inforcer's Director of Product Innovation, Dan Harris, is joined by Nikita Deshpande and Chris Tulip from Microsoft to explore how Windows Autopatch and Hotpatch modernize Windows servicing by reducing manual intervention, minimizing reboots, and lowering operational overhead.
Explore how Windows Autopatch and Hotpatch modernize Windows servicing by reducing manual intervention, minimizing reboots, and lowering operational overhead.
Dan Harris
That should be everyone rolling in. Good afternoon and good morning to everyone here. We have a really exciting session today with product managers at Microsoft, specifically around Windows Autopatch and Hotpatch.
This is a great opportunity for us and, I hope, for you as well. Last year’s Intune for MSPs initiative gave us a great relationship with Microsoft and access to some really interesting conversations. Today we are joined by the Microsoft team, and we will go into update policies and other Intune areas that are a little different from the security hardening and patching processes we often focus on day to day.
The key thing is that this topic is impactful for end users. It is an opportunity to give people something that makes them more productive, saves time, saves effort and reduces headaches around updating devices.
I am Dan, Director of Product Innovation at inforcer on the product team. With us today are Nikita and Chris. Chris, I will hand over to you first for an introduction.
Chris
Hey folks, my name is Chris. I have worked on Autopatch for around three and a half years, roughly since it started. I work on update-related areas at Microsoft. I have worked on apps, Intune and Windows, so I have been around a few different areas. I will hand over to Nikita.
Nikita
Thank you, Chris, and thank you, Dan. My name is Nikita. I am a PM on the Hotpatch updates team. I joined a year ago, right when Hotpatch became generally available on Windows client, so this call is close to our one-year anniversary. I am here to talk about Hotpatch updates: how to implement them and what feedback we have received.
We will start with a quick clip that captures the essence of Hotpatch.
Nikita
I hope that clip energised you as much as it energises me. It shows that Hotpatch updates help you get security updates without a restart. There are a lot of advantages to that. The clip shows one scenario where someone is working in investment, and timing can make all the difference.
To boil down what this presentation is about, and how this technology can save time, it starts with Hotpatching. Hotpatch gives you the monthly security updates Windows provides without requiring a restart. It does that through a model with baseline updates once a quarter, and then builds on in-memory code for the net new security changes you need each month. Those Hotpatch updates are on par with the standard security updates that require a restart. I will explain what those releases look like and how to compare them later. Please put questions in the Q&A and I am happy to take them at the end.
The key benefits of Hotpatch updates are that you get secure faster. Over the last five or six years, we have seen many security risks and vulnerabilities discovered every day. Microsoft works hard to solve those, and we want customers to reach a high security compliance rate quickly. That applies to large enterprises, small businesses and users at home.
The second benefit is improved productivity. Because you do not need to wait for restarts to get secure, you keep uptime during critical moments and do not need to think about how a restart may affect workflows.
The third benefit is the savings that come from orchestration. Autopatch, and what inforcer can do on top of it, helps manage update policies in a more efficient way.
Nikita
What does this look like for an end user or device? In the demo, there are four screens. We show the Windows Update screen where you can scan for updates, a video playing to simulate performance usage, Command Prompt to check the build version, and CPU usage so we can see whether installation causes a spike.
When the Hotpatch update becomes available and starts to install, we do not see much of a CPU spike. For the end user receiving the security update, there is not really a performance difference. It can be seamless and disruption-free. The video continues without lag, and the build version changes. That is the indicator that an update has been applied, even though the screen did not blink and no restart was required. Unless you had those diagnostic screens open, you would not know the device had just become secure by default.
In the demo, we triggered it manually by selecting Check for updates, but if Hotpatch updates are enabled, that is how PCs will behave twice each quarter, because those updates do not need a restart.
Nikita
We also analyse how quickly we can move organisations towards security compliance. The slide uses real data, anonymised by company. In general, we are seeing that enabling Hotpatch in update policies can help organisations become secure more than 50% faster.
You may ask why immediate security does not mean becoming secure in one day. The reason is that deferral policies and update timing still apply. For example, if you configure policies to roll out a day or two after Windows updates become available, that affects how quickly devices become compliant. But once you reach that window, security updates come automatically if Hotpatch is enabled. We are seeing not just time savings, but significant security wins.
Nikita
Customer feedback has also been strong. Across the board, Hotpatch feels like a no-brainer addition. It is going to become enabled by default for customers using our update system. Enabled by default means there will be less need to manually switch Hotpatch on, and more ways to toggle or check whether you want it on or off in your tenant. With inforcer, you will also be able to look at specific device groups and configure it that way.
Nikita
Let’s talk about the logistics of Hotpatch updates, especially as the enabled-by-default change is coming. In the standard servicing model, once a month you get the whole bundle: features if they are available, non-security updates and the core cumulative security updates.
Once you opt into Hotpatch, a different servicing model applies. There is a quarterly baseline schedule. January, April, July and October are the baseline months. Once a PC gets that baseline update and is opted into Hotpatch, the following two releases are core security updates without a restart. In the example, February and March are Hotpatch months, then April is the next baseline month and includes the standard servicing update. That cycle continues: April baseline, May and June Hotpatch, July baseline, and so on.
The important thing is knowing when restarts still happen. Baseline months still require restarts. Hotpatch months provide core security updates without the restart.
Nikita
Many devices are already eligible for Hotpatch through the required licensing and supported device types. Hotpatch is available on both AMD64 and ARM64. The update cycle is quarterly, with security-only Hotpatch months in between the baseline months.
For required licensing, the supported licences include E3, E5, F3, EU licences, Windows 365 Enterprise and Microsoft 365 Business Premium. I will now hand back to Dan to show how inforcer can help enable and manage this.
Dan Harris
Amazing. Looking at the questions that have come into the chat, one asks whether inforcer can provide more insight into Autopatch status, such as whether it has rolled out successfully. That is something we are working towards. One constraint is API access to get that data out, but the Microsoft team is working on access and availability for those APIs. We have put our asks in, and it sounds like the data we want is coming.
Another question asks whether baseline updates require a reboot and the mid-cycle updates do not. Yes: in the standard servicing model, you typically have one reboot every month, or three per quarter. In the Hotpatch cycle, you have one reboot during the baseline month and two non-reboot security updates in between. That effectively moves you from three reboots to one per quarter.
Another question asks whether Hotpatch requires Windows Enterprise licensing. The answer is no; it also works with Microsoft 365 Business Premium and Windows 11 Business. Nikita also confirmed that this applies from Windows 11 24H2 onwards.
Nikita
Yes, that is correct.
Dan Harris
I will share my screen and show how this looks in inforcer and Intune. In my demo, I have two tenants: a Hotpatch demo tenant and a baseline tenant. They are currently aligned and have no policies.
Before showing the inforcer way, I want to show where you configure this manually. In the Intune admin centre, go to Devices, Windows, Windows updates and then Quality updates. inforcer now supports these quality update policies. You can create a Windows quality update policy and make sure the setting to allow Hotpatch is enabled.
When you get to assignments, you will notice that the usual Add all users or Add all devices buttons are not there. That means you need a group that represents the devices you want to roll this out to. For a typical business with around 100 devices, it can be acceptable to create an all-Windows corporate devices group. You can create a dynamic device group, using a query to include Windows devices that are company-owned. You can get more specific, such as checking for Windows 11 24H2 and above, but for the demo I will keep it simple.
Dan Harris
After creating the group and associating it with the policy, the policy exists in the baseline. The next step is to move that policy through inforcer. In the tenant alignment flow, you can detect that a policy exists in the baseline and deploy it to a destination tenant.
For this specific policy, the impact of rolling it out is relatively low, so I would recommend a one-to-many deployment for many customers. For small organisations without large device counts, you can select multiple customers and deploy the policy. inforcer creates the associated group as part of the deployment, and then assigns it to the policy. That means you do not need to create the group or policy manually in every tenant.
Once deployed, the policy appears in the destination tenant. Any enrolled devices will pick up the policy over the next few hours or day or so, and the Hotpatch policy will start applying directly to those devices.
Dan Harris
If you do not want to configure the policy manually, I recommend using the baselines we are creating ourselves. These are maintained by our technical team, including Roy Kusta, and are available as blueprints.
The blueprints include services by tier, as well as standalone projects. In the Windows projects, including Windows Core and Enhanced, you can see there is already a Hotpatch policy available in the policy library. You can subscribe to that baseline, take the project from our blueprint, put it into your baseline, or deploy the project directly.
You can see what is configured, what each setting means and the kind of information you can copy and paste to customers. By deploying this policy, the associated group is also deployed and linked to the policy, so the whole configuration is managed for you.
Dan Harris
That covers the demo. I will hand back to Nikita and Chris to talk about Autopatch and how that crosses over with Hotpatch.
Nikita
That sounds good. Thank you, Dan, for the walkthrough.
Chris
Thanks for the demo, Dan. It looks really good, and the inforcer product is slick in the way it builds on top of Graph APIs and brings this together.
Another area to look at in Intune is Autopatch. Hotpatch is one of many features of Autopatch, and we talk about it a lot because we love it, but the core value of Windows Autopatch is that it is the way to approve content from Windows Update. It controls which feature updates are deployed, which quality updates are approved and how driver updates are handled.
Windows Update hosts the content. Autopatch sits between Windows Update and Intune, and stores the record that a device is approved for specific content. That then flows down to the device. Feature update policies within Intune use Autopatch as the deployment layer that says which Windows version devices should be on. If a device is not registered and does not have policy applied, it will get the latest content from Windows Update. As an MSP, you can add value by deciding whether the customer is large enough or risk-sensitive enough to manage updates more actively, or whether they simply want Windows Update to handle everything.
Chris
You can choose what to roll out, when and how. Dan showed Windows update ring policies earlier. They are some of the most used and impactful features. These are client policies that live on the device. A common question is how to set up a device to finish updating by a specific time.
You can use a target compliance date, which is the offer date, such as Patch Tuesday plus your deferral, followed by the deadline when the reboot is enforced on the device. You can set up those rings with inforcer today using existing Intune groups and distribution. That lets you deliver a ring-based rollout.
Chris
Safe deployment practices depend on customer size and risk profile. Some customers may have 10 devices, where a ring-based rollout does not make sense. Others may have hundreds or thousands of devices and want more structured control.
The transition from letting Windows Update handle everything to introducing ring-based management often happens around the 100-device mark, but that depends on the industry and risk appetite. A risk-averse organisation may need rings earlier, while a more relaxed organisation may not.
Update rings are the policy in Intune that control target compliance dates. A simple approach is to have test devices first, which could be the IT department or a small representative set of devices. Larger organisations can then use ring one, ring two and ring three. Autopatch groups help with dynamic distribution in the Intune console, though Graph APIs for Autopatch groups are not available yet. Otherwise, you can use dynamic Entra groups or other group assignment methods. Manual assignment is possible, but I would not recommend it.
Each ring should have an update ring policy. Depending on the level of control you want, feature update policies can standardise the Windows version. Driver update policies provide control or visibility over drivers. Quality update policies include Hotpatch today, and more is coming there. The overall framework is to progress content from one ring to the next, starting when the customer has a need to control risk, often around the 100-seat mark.
Chris
There was a question about changing customers from classic update rings to Autopatch. The important point is that classic update rings are Autopatch. We own and maintain that code. Autopatch groups are a feature inside Intune that handles dynamic distribution. There is not a migration between update rings and Autopatch groups because Autopatch groups also create update rings.
Dan Harris
There was also a question about when we will be able to roll out Autopatch groups via inforcer.
Chris
That one is more on me. Autopatch groups do not yet have a Graph API. We have not publicly announced a timeline for those APIs, but we are actively working on them. Dan is on the list of people we want to preview them with, and we are working closely with inforcer to make sure there is a story in that space. The answer for now is stay tuned.
Dan Harris
Neil asked whether the two quarterly virtual patches rely completely on the previous cumulative update that requires a reboot. For example, if the April cumulative update fails, will the May and June virtual updates still apply?
Nikita
I can take a first pass. I am curious what is meant by fails, but I can describe the logic. If a device has been offline and missed the April baseline, then comes back online in June, it will not simply get the June Hotpatch update with no restart. It will first take the April baseline, which requires the restart, and then it can get the May and June Hotpatch updates.
So, if the April update fails, the May and June virtual updates apply only after the April update no longer fails.
Chris
That matches my understanding.
Dan Harris
Rob asked whether it would be possible to change a policy name when deploying to a reference tenant. That is a good point. Today, my recommended workaround is to deploy it to your baseline, log into Intune, find the policy and give it the name you want. It would be good to do that in-product during deployment. It has been discussed, but I do not believe it is currently on the roadmap. I would recommend adding that to the inforcer roadmap site and upvoting it there.
Dan Harris
Another question asked about changing customers from classic rings to Autopatch. Chris has answered that. For extra validation, by enabling Hotpatch you are taking advantage of the same overall Autopatch technology, but I want to make sure I phrase that correctly.
Chris
Hotpatch is a feature of Autopatch. When you create the policy, you are enrolling in quality updates and choosing to receive the Hotpatch update. It does not do anything more complex than that. It tells Windows Update to give the device the Hotpatch update. If you turn it off, it tells Windows Update not to give the device the Hotpatch update.
Dan Harris
There was a question about whether third-party app updates are included in Autopatch or Hotpatch.
Chris
Autopatch covers Windows quality updates, Windows feature updates and driver updates. Those are the three policy types we have within Intune. That is the scope of the service. Autopatch groups also have some basic configuration for Edge and Office, but for Office we actively recommend using the cloud update policies from the Office team.
Dan Harris
Neil also asked whether, when deploying machines via Autopilot, Autopatch will deploy the baseline update and virtual updates, or just one or the other. My assumption is that if a brand-new device comes up in May, Autopilot will try to update to the latest version, then apply the April baseline and subsequently the cumulative security updates through Hotpatch. Nikita, do you know?
Nikita
I would need to verify how Autopilot chooses updates. Chris, do you know?
Chris
Hotpatch likely will not apply during Autopilot because that is when the device ID and Entra ID object are added. There is usually a sync between the device being added in Entra, then Entra moving that device into a group, then Intune detecting that group and applying the Hotpatch policy. So, for quality updates during Autopilot, it is still one of the quality updates that requires a reboot. We are talking with the Autopilot team about this, but that is the current answer.
Dan Harris
Ross asked: if the April patch keeps failing, can you temporarily opt out to get the rebootable patches for May and June, and then re-enrol afterwards?
Nikita
Yes. I hope that scenario does not happen, but you can find the quality update policy you set up, toggle Hotpatch off, and if that is before the update would apply, you will get the relevant restart-required standard update until you re-enrol.
The caveat is that, because of the baseline update model, if you opt out and then opt back in later, there may be a long lead time before the next Hotpatch applies. For example, if you opt out and then re-enrol in August, August is a Hotpatch month that relies on the July baseline. Since you were not opted in during that baseline window, devices may get restart-required standard updates in August and September, then the October baseline, and then resume Hotpatch in November. You can opt out, but be aware that Hotpatch may not resume immediately depending on where you are in the baseline calendar.
Dan Harris
There was a question about whether there will ever be an Update now function in Autopatch, because sometimes it takes a while and you do not know the live status. That feels like something where part of the answer is Microsoft and part could be inforcer surfacing a button if an API exists.
Chris
That is a valid ask. Autopatch handles approvals, but the critical part is the device talking to Windows Update, which pulls down and installs the content. You can force a device to check in using local scripting, so there are ways to trigger a sync and download. Autopatch reporting has an SLA of around four hours, with most client-to-cloud changes coming through faster than that, but the device may be offline or in another state.
There is no button today. There is a workaround through command-line scripting that can be deployed, but it is not currently one of the top asks.
Dan Harris
That makes sense, especially where there are compliance requirements and a last-minute audit. Being able to push devices to check in faster could be valuable.
Dan Harris
Another question asks whether Cloud Update for Office will be available in Intune or a different portal than config.office.com.
Chris
The short answer is that it is not currently on the Intune roadmap. We explored what that experience could look like, but it would be expensive for Intune to deliver. The Office configuration space and Intune are separate, and crossing those product boundaries can be challenging. Cloud Update is a good product, and it is what we recommend for Office updates.
Dan Harris
I do not think I have seen that on the inforcer roadmap yet, but it sounds like a good suggestion to add. It would be valuable as we go deeper into the update space.
Dan Harris
Before we wrap up, Chris, what would you recommend for rolling out Hotpatch and Autopatch as a whole? If you are taking an organisation and considering rolling it out to everyone, what thresholds feel acceptable, and when should someone pause and take a ring-based approach?
Chris
For Hotpatch, my recommendation is simply to turn it on. It decreases the number of reboots, gets devices secure faster and has a strong value proposition.
For Autopatch and update management more broadly, until you are around a 50- or 60-person organisation, I would generally let Windows Update do its thing unless there is a strong reason to stay on a specific Windows version. When you get into the 50 to 150 range, that is where I often see organisations start enforcing specific Windows versions through feature update management.
Around 100 people and above, update rings start to show up. Generally, that begins with a test ring and one additional ring. As the organisation gets larger, you add more rings and become more cautious. There is not much value in a test ring unless it has at least 20 or 30 people, because otherwise you may not catch issues caused by hardware diversity.
As you get bigger, add more rings, but do not take that to an extreme. I have seen customers with far too many rings. Generally, fewer than 10 rings is fine, even up to around a thousand people, depending on the environment. You can also turn on driver visibility at any time through an automatic policy, then manually approve newer drivers if needed. That part is optional.
Dan Harris
Thank you, Chris. I learned a lot today, and I hope everyone else has too. Zooming out, this is exactly the kind of policy we like to represent to the SMB. We can sometimes get fatigued by security, especially when a new policy might cause disruption. But this is something where you can ask customers whether they like rebooting their computer every month. Most people will say no.
This gives them time back and shows that we are not just pushing security updates for the sake of it. We are considering their day-to-day work and trying to make them more productive and effective. Technologies like this, alongside Autopilot, are there to improve efficiency and productivity. As we increase our policy depth and see more Microsoft changes like this, I would love to see more partners deploying these capabilities.
Dan Harris
A few more questions have come in. One asks where to see upcoming inforcer webinars. You will receive email communications from our teams, and the Partner Success team often reaches out. They are also available on docs.inforcer.com under on-demand and upcoming content.
Another question asks whether NinjaOne RMM controlling Windows patch deployment would be compatible with Hotpatch. I do not know for certain, but as far as I know it should be fine unless NinjaOne is using a WSUS server. As long as the device is pointed at Windows Update and has the right policy, it should work.
Dan Harris
One more asks whether Hotpatch includes only the cumulative update or whether .NET is also included.
Chris
.NET security updates are delivered quarterly and align with baseline months to avoid extra reboots. They are generally delivered as separate content streams through Windows Update, and Microsoft has tried to minimise the overall impact of .NET updates. Out-of-band .NET updates can still happen.
Dan Harris
This is not the last time we will do something like this. I love bringing the inforcer product team together with the Microsoft product team, giving us a chance to learn together, educate each other and build new ideas. I have definitely picked up ideas from the chat today.
Chris and Nikita, I hope you have taken some useful feedback as well.
Chris
Absolutely. Please keep in touch. I spend a lot of time with giant enterprise customers, so I love hearing from the full spectrum.
Dan Harris
Amazing. If there are no further questions, thank you everyone for making the time today. Stick around for more sessions like this, have a great rest of your week, and we will see you later.
Nikita
Thank you all so much.
Chris
Cheers.