Hotpatching goes default in Windows Autopatch whether you like it or not

From the department of "what could possibly go wrong?" comes news that Windows Autopatch is enabling hotpatch security updates by default.

The change starts with the May 2026 Windows security update, and controls to opt out will be available from April 1.

According to Microsoft, the company has "changed the game" with the launch of hotpatch updates. The feature installs security updates without requiring a restart, meaning changes take effect immediately. The process does require one baseline update with a restart to kick things off. However, after that, hotpatch updates install silently, with no reboot needed. That said, every quarterly baseline update still demands a restart.

Windows Autopatch manages the rollout of updates across an organization. It uses "testing rings" – sample device groups – to roll out updates progressively and halt or reverse them if problems emerge.

Enabling hotpatch by default from May 2026 won't override existing policies. Microsoft states that "Windows Autopatch respects your configuration of quality update policies," meaning update deferrals and ring settings still apply.

However, on any device that meets the prerequisites (running Windows 11 24H2 or later, using an eligible license, and with the April 2026 security update installed), hotpatch updates will start rolling in automatically.

Microsoft's recommendation is, unsurprisingly, to leave hotpatch updates enabled. It argues that "hotpatch updates are the quickest way to get secure."

Administrators who need more time before the change happens (less than two months isn't a lot of notice) or want to stick to the previous patching method can opt out at the tenant level or via a policy for a group of devices.

Microsoft has had a rocky start to the year on the update front. Its ring-based deployment strategy does not limit the blast radius when something goes wrong, and making hotpatching the default adds another variable that could produce unexpected consequences.

Administrators who prize tight control over their environments won't love this change, which makes the tenant-level and policy-level opt-outs genuinely welcome additions. The compressed timeline is harder to defend. ®

Source: The Register