HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Windows 11 Windows 11Vulnerability ManagementAIPatchingWindows AutopatchSecurityMDASHIntune

Microsoft's AI Is Hunting Windows Vulnerabilities Before Attackers Do — What MDASH Means for Your Fleet

IA
Imran Awan
10 July 2026

AI is now on both sides of the vulnerability race. Attackers are using it to discover zero-days faster than ever. Microsoft's response — announced on 9 July 2026 by Pavan Davuluri, Executive Vice President of Windows and Devices — is to use AI to beat them to it. The system is called MDASH, and it is already running against the Windows codebase at scale.

The direct consequence for you as an Intune admin: expect more security updates, more frequently. That is not bad news — it means the attack window between discovery and patch is shrinking. But it does mean your patching pipeline needs to be able to absorb updates without breaking your fleet. This post breaks down what MDASH actually does, what changes in your day-to-day operations, and exactly how to configure Windows Autopatch and hotpatch to keep up.

Context: This post is based on the official Microsoft announcement at blogs.windows.com. All technical details — MDASH, KIR, SUVP — are from that source. No speculation.

What MDASH actually is

MDASH stands for Multi-model Agentic Scanning Harness. It is Microsoft's dedicated AI pipeline for finding security vulnerabilities in Windows binaries before attackers do. Here is how it works:

What this means for patch volume: Microsoft explicitly states that customers should expect a higher volume of security updates as MDASH matures. The system is finding real vulnerabilities — ones that would otherwise have been discovered by attackers first. More discoveries = more patches. Plan your update rings accordingly.
MDASH — How a Vulnerability Travels from AI to Your Device
AI Scanner
Multi-model debate scans critical Windows binaries
Prove Pipeline
Windows-specific validation — removes false positives
MSRC Review
Security Response Center assigns severity, assigns engineers
AI-Assisted Fix
Engineers use AI to understand failure and propose candidate fixes
SUVP Testing
Security Update Validation Program — multi-environment testing
Patch Tuesday
Cumulative update delivered to your fleet via Windows Update / Intune

What changes for your fleet

Three operational changes are coming as MDASH scales up.

1. Higher patch frequency. Microsoft has been direct about this: the system will produce more CVEs, which means more patches. The monthly Patch Tuesday cadence remains, but the volume of CVEs addressed each month will grow. Your update rings need to be able to process updates without a two-week manual validation delay — that window is where real-world exploits happen.

2. Faster zero-day turnaround. When MDASH finds a vulnerability before an attacker does, Microsoft can develop and test the patch before any exploitation occurs. The gap between discovery and patch shrinks from weeks (reactive) to days (proactive). Your devices need to be positioned to absorb patches quickly.

3. Known Issue Rollback (KIR) as your safety net. Microsoft explicitly flags KIR as a key part of this model. If a patch causes a regression, KIR allows Microsoft to roll back only the problematic fix without removing the entire security update. You do not need to choose between security and stability.

Tip: KIR rollbacks are delivered as Group Policy updates, not full cumulative updates. If you see a new GPO appear in your tenant after a problematic Patch Tuesday, that is KIR in action. You do not need to do anything — it applies automatically.

Check your current patch posture before you do anything else

Before enabling Autopatch or hotpatch, know where you stand. Run this against your devices to see patch compliance state:

PowerShell — Check patch compliance
# Check Windows Update last install date and pending updates $session = New-Object -ComObject Microsoft.Update.Session $searcher = $session.CreateUpdateSearcher() $result = $searcher.Search("IsInstalled=0 and Type='Software'") Write-Host "Pending updates: $($result.Updates.Count)" foreach ($u in $result.Updates) { Write-Host " - $($u.Title)" } # Check last successful Windows Update install Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn, Description

If your devices are more than 30 days behind on cumulative updates, you have a gap that MDASH-driven patches will widen — not close — unless you act now.

In Intune, check compliance at scale:

PowerShell — Intune compliance via Graph API
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" # Get all non-compliant devices $nonCompliant = Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All $nonCompliant | Select-Object DeviceName, OSVersion, LastSyncDateTime, ComplianceState | Sort-Object LastSyncDateTime | Export-Csv "C:\Temp\NonCompliantDevices.csv" -NoTypeInformation Write-Host "Non-compliant device count: $($nonCompliant.Count)"
Watch out: Devices that have not synced with Intune in more than 30 days will not receive policy-driven updates. LastSyncDateTime older than 30 days is a critical gap. Those devices are effectively unmanaged from a patching perspective.
Microsoft Intune Admin Center — Device Compliance Devices › Monitor › Compliance
847
Compliant
43
Non-compliant
12
Not evaluated
8
In grace period
Device name
OS Version
Last sync
Status
DESKTOP-REDACTED
22H2 (19045)
47 days ago
Non-compliant
LAPTOP-REDACTED
24H2 (26100)
2 hours ago
Compliant

Enable Windows Autopatch with hotpatch

Windows Autopatch is Microsoft's answer to the operational burden of absorbing more frequent patches. It handles deployment ring management, reliability-based pausing, and rollback automatically. Hotpatch goes further — it applies security fixes without requiring a reboot, which means your users stay productive even on a heavy Patch Tuesday.

Hotpatch is available for Windows 11 24H2 Enterprise and later (via Intune). Here is how to enable it:

Intune Admin Center — Path to Hotpatch policy
Devices Windows Update rings for Windows 10 and later Create profile
Setting
Value
Enable hotpatch updates
Enabled
Quality update deferral period (days)
0 (pilot ring) / 7 (standard)
Automatic update behavior
Auto install and restart at scheduled time

Verify hotpatch is applying correctly from the device side:

PowerShell — Verify hotpatch status
# Check if device received a hotpatch update Get-HotFix | Where-Object { $_.Description -like "*Hotpatch*" } | Select-Object HotFixID, InstalledOn, Description # Check Windows Update for Business reports via registry Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" | Select-Object PauseUpdatesStartTime, PauseUpdatesExpiryTime, ActiveHoursStart, ActiveHoursEnd # Confirm current patch level (Get-ComputerInfo).OsHotFixes | Sort-Object InstalledOn -Descending | Select-Object -First 3
Tip: For Windows Server, hotpatch is available through Azure Arc. Onboard your on-premises servers to Azure Arc, then enable hotpatch via Azure Update Manager. You get the same reboot-free patching on server workloads — critical for domain controllers and file servers where reboot windows are tight.

Configure Microsoft Defender Vulnerability Management

MDASH finds vulnerabilities in Windows. Defender Vulnerability Management (DVM) helps you track which of those vulnerabilities affect your specific fleet and prioritise remediation. As MDASH generates more CVEs, DVM is where you will see them surface against your device inventory.

Enable DVM in Intune via Endpoint Security:

Intune Admin Center — Endpoint Security path
Endpoint Security Vulnerability Management Security recommendations
What you will see here:
  • CVEs affecting your specific device inventory — not generic advisories
  • Exposure score per device — which devices are most at risk right now
  • Recommended security configurations aligned to Windows security baselines
  • One-click remediation tasks that push to Intune automatically

Watch the official walkthrough

Microsoft published a detailed video walkthrough of the Windows vulnerability management changes. Worth 10 minutes of your time before your next Patch Tuesday planning session:

Windows Vulnerability Management — Official Microsoft Video
Microsoft — YouTube

Your pre-Patch Tuesday checklist

Given MDASH is accelerating the volume of CVEs coming your way, here is what your monthly prep should look like from now on:

Monthly Patch Tuesday Readiness — Checklist
1
Check DVM exposure score — any devices above threshold need priority attention before patch drops
2
Review MSRC Security Update Guide at msrc.microsoft.com — read the CVE list before it drops, not after
3
Enable optional "D" release testing — Microsoft releases a preview two weeks before the security update. Use it in your pilot ring
4
Confirm Autopatch rings are healthy — run the Graph query above to find devices not syncing
5
Verify hotpatch eligibility — devices must be on Windows 11 24H2 Enterprise or later. Run the PowerShell above to confirm coverage

Known Issue Rollback — what it is and when you will see it

KIR is a mechanism Microsoft uses when a patch causes a regression in production. Instead of pulling the entire cumulative update (which would remove the security fixes), KIR surgically reverts only the problematic component. From your perspective as an admin:

How to monitor KIR in your tenant: Go to Intune Admin Center → Reports → Windows Updates → Windows feature update report. If KIR is active for a specific update, you will see a flag in the update status column. Microsoft also publishes KIR details on the Windows Release Health dashboard.

References

Scripts on GitHub

The three PowerShell scripts from this post — patch compliance check, non-compliant device triage, and hotpatch eligibility verification — are available on GitHub.

View scripts →
Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Windows 11
Windows Settings Backup Is On by Default From 26H2 — What You…
Starting with Windows 11 26H2, eligible devices will have settings backup on by default.…
Scripts & Tools
Deploy Free WHfB Health Scripts to Intune: Six Checks, Five…
WHfB breaks silently — PRT expires, NGC keys corrupt, services stop. Here is a Proactive…
Intune
Intune Certificate Profiles: SCEP, PKCS, NDES and the Full…
Certificate-based authentication in Intune — the full architecture from Root CA through…