Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible[i] devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.
One month before this shift, starting on April 1, 2026, new controls become available if you're not ready for this change. Here's why and how you can decide on your next move.
The advantage of hotpatch updates
Every month, Windows publishes security updates to address common vulnerabilities and exposures (CVEs) to help keep users at your organization secure. When you roll out these updates as an IT admin, you may wait for days for devices to restart before they become compliant. Typically, you'd allow 3-5 days after installing those fixes before forcing a restart to apply them. When hotpatch updates launched about a year ago, we changed the game. Security updates take effect as soon as they are installed – no restart required.
This change in approach patches devices significantly faster since they aren't waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes (see chart below).
Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies like yours have in this capability. Learn more about the efficiency of smaller hotpatch update sizes and how we implement hotpatch updates internally at Microsoft.
Hotpatch by default: How it works
Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.
What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.
Note: Hotpatch updates only apply to devices that meet the hotpatch prerequisites. Devices that don't meet these prerequisites will continue to patch in the same way they do today.
When will my devices start receiving hotpatch updates?
If a device meets the prerequisites and has taken the April 2026 security update (a baseline update), it will start receiving hotpatch updates with the May 2026 security update. Double-check whether a device is enrolled in hotpatch updates with new Windows Autopatch update readiness tools.
Note: Hotpatch updates are applied from the latest baseline release. If a device is enrolled in hotpatch updates but isn't yet on the latest baseline, Windows Autopatch first installs the latest baseline update, which requires a restart. Once the device is on the latest baseline, it continues receiving hotpatch updates without requiring restarts going forward. For more information on the latest schedule for these releases, see Release notes for hotpatch.
How do I know if a device will receive a hotpatch update?
Before the May 2026 hotpatch update, review the Hotpatch quality updates report in Intune. It shows devices that have hotpatch updates enabled and meet the prerequisites. You can easily see which devices will receive a hotpatch update in the Hotpatch ready column. Devices successfully patched are in the Hotpatched column.
You can also look at the Quality update status report in Intune to check which devices are ready to receive a hotpatch update. In this report, the column labeled Hotpatch Readiness indicates if the device meets the prerequisites for hotpatch updates. A new column called Hotpatch enabled will be added showing the status of each device.
Embracing the change at your own pace
Windows Autopatch is enabling hotpatching by default because hotpatch updates are the quickest way to get secure. As such, we recommend keeping hotpatch updates enabled for your devices. If you're not ready for this change, you can opt out groups of devices or the whole tenant.
The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026. And because April is a hotpatch baseline month, you have until May 11, 2026 before any hotpatch updates are deployed.
How to opt out of hotpatch updates across your tenant
Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:
- Open Microsoft Intune.
- Navigate to Tenant administration > Windows Autopatch > Tenant management.
- Select the Tenant settings tab.
- Toggle the "When available, apply updates without restarting the device ("hotpatch")" setting to either Allow or Block.
How to opt out of hotpatch updates for groups of devices
Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:
- Open Microsoft Intune.
- Navigate to Devices > Manage updates > Windows updates.
- Select the Quality updates tab.
- Select Create.
- Select Windows quality update policy from the drop-down menu.
- Fill out the title and details on the Basics tab and select Next.
- In the Settings step, toggle the "When available, apply without restarting the device ("hotpatch")" setting to either Allow or Block, then select Next.
- Apply any scope tags, then select Next.
- Assign your desired Microsoft Entra groups, then select Next.
- Select Create.
You can disable hotpatch updates at the tenant level and enable them for specific devices, and vice versa. When you're ready for hotpatch updates by default, just toggle "When available, apply without restarting the device ("hotpatch")" back to Allow.
To start taking advantage of hotpatch updates enabled by default, check that your devices meet the prerequisites. To learn more and get started, see Hotpatch updates and the Windows Autopatch frequently asked questions (FAQ).
[i] See prerequisites for hotpatch updates in Hotpatch updates.