APIs required to automate Windows 11 Hotpatch testing using Intune

Girish Balekate Ramachandra 45 Reputation points
2026-03-12T11:01:51.9633333+00:00

We are working on automating Hotpatch update validation for Windows devices managed through Microsoft Intune.

Specifically, we want to automate testing of Windows 11 Hotpatch updates on a small set of test devices before wider deployment.

The goal is to perform the entire workflow using Microsoft Graph API rather than manually performing actions through the Intune portal.

Planned automation workflow

  1. Assign a Windows device to a Hotpatch test group
  2. Apply or update the Windows Update policy (Hotpatch / Windows Update for Business policy)
  3. Trigger a device sync
  4. Force the device to check Windows Update
  5. Install eligible Hotpatch updates
  6. Monitor update installation status and compliance through APIs

Questions

What Graph API endpoints are recommended to implement the above workflow for Hotpatch update testing?

Are there APIs available to programmatically trigger a Windows Update scan on an Intune-managed device?

Is there any API that allows initiating update installation or Hotpatch application on demand?

Which APIs should be used to monitor update installation status and compliance for Hotpatch updates?

Are there any recommended best practices or reference architectures from Microsoft for automating Hotpatch validation pipelines using Intune APIs?

Any guidance on the set of APIs or workflow recommended by Microsoft to automate Hotpatch testing using Intune would be helpful.

Microsoft Security | Intune | Updates

1 answer

  1. AI answer

    2026-03-12T11:02:25.49+00:00

    The Windows Autopatch and Windows updates APIs in Microsoft Graph are used to automate hotpatch-related workflows with Intune-managed devices. Hotpatch is surfaced as part of Windows quality updates and is controlled and monitored through the Windows Autopatch surfaces (Intune UI or Graph).

    Below is the mapping of the planned workflow to the relevant API areas, based on the available documentation.

    1. Assign a Windows device to a Hotpatch test group

    Use Windows Autopatch enrollment and grouping concepts:

    • Enroll devices into Windows Autopatch and associate them with the appropriate Autopatch group or policies using the Windows updates API in Microsoft Graph (admin/windows/updates).
    • Windows Autopatch groups and policies (quality updates, feature updates, driver/firmware, update rings) are managed via Intune or Graph; devices in those groups can then receive hotpatch-enabled quality updates.

    Relevant API surface:

    • admin/windows/updates (Windows updates API in Microsoft Graph beta) for:
      • Device enrollment into Autopatch
      • Managing deployment audiences
      • Managing quality update policies and deployments

    Reference:

    • Windows Autopatch programmatic controls for quality, feature, and driver/firmware updates describe how to enroll devices, create deployment audiences, and manage deployments via Graph.

    2. List hotpatch-capable quality updates (catalog)

    To identify hotpatchable quality updates:

    • Use the Windows Autopatch catalog API and filter for hotpatch updates.
    • The qualityUpdateCatalogEntry resource represents quality updates.
    • Hotpatch updates are identified by "isHotpatchUpdate": "true" on the product revisions.

    Example (from documentation):

    GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?
      $top=1&
      $filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') 
        and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true 
        and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions/any(p:p/isHotpatchUpdate eq true)&
      $expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&
      $orderby=releaseDateTime desc
    

    This returns quality updates whose product revisions include hotpatch updates.

    3. Create deployment audience and target test devices

    To define the test group and associate content:

    • Create a deployment audience:
    POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences
    Content-Type: application/json
    
    {}
    
    • Add devices (or device groups) as members of that deployment audience using the Windows updates API (pattern is documented in the feature updates and driver/firmware programmatic control articles: identify devices, enroll them, then add them as audience members).

    Relevant API concepts:

    • deploymentAudiences under admin/windows/updates
    • Audience membership operations (add/remove members) as shown in the feature update and driver/firmware programmatic control flows.

    4. Approve and schedule hotpatch quality updates for the test audience

    Use the Windows Autopatch programmatic controls for Windows quality updates:

    • List catalog entries for expedited or standard quality updates.
    • Create a deployment that references the chosen quality update catalog entry and the deployment audience.
    • Configure scheduling and rollout behavior in the deployment or associated policy.

    The quality update programmatic controls article describes:

    • Listing catalog entries for expedited updates
    • Creating a deployment
    • Adding members to the deployment audience
    • Deleting a deployment

    The same Windows updates API surface is used for hotpatch-capable quality updates; hotpatch is determined by the catalog entry/product revision metadata (isHotpatchUpdate).

    5. Trigger device sync / Windows Update scan / on-demand installation

    From the provided context, there is no documented Graph API to:

    • Programmatically trigger a Windows Update scan on an Intune-managed device, or
    • Directly initiate on-demand installation of a specific hotpatch or quality update on a device.

    The documented model is:

    • Devices are enrolled and targeted via deployment audiences and policies.
    • Windows Autopatch and Windows Update client handle scan and installation according to policy and deployment configuration.

    The prerequisites sections emphasize:

    • Required permissions (WindowsUpdates.ReadWrite.All, Device.Read.All).
    • Required Windows Update and Graph endpoints that devices must reach.

    But they do not describe an API to force an immediate scan or install beyond creating deployments and assigning devices.

    6. Monitor update installation status and compliance for hotpatch

    Monitoring is done via Windows Autopatch reporting, including hotpatch-specific reporting in Intune:

    • In the Intune admin center, the Hotpatch quality updates report shows:
      • Total targeted devices
      • Current update states of all hotpatch-enabled devices

    Navigation:

    1. Intune admin center → Reports
    2. Under Windows Autopatch, select Windows quality updates
    3. On the Reports tab, select Hotpatch quality updates report

    For API-based monitoring:

    • Use Windows updates API (admin/windows/updates) to query deployment status and device states for quality update deployments.
    • The same API surface used for deployments (quality, feature, driver/firmware) supports querying deployment and device status; this is the programmatic counterpart to the Intune reporting views.

    Additionally:

    • Windows Autopatch reporting for quality and feature updates is available once devices are members of a policy. Client devices reflect changes in under four hours, and device alerts help identify issues preventing updates.

    7. Best practices / reference patterns for automated hotpatch validation

    From the available documentation, the recommended pattern for automation is:

    1. Ensure all Windows Autopatch prerequisites are met (including Update Health Tools where required for expedited updates).
    2. Use Windows updates API (admin/windows/updates) with WindowsUpdates.ReadWrite.All and Device.Read.All permissions.
    3. For a hotpatch validation pipeline:
      • Identify and enroll test devices into Windows Autopatch.
      • Create a dedicated deployment audience for hotpatch testing.
      • Query the catalog for hotpatch-capable quality updates (isHotpatchUpdate on product revisions).
      • Create a quality update deployment targeting the test audience.
      • Monitor deployment and device status via Windows updates API and/or Intune’s Hotpatch quality updates report.
      • After validation, expand the deployment (or create a new deployment) to broader audiences.
    4. Use Autopatch groups or update policies in Intune to control rollout strategy and target compliance dates, and enable hotpatching to get devices secure as fast as possible.

    The programmatic control articles for feature updates, expedited quality updates, and driver/firmware updates collectively illustrate the end-to-end pattern:

    • Open Graph Explorer / use Graph SDK
    • Identify devices
    • Enroll devices
    • Create deployment audiences
    • List catalog entries
    • Create deployments
    • Add audience members
    • Pause or delete deployments
    • Unenroll devices

    This same pattern applies when the catalog entries are hotpatch-capable quality updates.


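The catalog query, audience creation and deployment steps the answer lays out, as an added Python example that is not part of the answer or of Microsoft's documentation: `hotpatch_catalog_url` reproduces the quoted query, `hotpatch_revisions` picks the hotpatch revisions out of a constructed sample response, and `run_validation` issues the audience, membership and deployment calls through a caller-supplied `send`. The `updateAudience` action, the `azureADDevice` member type and the deployment body are assumptions about the Windows updates beta API, and authentication (a token carrying WindowsUpdates.ReadWrite.All) is left to the transport.

```python
"""Added example for the hotpatch validation flow in the answer above: catalog query, audience,
membership and deployment calls against admin/windows/updates (Windows updates beta API)."""
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/beta/admin/windows/updates"
QUC = "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry"
SAFE = "$()':/,"  # keep OData punctuation readable in the encoded query string

SAMPLE_CATALOG = {"value": [{  # constructed sample shaped like a catalog/entries response
    "id": "CONSTRUCTED-ENTRY-0001", "releaseDateTime": "2026-03-10T00:00:00Z",
    "productRevisions": [
        {"id": "CONSTRUCTED-REV-A", "displayName": "constructed hotpatch", "isHotpatchUpdate": True},
        {"id": "CONSTRUCTED-REV-B", "displayName": "constructed baseline", "isHotpatchUpdate": False},
    ]}]}

def hotpatch_catalog_url(top=1):
    """Build the catalog query the answer quotes: expeditable quality updates with a hotpatch revision."""
    params = {
        "$top": top,
        "$filter": (f"isof('{QUC}') and {QUC}/isExpeditable eq true "
                    f"and {QUC}/productRevisions/any(p:p/isHotpatchUpdate eq true)"),
        "$expand": f"{QUC}/productRevisions",
        "$orderby": "releaseDateTime desc",
    }
    return f"{GRAPH}/catalog/entries?{urlencode(params, safe=SAFE)}"

def hotpatch_revisions(catalog_response):
    """Return (catalogEntryId, revisionId, displayName) for every hotpatch product revision."""
    found = []
    for entry in catalog_response.get("value", []):
        for rev in entry.get("productRevisions", []):
            if rev.get("isHotpatchUpdate") in (True, "true"):  # answer quotes "true"; API sends a boolean
                found.append((entry["id"], rev["id"], rev.get("displayName", "")))
    return found

def run_validation(send, device_ids, catalog_entry_id):
    """Answer steps 3 and 4: create the test audience, add the test devices, create the deployment.
    send(method, url, body) is a caller-supplied authenticated transport returning parsed JSON."""
    audience = send("POST", f"{GRAPH}/deploymentAudiences", {})
    members = [{"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", "id": d}
               for d in device_ids]  # Entra device object IDs, not Intune managedDevice IDs
    send("POST", f"{GRAPH}/deploymentAudiences/{audience['id']}/updateAudience",
         {"addMembers": members})  # assumed action and member shape for audience membership
    deployment = send("POST", f"{GRAPH}/deployments", {  # assumed body: content plus existing audience
        "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
        "content": {"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
                    "catalogEntry": {"@odata.type": f"#{QUC}", "id": catalog_entry_id}},
        "audience": {"id": audience["id"]}})
    return audience["id"], deployment["id"]
```

Because `send` is injected, the same driver can be pointed at a recording stub for a dry run of the pipeline before any request reaches the tenant.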
