binaries before attackers do. Here is how it works:
- Multi-model debate: Multiple AI families — including leading third-party models — are run against the same code simultaneously. Each model flags candidate vulnerabilities. The system cross-examines results across models to filter noise.
- Dedicated cloud infrastructure: Scanning does not run on shared compute. Microsoft built dedicated cloud infrastructure specifically for the MDASH pipeline so it can scan continuously at scale.
- Critical binary focus: The scanner pipeline targets critical Windows binaries — the components most likely to be exploited in a zero-day attack.
- Prove pipeline: A separate Windows-specific validation step reduces false positives. A candidate vulnerability flagged by the AI models must pass the prove pipeline before it reaches an engineering team.
- MSRC integration: Confirmed vulnerabilities route directly to the Microsoft Security Response Center for prioritisation and fix assignment.
What changes for your fleet
Three operational changes are coming as MDASH scales up.
1. Higher patch frequency. Microsoft has been direct about this: the system will produce more CVEs, which means more patches. The monthly Patch Tuesday cadence remains, but the volume of CVEs addressed each month will grow. Your update rings need to be able to process updates without a two-week manual validation delay — that window is where real-world exploits happen.
2. Faster zero-day turnaround. When MDASH finds a vulnerability before an attacker does, Microsoft can develop and test the patch before any exploitation occurs. The gap between discovery and patch shrinks from weeks (reactive) to days (proactive). Your devices need to be positioned to absorb patches quickly.
3. Known Issue Rollback (KIR) as your safety net. Microsoft explicitly flags KIR as a key part of this model. If a patch causes a regression, KIR allows Microsoft to roll back only the problematic fix without removing the entire security update. You do not need to choose between security and stability.
Check your current patch posture before you do anything else
Before enabling Autopatch or hotpatch, know where you stand. Run this against your devices to see patch compliance state:
# Check Windows Update last install date and pending updates $session = New-Object -ComObject Microsoft.Update.Session $searcher = $session.CreateUpdateSearcher() $result = $searcher.Search("IsInstalled=0 and Type='Software'") Write-Host "Pending updates: $($result.Updates.Count)" foreach ($u in $result.Updates) { Write-Host " - $($u.Title)" } # Check last successful Windows Update install Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn, Description
If your devices are more than 30 days behind on cumulative updates, you have a gap that MDASH-driven patches will widen — not close — unless you act now.
In Intune, check compliance at scale:
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" # Get all non-compliant devices $nonCompliant = Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All $nonCompliant | Select-Object DeviceName, OSVersion, LastSyncDateTime, ComplianceState | Sort-Object LastSyncDateTime | Export-Csv "C:\Temp\NonCompliantDevices.csv" -NoTypeInformation Write-Host "Non-compliant device count: $($nonCompliant.Count)"
LastSyncDateTime older than 30 days is a critical gap. Those devices are effectively unmanaged from a patching perspective.Enable Windows Autopatch with hotpatch
Windows Autopatch is Microsoft's answer to the operational burden of absorbing more frequent patches. It handles deployment ring management, reliability-based pausing, and rollback automatically. Hotpatch goes further — it applies security fixes without requiring a reboot, which means your users stay productive even on a heavy Patch Tuesday.
Hotpatch is available for Windows 11 24H2 Enterprise and later (via Intune). Here is how to enable it:
Verify hotpatch is applying correctly from the device side:
# Check if device received a hotpatch update Get-HotFix | Where-Object { $_.Description -like "*Hotpatch*" } | Select-Object HotFixID, InstalledOn, Description # Check Windows Update for Business reports via registry Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" | Select-Object PauseUpdatesStartTime, PauseUpdatesExpiryTime, ActiveHoursStart, ActiveHoursEnd # Confirm current patch level (Get-ComputerInfo).OsHotFixes | Sort-Object InstalledOn -Descending | Select-Object -First 3
Configure Microsoft Defender Vulnerability Management
MDASH finds vulnerabilities in Windows. Defender Vulnerability Management (DVM) helps you track which of those vulnerabilities affect your specific fleet and prioritise remediation. As MDASH generates more CVEs, DVM is where you will see them surface against your device inventory.
Enable DVM in Intune via Endpoint Security:
- CVEs affecting your specific device inventory — not generic advisories
- Exposure score per device — which devices are most at risk right now
- Recommended security configurations aligned to Windows security baselines
- One-click remediation tasks that push to Intune automatically
Watch the official walkthrough
Microsoft published a detailed video walkthrough of the Windows vulnerability management changes. Worth 10 minutes of your time before your next Patch Tuesday planning session:
Your pre-Patch Tuesday checklist
Given MDASH is accelerating the volume of CVEs coming your way, here is what your monthly prep should look like from now on:
Known Issue Rollback — what it is and when you will see it
KIR is a mechanism Microsoft uses when a patch causes a regression in production. Instead of pulling the entire cumulative update (which would remove the security fixes), KIR surgically reverts only the problematic component. From your perspective as an admin:
- KIR arrives as a Group Policy update — not a new Windows update
- Devices receive it on the next GP refresh cycle
- You do not need to take any action — it applies automatically to enrolled devices
- You can track KIR events on the Windows Health Dashboard in the Intune admin center
References
- Evolving Windows vulnerability management to meet the speed of AI-powered discovery — Windows Experience Blog
- Windows Autopatch overview — Microsoft Learn
- Hotpatch updates in Windows Autopatch — Microsoft Learn
- Microsoft Defender Vulnerability Management — Microsoft Learn
- Microsoft Security Response Center — Security Update Guide
The three PowerShell scripts from this post — patch compliance check, non-compliant device triage, and hotpatch eligibility verification — are available on GitHub.
View scripts →