Hotpatching goes default in Windows Autopatch whether you like it or not
Summary
Microsoft is flipping the switch: hotpatch updates will be enabled by default in Windows Autopatch starting with the May 2026 security update. Hotpatching applies many security fixes without requiring a restart after an initial baseline restart; quarterly baseline updates will still need reboots. Opt-out controls are due on 1 April 2026, and administrators can disable hotpatching at the tenant level or for device groups if they prefer the traditional patching approach.
Key Points
- Hotpatching (rebootless security updates) will be enabled by default in Windows Autopatch from May 2026.
- Opt-out controls become available from 1 April 2026; admins can opt out at the tenant level or, via policy, for device groups.
- Hotpatching requires one baseline update with a restart to initialise; subsequent hotpatches install silently without reboot.
- To receive hotpatches, devices must meet the prerequisites: Windows 11 24H2 or later, an eligible licence, and the April 2026 security update installed.
- Windows Autopatch still uses testing rings and respects existing quality update policies (deferrals and ring settings remain honoured).
- Microsoft recommends leaving hotpatching enabled, calling it “the quickest way to get secure.”
- Concerns remain: compressed rollout timeline and the risk that rebootless updates could increase the blast radius when things go wrong.
Content summary
Microsoft says hotpatches change the game by delivering security fixes that take effect immediately without user reboots, improving speed-to-patch. Windows Autopatch will manage rollout via its existing ring-based model and will not override preconfigured update policies. However, devices that meet Microsoft’s prerequisites will start receiving hotpatches automatically once the May update is deployed, unless administrators opt out. The company offers tenant- and policy-level opt-outs for shops that need more time or want to preserve stricter control over updates. The Register flags the short notice and potential for greater impact if a problematic update slips through as practical concerns for sysadmins.
Context and relevance
This change sits within a broader industry trend toward faster, less disruptive patching to reduce exposure windows. For security teams and IT operations, it’s significant because it alters the balance between rapid remediation and operational control. Organisations that rely on strict change windows, compatibility testing or have bespoke software environments may need to act: verify device eligibility, review Autopatch policies, and decide whether to opt out or adjust rings and deferrals. The move also follows other recent Microsoft update controversies, so cautious teams will want to monitor early deployments closely.
Why should I read this?
Quick and dirty: if you manage Windows fleets, this affects you — pronto. Hotpatches will start arriving by default unless you opt out, so check your Autopatch settings, confirm which devices qualify, and decide whether you want automatic, rebootless fixes or to keep tight control. You’ve got under two months before the change lands, so don’t leave this until Patch Tuesday morning.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/03/11/microsoft_hotpatching/
