Microsoft on May 12, 2026 issued new guidance that could slash the time it takes to deploy critical out-of-band patches from days to hours. The company is urging IT administrators to adopt risk-based deployment rings, a model that uses Microsoft’s own threat intelligence to automatically accelerate security updates to the devices that need them most.

What actually changed

The guidance, published as a security advisory and detailed in a Windows IT Pro Blog post, introduces risk-based rings as an expansion of the existing deployment ring model in Windows Update for Business and Microsoft Intune. Until now, rings have been static: administrators manually assign devices to groups like “ring 1” (pilot), “ring 2” (early adopters), and “ring 3” (broad deployment). Each ring gets a deferral period—say, 0 days, 7 days, and 14 days—meaning even a zero-day patch takes two weeks to reach all machines.

With the new risk-based approach, Microsoft’s cloud service can dynamically place devices into one of three rings—accelerated, standard, or conservative—based on real-time threat signals. These signals include factors such as whether a device is exposed to the internet, its patching history, the presence of vulnerable software, and active attack telemetry from Microsoft Defender. When a critical out-of-band patch is released, the service overrides static ring assignments solely for that update, putting high-risk devices into the accelerated ring (zero deferral) while keeping low-risk devices in a safer, staged rollout.

“You still control the guardrails,” the advisory notes. Administrators define risk thresholds: what qualifies as high risk, how much deferral each ring gets, and which devices are exempt. But the decision about which ring a device lands in for a given emergency patch is made by Microsoft’s threat algorithms, based on the signals you’ve opted into.

What it means for you

For IT administrators and system administrators
This changes the calculus for emergency patching. Instead of racing to manually move devices up the ring ladder or—more commonly—kicking off a full, organization-wide accelerated deployment and hoping nothing breaks, you can let risk scoring do the heavy lifting. The most exposed machines get patched in hours, while the bulk of your fleet still enjoys a safety buffer.

However, risk-based rings come with new responsibilities. You’ll need to trust Microsoft’s threat assessment. You’ll need to ensure your device inventory is accurate and that devices report their configuration and exposure status. False positives—where a device is mistakenly tagged high-risk—could lead to an unstable patch hitting a critical machine prematurely. So testing is still essential: the advisory recommends a dedicated test ring that always gets patches immediately, separate from the risk-based model, to catch showstopper bugs before they spread.

For security teams
The feature should reduce the window of vulnerability. In recent years, ransomware gangs and state-sponsored actors have exploited the gap between patch release and deployment—sometimes weaponizing vulnerabilities within hours. By connecting the patch pipeline directly to threat intelligence, Microsoft aims to shrink that gap. Security teams can also configure alerts when a large number of devices shift into the accelerated ring, signaling an active threat.

For home and small business users
There’s no direct impact. Windows Update for consumers already uses some risk signals to prioritize critical updates, but the new controls are enterprise-only. Small businesses using Intune or Windows Update for Business can adopt the feature if they have E3 or E5 licenses.

For developers and ISVs
The accelerated rollout might mean that your enterprise customers install critical updates faster, potentially surfacing app-compatibility issues sooner. Microsoft advises that if your application touches networking or security, you should test against the latest patches in a similarly accelerated cadence.

How we got here

The shift to risk-based rings didn’t come out of nowhere. Over the past three years, the drumbeat of weaponized zero-days has grown louder. In 2024, Microsoft alone released over 40 out-of-band security updates, and the average time to exploitation for some vulnerabilities dropped to under 24 hours. Traditional ring deployment—designed for the Patch Tuesday cadence where admins had weeks to test—became a liability during emergencies.

At the same time, Microsoft has been weaving threat intelligence into every corner of its security stack. Defender for Endpoint already scores devices for risk; Intune already reports device compliance and exposure. The May 12 announcement simply connects those dots: “We’re taking the same risk signals that light up your security dashboard and using them to drive the update process,” a Microsoft spokesperson told media in a pre-brief.

The feature had been in private preview with select healthcare and financial organizations since early 2026, with positive results. One unnamed hospital network reported slashing its mean time to patch for critical vulnerabilities from 72 hours to just 4 hours without increasing compatibility incidents, by letting risk-based rings handle the initial wave while postponing broad deployment.

What to do now

If you manage Windows endpoints through Intune or Group Policy, here’s how to start:

  1. Audit your ring structure. Map all existing update rings and identify which devices truly need accelerated patching. High-risk candidates usually include internet-facing servers, executive laptops, and machines running legacy or vulnerable applications.

  2. Enable threat signals in Intune. Navigate to Devices > Windows > Update rings and create a new policy or modify an existing one. Under the “Out-of-band updates” section, toggle Use Microsoft threat signals for risk-based acceleration to Yes. You can then set the risk threshold (low, medium, high) that triggers an accelerated ring assignment, and define deferral periods for the standard and conservative rings.

  3. Configure a safety net. Keep at least one traditional ring with a fixed deferral (e.g., 7 days) that covers critical systems like domain controllers or factory-floor devices. Exclude those devices from the risk-based policy entirely, or set a “maximum deferral override” so they never get patched faster than you’re comfortable with.

  4. Test the process. Use the feature’s simulation mode (available in Intune) to see how your devices would be classified during a mock emergency. Microsoft provides sample threat data for testing without releasing actual updates.

  5. Monitor and adjust. After the first real out-of-band patch, review the deployment report in Intune to see which devices were accelerated, which stayed in standard rings, and whether any issues arose. Adjust thresholds accordingly.

  6. Train your team. Your incident response playbook should now include a step: “When Microsoft issues an out-of-band patch, verify that risk-based rings are processing it as expected.” The old practice of manually pushing patches through rings can be retired.

Outlook

Risk-based rings are likely just the beginning. Microsoft has hinted that similar dynamic deployment logic could come to regular Patch Tuesday updates in the future, using a “severity-based” model where critical-rated CVEs automatically get shorter deferrals across the board. For now, the feature is only for out-of-band patches, but the advisory says to “expect broader integration with Windows Autopatch and Azure Update Manager later this year.”

For the weary admin, the promise is clear: fewer emergency weekend war rooms, and a faster, smarter way to keep the wolves at bay. But as with any automation, trust must be earned. The next time a zero-day hits, your carefully tuned risk-based rings will either be your best friend—or a lesson in why staging still matters.