How hotpatch updates help keep Windows 11 secure by design



 Windows IT Pro Blog:

Windows hotpatch updates allow you to adopt a secure-by-design and secure-by-default approach to keeping Windows 11 protected and productive. The security architecture advantage behind hotpatch updates helps you support continuous protection, accelerate patch compliance, and reduce operational disruption. And since hotpatch updates will be enabled by default across Windows Autopatch for eligible devices in May 2026, you might wonder how this makes your environment even more secure by default.

How hotpatch updates reflect Windows security by design

In Microsoft's overarching security-by-design philosophy, security comes first when designing any product or service. Hotpatch updates embody this philosophy.

These are the same security fixes that are part of monthly security updates (also known as “B” releases). The distinction is that they get installed without requiring a restart. Hotpatch updates help you:
  • Reduce downtime for frontline devices, VDI sessions, IT-managed shared PCs, and high uptime systems.
  • Shrink your vulnerability window (i.e., the time between patch availability and full deployment).
  • Improve update compliance rates automatically.
Note: Hotpatch updates only apply to devices that meet the prerequisites and receive updates managed by Windows Autopatch. Otherwise, no action is needed. Ineligible devices continue to patch the same way they do today.

How hotpatch update prerequisites strengthen your security baseline

Hotpatch update readiness is built on Windows security capabilities that help ensure that devices are in a trusted state before updates are applied.

The key prerequisite is virtualization-based security (VBS) - a foundational Windows 11 security feature and the core requirement for hotpatch updates at scale. VBS (also known as core isolation) uses hardware virtualization to run a secure kernel alongside the OS in a hypervisor-isolated environment. This separation means that, even if the main OS is compromised, the secure kernel remains protected. For hotpatch updates, VBS provides the trusted environment needed to safely update running kernel code.

Hotpatch updates also require modern Windows 11 hardware that supports VBS. Protections like silicon-rooted security and firmware integrity further strengthen the trusted foundation in which VBS operates. This way, hotpatch updates apply only to devices with an already robust security baseline. In other words, devices that receive hotpatch updates are already trusted and well-protected - reducing risk and strengthening your security posture.

Operational governance through existing update frameworks. Hotpatch updates are delivered using the same Windows Update and Windows Autopatch mechanisms you already manage today. Clean integration of hotpatch updates into existing update rings and policies helps ensure consistent rollout, predictable compliance, and centralized, cloud‑managed enforcement - without introducing a new update model to govern. This means you get the benefits of hotpatch updates with no disruption to your current update processes or compliance reporting.

How hotpatch updates fit into the Windows chip-to-cloud security model

Security by design spans from chip to cloud. Hotpatch technology reflects this broader architectural framework in its prerequisites and functionality, designed to keep devices secure end-to-end. Let's take a look at the hardware (chip) layer, the operating system (OS) layer, and the cloud and identity layer of the same chip-to-cloud trust chain you already manage.

Hardware/chip layer. Hotpatch updates are supported only on modern, secure silicon configurations (including Arm64), helping ensure that updates apply on hardware with:
  • TPM 2.0
  • UEFI Secure Boot
  • Measured and trusted boot pathways
This way, the OS environment being patched is already hardware-rooted and trusted.

OS layer. Hotpatch update readiness guidance links directly to VBS, which is core to Windows 11 OS-level protections. These OS-level safeguards help you:
  • Protect sensitive processes from tampering.
  • Enforce strong code integrity.
  • Create a trusted foundation for in-memory patching.
Hotpatch updates use this secure architecture, updating protected code paths while keeping the OS running.

Cloud/identity layer. Hotpatch updates use the same trusted channels as Windows Update. They're managed through:
This helps ensure that your patches come from a secure, authenticated cloud source and adhere to your compliance and deployment policies.

Hotpatch updates use the full chip-to-cloud trust chain, so every update is delivered and applied with end-to-end security.
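The hardware and OS prerequisites above (VBS/core isolation, TPM 2.0, UEFI Secure Boot, supported edition and architecture) can be checked on a device before enrolment. The following read-only readiness script is an added example, not code from the blog post or from Windows Autopatch; it assumes an elevated PowerShell session on Windows 11 and reports each prerequisite rather than guessing at Autopatch eligibility.

```powershell
# Added example (not from the blog post): report the hotpatch prerequisites named on
# this page. Read-only; run in an elevated PowerShell session (Win32_Tpm needs admin).
function Get-HotpatchReadiness {
    [CmdletBinding()]
    param()

    # VBS state from the DeviceGuard CIM class:
    # VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM firmware; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM presence and spec version (SpecVersion starts with "2.0" on TPM 2.0 parts).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # OS edition and version are reported, not judged: which editions and versions are
    # hotpatch-eligible is an Autopatch policy question, so leave that decision to the admin.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion

    [PSCustomObject]@{
        Edition        = $os.Caption
        DisplayVersion = $ver
        Architecture   = $env:PROCESSOR_ARCHITECTURE   # AMD64 or ARM64
        VbsRunning     = $vbsRunning
        HvciRunning    = $hvciRunning
        SecureBoot     = $secureBoot
        Tpm20          = $tpm20
        # True only when every hardware/OS prerequisite named on the page is satisfied.
        HardwareReady  = ($vbsRunning -and $secureBoot -and $tpm20)
    }
}

Get-HotpatchReadiness | Format-List
```

A device reporting HardwareReady = False still patches through the normal restart-based monthly update, as the note under the prerequisites says; the script only tells you which prerequisite is missing.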

How hotpatch updates reflect Windows security by default

Microsoft's Secure Future Initiative defines security as protections that are enforced by default and require no extra effort. The Windows 11 security posture, rooted in stronger defaults and continuous innovation, reinforces the security-by-design principles.

Hotpatch updates have always been designed with security at the core, and until now have been an opt-in feature. With the May 2026 security update, Windows Autopatch will enable hotpatch updates by default at the tenant level to help organizations get secure quicker. This change in default behavior is designed to reduce patch friction while keeping your existing update governance intact. Importantly, it doesn't override the controls you already use and comes with new controls to opt out until you're ready.
  • The default tenant setting is only applied to devices that aren't members of a quality update policy.
  • Windows Autopatch continues to respect the preferences you've set for deferrals and update ring settings.
  • Starting April 1, 2026, you can also opt out of this new default behavior at the tenant or device group level. Learn more at Securing devices faster with hotpatch updates on by default.
With hotpatch updates enabled by default, you're secured with Windows security updates during each hotpatch release month, with no additional steps. In addition, critical security out-of-band (OOB) updates can also be delivered as hotpatch updates. This automatically secures you against the threats addressed by the OOB update, and your organization is protected faster, with less effort and fewer manual steps.

Alignment with security best practices

Enrolling in hotpatch updates automatically aligns your devices with Microsoft security best practices. Enroll devices in Windows Autopatch before May, if you haven't yet, and you'll start getting these updates enabled by default! These latest innovations in monthly servicing help keep your environment on a higher-trust, chip-to-cloud–aligned security baseline.

Embrace security by default with hotpatch updates that reduce user downtime and restart-driven tickets, improve update compliance, and shorten vulnerability exposure.

Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.

Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.

I wonder if crapalot (oops copilot) can summarise this into something understandable instead of excessive buzzwords and meaningless rhetoric.

I wonder if crapalot (oops copilot) can summarise this into something understandable instead of excessive buzzwords and meaningless rhetoric.
Are you kidding? This post was written by CoPilot and probably sent out with human review.

Putting aside all the buzzwords, how does that affect me as Joe Schmuck EndUser?

Are you kidding? This post was written by CoPilot and probably sent out with human review.

Putting aside all the buzzwords, how does that affect me as Joe Schmuck EndUser?
First the blog post is for enterprise IT admins and managers and architects. Microsoft's highly technical articles have typically been long and detailed long before AI was invented.

Can you prove that AI wrote this, and if it did, who cares?

Hotpatching is only supported on Windows 24H2 Enterprise, Education and Server (for now), with the right volume licenses.

Until it rolls down to retail Pro... you can ignore the marketing hype. It will be a number of years before it shows up for the desktop.

First the blog post is for enterprise IT admins and managers and architects. Microsoft's highly technical articles have typically been long and detailed long before AI was invented.

Can you prove that AI wrote this, and if it did, who cares?

I was just being snarky. A (very small) bit of payback for the long list of Win 11 frustrations.
