Intune/Patching query...
Our team (Win11 24H2) have a Windows Update Ring applied through Intune to configure the OS on our devices for 'Windows Insider Release - Preview'. This was working a treat and we were receiving preview OS patches each month before they were released into Retail Channel (all our other devices) on Patch Tuesday... until... we applied a Quality Updates policy through Intune enabling Windows Hotpatch. Since this was applied, we receive the 'Hotpatch capable' patches each month, but not the preview patches. Is this expected behaviour? We're hoping it just affects Quality Updates (monthly OS cumulatives) and not feature updates as 25H2 is due for preview release next month, or at least it has been May for the last few years.
We are also in the process of enabling Windows Autopatch and trying to ascertain how it all fits together, and Hotpatch is part of that as well.
We like the idea of Hotpatching: 8 months of the year devices receive the security updates with not only a much smaller file size, but without the need for devices to reboot in order to be fully protected, which is much less annoying for the end users. The other 4 months they get the usual monthly cumulative patch, which does still require a reboot to finalise.
- EricMoe, Apr 17, 2025 (Microsoft)
There are a couple of things that you mention in your comment/question so I'll try to address them separately.
For devices that have configured the "Get the latest updates as soon as they're available", this will configure them to receive the "D" release. Once a device receives a "D" release, it's off the Hotpatching cycle for the quarter. Hotpatching only updates devices that have the baseline "B" release, so once you install the "D" release, you will not receive a Hotpatch the next month.
For devices in Windows Insider Preview channels, as they get updates, if the update is hotpatch-capable and applies to the device (it has received the B baseline update and has only received hotpatches since then) it should continue to get hotpatching. There is nothing in the Quality Update policy to receive hotpatches that should turn off receiving the "D" release. Those are managed separately from one another.
Hotpatching does not involve Windows 11 Feature Updates.
We like the idea of hotpatching too!
- nlmitchell, Apr 17, 2025 (Iron Contributor)
Thanks for coming back to me.
Devices within our team have an Update Ring policy stating Windows Insider Preview Channel and patch ASAP. These devices have been receiving the '2025-xx Cumulative Update Preview for Windows 11.......' patches - "D" release.
When we applied the Hotpatch Quality Update policy to them (with the above one still applied also), they no longer receive the Preview patches (D), only the Hotpatch stuff - "B" release. So it does seem that it's overridden the devices receiving the D Release patches.
I like the idea of hotpatching and really want to adopt the approach, obviously only for Win11 24H2. Device estate approx 5,500 - 500 devices are 24H2 and one good selling point to move the others to 24H2 (scheduled in a couple of weeks) is to bring along Hotpatching as well - just want to make sure I've got it right.
And there's how we integrate everything with Autopatch, more reading needed on my part on that one :-)
- EricMoe, Apr 17, 2025 (Microsoft)
File feedback with the Windows Insider Preview program on this behavior as this does not align with how it behaves on our GA channel. I'll try to repro too and submit feedback if I see the same.
- CaseyB, Apr 17, 2025 (Iron Contributor)
To tag onto this comment -- for Autopatch, after we activate that in Intune, there is no impact from activation -- we need to populate the groups for Autopatch, before anything would be triggered from a patch perspective? We use Update Rings today and looking at doing some testing with Autopatch -- any suggestions on the best approach for that?
- EricMoe, Apr 17, 2025 (Microsoft)
Hi CaseyB,
Start here: Manage Windows Autopatch groups | Microsoft Learn which will walk through how to use and manage Autopatch groups. If you already had Windows Update for Business rings configured, those remain. You can elect to move devices into new rings, or continue using those existing rings. We are trying to reduce the barrier of entry as much as possible.
One of the biggest advantages of using Autopatch Groups is that you can dynamically allocate devices across rings using percentages of a parent group. You don't need to define the group membership explicitly for every ring. That helps reduce admin overhead and makes management long-term a lot easier.