Windows hotpatching as the new default: security updates without reboots and what IT teams need to check now

By Zarioh Digital Solutions | 6 min read

Windows Autopatch is enabling hotpatching by default for all eligible endpoints. Security updates are applied in memory without a reboot, and the transition is happening this month. What is hotpatching, which devices qualify, and what actions should IT teams take now?

Windows Autopatch has rolled out a quiet but significant change this quarter: hotpatching is being enabled by default for all eligible endpoints starting June 2026. What began as an opt-in feature for Windows 11 Enterprise customers in early 2025 has become the new standard for every organisation running Windows Autopatch with eligible hardware.

The impact on day-to-day IT operations is immediate. Fewer scheduled reboots, smaller update packages, and a shorter exposure window between the availability of a security patch and its installation. At the same time, there are specific requirements, a new update cycle, and scenarios where opting out makes sense. This article covers the essentials.

What is hotpatching and how does it differ from a regular update?

A standard Windows security update replaces files on disk and requires a reboot to load the new code into memory. Hotpatching works differently: the patch is applied directly to the running processes in memory without requiring a restart. The on-disk files are updated simultaneously for consistency, but the reboot can be deferred to the next scheduled maintenance window.

The difference is directly relevant to an organisation's security posture. Reboots are frequently deferred, especially for active users or business-critical workloads. That deferral period is precisely the window in which a vulnerability remains exploitable. Hotpatching significantly reduces that window because protection is active as soon as the patch is installed, regardless of when the device restarts afterwards.

Hotpatch packages are also significantly smaller than standard cumulative updates, reducing bandwidth consumption for organisations with many endpoints and shortening installation time per device.

Why is Microsoft enabling hotpatching by default now?

Hotpatching has been available as an opt-in for Windows 11 Enterprise E3/E5 and Windows 365 Enterprise since early 2025. Adoption was positive, the technology proved itself, and Microsoft decided to make it a default-on setting. The rationale is the same as for other security defaults: a feature that demonstrably improves security posture should not depend on deliberate activation to achieve broad effect.

The timing fits within a broader movement in which Microsoft shifts security defaults. Multi-factor authentication was enabled by default for new tenants, Security Defaults in Entra ID are periodically tightened, and now hotpatching follows in Autopatch. The pattern is consistent: organisations that take no action automatically become better protected.

The transition began with the May 2026 Patch Tuesday cycle and continues through the June maintenance window. From 15 June 2026, all eligible devices that meet the requirements are moved to the hotpatch channel.

Which devices qualify?

Not every Windows device in your environment automatically benefits from hotpatching. Requirements apply at three levels.

At the licensing level, hotpatching is restricted to Windows 11 Enterprise or Education editions tied to E3, E5, A3, or A5 licences. Devices running Windows 11 Pro are not eligible and continue to receive the standard cumulative update.

At the OS version level, Windows 11 24H2 is the minimum requirement. Devices on older builds fall back to the standard Latest Cumulative Update.

At the hardware level, three security features are required: Secure Boot must be enabled, Virtualization Based Security (VBS) must be active in enforced mode, and Hypervisor-Enforced Code Integrity (HVCI), visible in Windows settings as Memory Integrity, must be on. Devices that fail at least one of these requirements automatically receive the standard LCU. That fallback behaviour is built in, so the transition does not block updates for ineligible devices.

What does the update cycle look like now?

Hotpatching follows a quarterly cycle. Each quarter begins with a baseline update: a full cumulative update that requires a reboot. That is the reference build on which the hotpatches of the subsequent two months are built. During those two months, eligible devices receive hotpatch updates — security fixes applied in memory without a reboot.

Of the twelve Patch Tuesday cycles per year, four require a reboot (the baseline months) and eight make the reboot optional (the hotpatch months). Microsoft cites a reduction in the reboot burden of up to fifty percent for quality updates.

Devices that are not running the exact baseline build at the time of a hotpatch release cannot receive the hotpatch and fall back to the full LCU. This is a practical consideration for devices that missed a baseline update due to network issues or travel restrictions: they can only join the hotpatch cycle again at the start of the next baseline quarter.

Five things IT teams should check this week

First: inventory which devices are eligible. In the Intune portal, filter on Windows 11 24H2 and Enterprise licences. Devices with that combination managed via Autopatch are the candidates for the hotpatch channel. Devices that do not qualify require no additional action.

Second: check HVCI status. Memory Integrity is not enabled by default on all devices, particularly on machines upgraded from an older version of Windows. In Intune, you can enforce VBS and HVCI via a configuration profile under Endpoint security. Do this before the hotpatch transition to maximise the number of eligible devices.

Third: check existing Autopatch policies for conflicts. Devices assigned to a quality update policy that does not allow hotpatching, or that has a specific update deferral, will not be moved automatically. Review your Autopatch configuration for policy rules that could override the default.

Fourth: prepare the helpdesk for end-user questions. Users will see update notifications without the usual restart prompt, which can raise questions. A brief internal message — updates are applying, no restart required — prevents unnecessary support tickets.

Fifth: configure reporting for hotpatch status. Intune reports show which devices successfully received the hotpatch and which fell back to the LCU. Monitor this actively in the first few weeks to identify whether more devices than expected are not eligible.
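As an added example (not the article's own tooling and not a Microsoft script), the following PowerShell function consolidates the first two checks above and the three hardware requirements into one local eligibility test that can be run on an endpoint or pushed as an Intune remediation script. The function name and report layout are my own; the cmdlets, registry values and the Win32_DeviceGuard class are standard Windows components, and 26100 is the build number of Windows 11 24H2. It assumes an elevated session.

```powershell
# Added example: local check of the hotpatch eligibility requirements described above.
# Run in an elevated PowerShell on the device being assessed.

function Test-HotpatchEligibility {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $checks = [ordered]@{
        # Licensing/edition: Enterprise or Education only; Pro stays on the standard LCU.
        'Edition (Enterprise/Education)' = ($os.Caption -match 'Enterprise|Education')
        # OS version: Windows 11 24H2 is build 26100; older builds fall back to the LCU.
        'Windows 11 24H2 or later'       = ([int]$ver.CurrentBuild -ge 26100)
        'Secure Boot enabled'            = $secureBoot
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
        'VBS running'                    = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
        'HVCI (Memory Integrity) on'     = ($dg.SecurityServicesRunning -contains 2)
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Name)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Edition        = $os.Caption
        DisplayVersion = $ver.DisplayVersion
        Build          = $ver.CurrentBuild
        Eligible       = ($failed.Count -eq 0)
        # Any entry here means the device silently falls back to the full cumulative update.
        FailedChecks   = ($failed -join '; ')
    }
}

Test-HotpatchEligibility | Format-List
```

Exporting the object with `Export-Csv` from a remediation script gives the per-device view of who will fall back to the LCU before the Intune hotpatch reports fill in.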

When does opting out make sense?

Microsoft provides an opt-out option at tenant level via the Autopatch configuration. Opting out makes sense in a limited number of scenarios. Organisations with line-of-business applications that are sensitive to in-memory changes may want to test in a pilot group before the default roll-out proceeds. Environments with strict change management requirements where every change must pass a formal approval process have reason to track the scheduling of hotpatch cycles separately.

However, Microsoft is clear about the intent: the opt-out is designed for specific testing circumstances, not as a general policy. Organisations without concrete objections benefit directly from faster security coverage with fewer reboots — which is precisely what the feature was built to deliver.

Structurally: faster patching as a security strategy

Hotpatching as a default is not an isolated feature but part of a broader strategic shift: minimising the time between a patch becoming available and the active protection of endpoints. In sectors where exploitation of known vulnerabilities is the most commonly used attack vector, that time saving directly affects the risk profile of the organisation.

At the same time, the feature places new demands on the base configuration of endpoints. Organisations that have not yet enabled HVCI should do so now — not only for hotpatching, but because Memory Integrity is a foundational requirement for modern Windows security features such as Credential Guard and Virtualization Based Security more broadly.

Want support checking your Intune and Autopatch configuration, enabling HVCI across your device fleet, or setting up reporting around update compliance? Contact Zarioh for a practical conversation.

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn
