Hotpatch for Windows 11 lets security updates install and take effect without a device restart — same security coverage as a standard cumulative update, just without the reboot. But it doesn't fire every month. The cycle runs quarterly: three months of hotpatch updates, then a baseline month where a full cumulative update lands and a restart is required. June 2026 is one of those baseline months. So is July.
The 2026 hotpatch calendar
Hotpatch follows a predictable quarterly rhythm. Here is the full 2026 schedule based on Microsoft's official release notes:
| Month | Update type | Restart required | KB |
|---|---|---|---|
| January 2026 | Baseline | Yes | KB5074109 |
| February 2026 | Hotpatch ✓ | No | KB5077212 |
| March 2026 | Hotpatch ✓ | No | KB5079420 |
| April 2026 | Baseline | Yes | KB5083769 |
| May 2026 | Hotpatch ✓ | No | KB5089466 |
| June 2026 ← now | Baseline | Yes | KB5094126 |
| July 2026 | Baseline | Yes | TBC |
| August 2026 | Hotpatch resumes ✓ | No | TBC |
| September 2026 | Hotpatch ✓ | No | TBC |
| October 2026 | Baseline | Yes | TBC |
Source: Windows Autopatch — Hotpatch updates (Microsoft Learn)
What hotpatch actually is
Hotpatch updates contain the same security content as a standard monthly cumulative update (the B-release). The difference is delivery: hotpatch patches the in-memory code of running processes, so the security fix takes effect immediately — no reboot required to flush and reload. Package sizes are also significantly smaller than standard LCUs, which means faster download and less network impact across a large fleet.
On baseline months, a standard cumulative update installs normally and a restart is required. Baseline months establish the updated code on disk that the next three hotpatch months will patch in memory.
Prerequisites — all must be met
| Requirement | Detail |
|---|---|
| Licence | Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, or Windows 365 Enterprise |
| OS version | Windows 11 24H2 or later — earlier versions are not eligible and get the standard LCU |
| Management | Microsoft Intune with Windows Autopatch, quality update policy with hotpatch enabled |
| Baseline | Device must be on the latest quarterly baseline update before hotpatch months begin |
| VBS | Virtualization-based Security must be running — if VBS is off, the device falls back to LCU automatically |
Arm64 devices — one extra step
Hotpatch works on Arm64 devices (Surface Pro X, Copilot+ PCs, etc.) but requires CHPE (Compiled Hybrid PE) to be disabled first. Set this via registry or the DisableCHPE CSP:
# Registry path to disable CHPE for hotpatch on Arm64
# Set HotPatchRestrictions = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"HotPatchRestrictions"=dword:00000001
# Or deploy via Intune OMA-URI:
# ./Vendor/MSFT/Policy/Config/WindowsUpdate/DisableCHPE
# Value: 1Why a device might not be hotpatching
If your eligible devices are not receiving hotpatch updates when they should be, check these in order:
| Autopatch alert | Meaning | Action |
|---|---|---|
| Hotpatch — Baseline missing | Device is behind on the quarterly baseline — will get a full LCU and restart first | No action — self-corrects after baseline installs |
| Hotpatch — OS not compatible | Device is on Windows 11 23H2 or earlier | Upgrade to 24H2 or later |
| Hotpatch — VBS not running | Virtualization-based Security is disabled on the device | Enable VBS (requires restart to take effect) |
You can verify hotpatch is active on a device using Event Viewer:
# Check if AllowRebootlessUpdates is active in Event Viewer
# Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient > Operational
# Look for events confirming hotpatch application without restart
# PowerShell: check VBS status
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).VirtualizationBasedSecurityStatus
# 2 = Running (hotpatch eligible)
# 0 = Off (hotpatch will not apply)Hotpatch quality update report
Track hotpatch compliance across your fleet in Intune:
Intune admin center → Reports → Windows Autopatch → Windows quality updates → Reports tab → Hotpatch quality updates
The report shows per-policy counts for: Up to date, Hotpatched, Not up to date, In progress, Not ready, and Paused. Data refreshes every 4 hours.