Hotpatching goes default in Windows Autopatch whether you like it or not
- Reference: 1773229419
- News link: https://www.theregister.co.uk/2026/03/11/microsoft_hotpatching/
The change starts with the May 2026 Windows security update, and controls to opt out will be available from April 1.
[1]According to Microsoft, the company has "changed the game" with the launch of [2]hotpatch updates. The feature installs security updates without requiring a restart, meaning changes take effect immediately. The process does require one baseline update with a restart to kick things off. However, after that, hotpatch updates install silently, with no reboot needed. That said, every quarterly baseline update still demands a restart.
Windows Autopatch manages the rollout of updates across an organization. It uses "testing rings" – sample device groups – to roll out updates progressively and halt or reverse them if problems emerge.
Enabling hotpatch by default from May 2026 won't override existing policies. Microsoft states that "Windows Autopatch respects your configuration of quality update policies," meaning update deferrals and ring settings still apply.
However, on any device that meets the prerequisites (running Windows 11 24H2 or later, using an eligible license, and with the April 2026 security update installed), hotpatch updates will start rolling in automatically.
[6]Microsoft's 'atypical' emergency Windows patches are becoming awfully typical
[7]Microsoft dials up the nagging in Windows, calls it security
[8]Microsoft finally gets around to fixing Windows 10 Recovery Environment after breaking it in October
[9]Hasta la vista! Microsoft finally ends extended updates for ancient Windows version
Microsoft's recommendation is, unsurprisingly, to leave hotpatch updates enabled. It argues that "hotpatch updates are the quickest way to get secure."
Administrators who need more time before the change happens (less than two months isn't a lot of notice) or want to stick to the previous patching method can opt out at the tenant level or via a policy for a group of devices.
Microsoft has had a rocky start to the year on the update front. Its ring-based deployment strategy does not limit the blast radius when something goes wrong, and making hotpatching the default adds another variable that could produce unexpected consequences.
Administrators who prize tight control over their environments won't love this change, which makes the tenant-level and policy-level opt-outs genuinely welcome additions. The compressed timeline is harder to defend. ®
[1] https://techcommunity.microsoft.com/blog/windows-itpro-blog/securing-devices-faster-with-hotpatch-updates-on-by-default/4500066
[2] https://learn.microsoft.com/en-gb/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates
[6] https://www.theregister.com/2026/02/02/microsoft_quality_control/
[7] https://www.theregister.com/2026/02/10/microsoft_windows_security/
[8] https://www.theregister.com/2026/03/06/microsoft_finally_gets_around_to/
[9] https://www.theregister.com/2026/01/14/microsoft_calls_time_on_the/
What could possibly go wrong?
M$ taking control of updates now.
Excuse me if I think that this is going to screw up or even brick machines given M$'s recent record of updates.
Unbelievable
So how long till the baddies work out how to fake a hot patch?
How could anyone think this was a good idea?
"controls to opt out will be available from April 1."
Given that date, I wouldn't bank on it.
"Sorry about that. That was just our little joke."
Re: "controls to opt out will be available from April 1."
Indeed. As the French might say, there's something fishy about choosing that date.
"completely stable" er yeah ok, Micro$lop...
I'm so glad
that my personal systems are macOS and Ubuntu, except for a Win10 laptop, a Win7 desktop, and a WinServer 2008 R2 machine due to be decommissioned Real Soon Now.
I predict Fun Times Ahead. So... which will get borked first: printing? Network access? Security? Why not all three? (Note: assorted Patch Tuesday 'updates' over the last 18 months have broken all three. In several cases, MS has broken stuff twice.)
Get out your popcorn, lads and lasses.
The quickest way to get secure is to ditch Microsoft. Hurry!
Yawn. Stable, quickly applied and, apart from the occasional reboot at your convenience, rebootless patches have been the norm for years hereabouts. Not auto-applied, although they could be.
Providing the stable bit can be managed it will be a great relief for Microsoft's customers to have their vendor finally catch up after all this time.
Not if you are in any way responsible, they're not.
"running Windows 11 24H2 or later"
Phew, lucky escape there! I'm still on Win 10 LTSC and have no intention of ever downgrading to the shitshow that is Windows 11.
The compressed timescale
Would indicate that they have some patches that need to be installed Really Quickly, and are so important that they need to apply maximum friction to any attempt to not install them.
So, pick your story:
- A need to force an update for an M$ internal reason - prevent piracy, enable telemetry, install some non-removable patch, prevent Surfaces being rooted
- There's a screamingly awful security hole, that will blow the Windows ecosystem out of the water. Everybody needs to install it, or nobody will be safe
- Some nice chaps in black suits with curly earpieces called, and made it very clear that a change is needed for National Security(TM)
Re: The compressed timescale
Don't forget this one... MS desperately needing to get a commercial return on AI investments, so forcing Even More CoPilot down everyone's throat, additional subscription requirements, ever more ingenious ways to make it really hard to opt out of subscription services.
From the department of "what could possibly go wrong?"
You're not wrong there!!
Understandably most OS owners and operators will be jumping for joy at the prospect of completely stable and no risk patches being auto applied......
As you say What Could Possibly Go Wrong!!!