What’s New for Windows Patching
As of mid-2025, there are several notable trends and developments in Windows and third-party patch management that are relevant for IT professionals, especially those in regulated environments like financial institutions. Here’s a breakdown of what’s new and important:
- Checkpoint Cumulative Updates – In late 2024, Microsoft introduced checkpoint cumulative updates for systems running Windows 11, version 24H2 and Windows Server 2025.
  - Checkpoint cumulative updates will be released on a more frequent basis to deliver patches. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This new process means that you can save time, bandwidth, and hard drive space.
  - The monthly Patch Tuesday will continue to be the primary release for security updates and bug fixes.
  - Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) continue to install the latest monthly security update regardless of whether there were any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged.
- Windows Autopatch – A cloud service through Microsoft Intune that automates updates for Windows, Microsoft 365 Apps for enterprise, Teams, and Edge.
  - Microsoft continues to expand and enhance this service to provide more controls and reporting. Windows Autopatch reports now cover all Intune-managed devices, with four-hour client-to-cloud latency.
  - Autopatch now operates with least-privilege access, changing how the service makes changes in a person’s environment, acting with the current user’s permission instead of with full Intune administrator permissions.
- Enhanced Windows Update for Intune (aka Windows Update for Business)
  - Better visibility and reporting for patch status across devices.
- New: Winget can now manage updates for more third-party apps natively (Zoom, Chrome, Adobe Reader, etc.)
  - Intune + Winget can now automatically update many third-party apps using public repositories.
  - Microsoft’s Windows Package Manager Community Repository is growing.
Some concerns have been raised about the new features, including:
- Controlled Feature Rollout (CFR) – This feature controls the pace of updates so that not all devices get updates at the same time, even within the same organization.
  - This can result in devices within an organization not having consistent updates.
  - This issue can be mitigated through Group Policy and mobile device management (MDM) controls.
- Microsoft is bundling Servicing Stack Updates (SSUs) with cumulative updates, which can cause issues when updates fail and are retried.
- Windows Update now includes automatic third-party driver updates (e.g., GPU, Wi-Fi), which may introduce instability or compatibility issues, especially on critical systems or with banking hardware.
  - Financial systems often depend on certified hardware compatibility. Unintended driver updates can break integrations with ATMs, teller systems, etc.
  - These issues could potentially be mitigated by increased testing, including the rollback process.
- Microsoft is increasingly de-emphasizing Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) in favor of cloud-first tools like Windows Autopatch, Intune, and Update Compliance.
  - Institutions still relying on on-premises infrastructure may find themselves without full support for newer patching models or lacking the telemetry required to manage updates securely.
  - Institutions may want to consider developing a hybrid patch management strategy to be prepared for additional actions by Microsoft towards retiring older solutions.
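For the driver-update concern above, the Group Policy control that keeps drivers out of Windows Update quality updates can be audited from PowerShell, and a signed-driver inventory taken before patching gives the testing and rollback process something concrete to diff against afterwards. The script below is an added example, not part of the article; it assumes an elevated session, and the baseline file path is a placeholder you would replace.

```powershell
# Added example (not from the article). Audits the "Do not include drivers with
# Windows Updates" policy and snapshots the signed-driver inventory so a post-patch
# run can flag driver changes before they reach ATM or teller hardware.
# Assumes an elevated session; $BaselinePath is an assumed placeholder location.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyName   = 'ExcludeWUDriversInQualityUpdate'   # DWORD 1 = drivers excluded
$BaselinePath = 'C:\PatchAudit\driver-baseline.json' # assumed path

function Get-DriverPolicyState {
    $v = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($v -eq 1) { 'Excluded' } else { 'Included (drivers may arrive via Windows Update)' }
}

# Applies the exclusion; call only after the change is approved for the device group.
function Set-DriverExclusion {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

function Get-DriverSnapshot {
    Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DriverVersion } |
        Select-Object DeviceID, DeviceName, DriverProviderName, DriverVersion, DriverDate
}

# Reports drivers that are new or whose version changed since the baseline.
function Compare-DriverSnapshot {
    param($Baseline, $Current)
    $before = @{}
    foreach ($d in $Baseline) { $before[$d.DeviceID] = $d.DriverVersion }
    foreach ($d in $Current) {
        $old = $before[$d.DeviceID]
        if ($null -eq $old) {
            [pscustomobject]@{ Device = $d.DeviceName; Change = 'New'; From = $null; To = $d.DriverVersion }
        } elseif ($old -ne $d.DriverVersion) {
            [pscustomobject]@{ Device = $d.DeviceName; Change = 'Changed'; From = $old; To = $d.DriverVersion }
        }
    }
}

"Driver policy: $(Get-DriverPolicyState)"
if (Test-Path $BaselinePath) {
    # Post-patch run: diff the live inventory against the saved baseline.
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    Compare-DriverSnapshot -Baseline $baseline -Current (Get-DriverSnapshot) | Format-Table -AutoSize
} else {
    # Pre-patch run: record the baseline for the next comparison.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-DriverSnapshot | ConvertTo-Json | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

Run it once before the maintenance window to write the baseline and again after patching; any "Changed" row on a certified device is a candidate for the rollback process before the device returns to service.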
As any IT administrator will tell you, patching is complex, troublesome, and always changing. But it is also critical for the security of your data and therefore we all need to stay “Intune” with the adjustments coming our way.
References: https://learn.microsoft.com/en-us/windows/deployment/update/catalog-checkpoint-cumulative-updates