Windows IT Pro Blog

Securing devices faster with hotpatch updates on by default

Chris_Tulip (Microsoft)
Mar 09, 2026

Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible[i] devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.

One month before this shift, starting on April 1, 2026, new controls become available if you're not ready for this change. Here's why and how you can decide on your next move.

The advantage of hotpatch updates

Every month, Windows publishes security updates to address common vulnerabilities and exposures (CVEs) to help keep users at your organization secure. When you roll out these updates as an IT admin, you may wait for days for devices to restart before they become compliant. Typically, you'd allow 3-5 days after installing those fixes before forcing a restart to apply them. When hotpatch updates launched about a year ago, we changed the game. Security updates take effect as soon as they are installed – no restart required.

This change in approach patches devices significantly faster since they aren't waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes (see chart below).

Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies like yours have in this capability. Learn more about the efficiency of smaller hotpatch update sizes and how we implement hotpatch updates internally at Microsoft.

Hotpatch by default: How it works

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.

What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.

Note: Hotpatch updates only apply to devices that meet the hotpatch prerequisites. Devices that don't meet these prerequisites will continue to patch in the same way they do today.

When will my devices start receiving hotpatch updates?

If a device meets the prerequisites and has taken the April 2026 security update (a baseline update), it will start receiving hotpatch updates with the May 2026 security update. Double-check whether a device is enrolled in hotpatch updates with new Windows Autopatch update readiness tools.

Note: Hotpatch updates are applied from the latest baseline release. If a device is enrolled in hotpatch updates but isn't yet on the latest baseline, Windows Autopatch first installs the latest baseline update, which requires a restart. Once the device is on the latest baseline, it continues receiving hotpatch updates without requiring restarts going forward. For more information on the latest schedule for these releases, see Release notes for hotpatch.

How do I know if a device will receive a hotpatch update?

Before the May 2026 hotpatch update, review the Hotpatch quality updates report in Intune. It shows devices that have hotpatch updates enabled and meet the prerequisites. You can easily see which devices will receive a hotpatch update in the Hotpatch ready column. Devices successfully patched are in the Hotpatched column.

You can also look at the Quality update status report in Intune to check which devices are ready to receive a hotpatch update. In this report, the column labeled Hotpatch Readiness indicates if the device meets the prerequisites for hotpatch updates. A new column called Hotpatch enabled will be added showing the status of each device.

Embracing the change at your own pace

Windows Autopatch is enabling hotpatching by default because hotpatch updates are the quickest way to get secure. As such, we recommend keeping hotpatch updates enabled for your devices. If you're not ready for this change, you can opt out groups of devices or the whole tenant.

The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026. And because April is a hotpatch baseline month, you have until May 11, 2026 before any hotpatch updates are deployed.

How to opt out of hotpatch updates across your tenant

Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:

  1. Open Microsoft Intune.
  2. Navigate to Tenant administration > Windows Autopatch > Tenant management.
  3. Select the Tenant settings tab.
  4. Toggle the "When available, apply updates without restarting the device ("hotpatch")" setting to either Allow or Block.

How to opt out of hotpatch updates for groups of devices

Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:

  1. Open Microsoft Intune.
  2. Navigate to Devices > Manage updates > Windows updates.
  3. Select the Quality updates tab.
  4. Select Create.
  5. Select Windows quality update policy from the drop-down menu.
  6. Fill out the title and details on the Basics tab and select Next.
  7. In the Settings step, toggle the "When available, apply without restarting the device ("hotpatch")" setting to either Allow or Block, then select Next.
  8. Apply any scope tags, then select Next.
  9. Assign your desired Microsoft Entra groups, then select Next.
  10. Select Create.

You can disable hotpatch updates at the tenant level and enable them for specific devices, and vice versa. When you're ready for hotpatch updates by default, just toggle "When available, apply without restarting the device ("hotpatch")" back to Allow.

To start taking advantage of hotpatch updates enabled by default, check that your devices meet the prerequisites. To learn more and get started, see Hotpatch updates and the Windows Autopatch frequently asked questions (FAQ).
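As an added example, not code from the post or from Microsoft, the PowerShell below reports whether a device satisfies the two device-side prerequisites the author names in the comments (Windows 11 24H2 or later, and VBS enabled). The build threshold 26100 and the Win32_DeviceGuard status codes are assumptions taken from public Windows documentation; licensing and Autopatch enrollment are tenant-side facts that cannot be read from the device and are not checked.

```powershell
# Added example (not from the post or from Microsoft): device-side check of the
# hotpatch prerequisites named in the comment thread. The post states the VBS
# requirement for x86 devices; applying it to every architecture is an assumption.
function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Assumption from public build numbering: Windows 11 24H2 is build 26100 and
    # later releases carry higher numbers, so "24H2 or newer" means build >= 26100.
    $osOk = ($build -ge 26100)

    $vbsStatus = -1
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running,
        # 2 = enabled and running. Only 2 counts as "VBS enabled" here.
        $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus
    } catch {
        # Namespace is absent on older builds; leave status at -1 so the device fails.
        Write-Verbose "Win32_DeviceGuard unavailable: $_"
    }
    $vbsOk = ($vbsStatus -eq 2)

    $reasons = @()
    if (-not $osOk) { $reasons += "build $build is older than Windows 11 24H2 (26100)" }
    if (-not $vbsOk) { $reasons += "VBS not running (status $vbsStatus)" }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        Build         = $build
        Architecture  = $env:PROCESSOR_ARCHITECTURE
        VbsStatus     = $vbsStatus
        HotpatchReady = ($osOk -and $vbsOk)
        Reasons       = ($reasons -join '; ')
    }
}

# A device reporting HotpatchReady = False keeps patching the traditional way
# (restart required), as the post describes for devices missing prerequisites.
Test-HotpatchPrerequisites | Format-List
```

Run it through your management tooling against a pilot group before May 2026 and compare the results with the Hotpatch ready column in the Intune report, which is the authoritative view because it also reflects licensing and enrollment.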


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

[i] See prerequisites for hotpatch updates in Hotpatch updates.

Updated Mar 06, 2026
Version 1.0

2 Comments

  • ArturCzepukojc (Copper Contributor)

    Together with my colleagues, we've been reading this back and forth and it's still really hard to understand if we are going to be hit by this or not - meaning the article is confusing.


    What happened to the recent failures regarding forced enablement of features and a promise to let admins decide?


    "Autopatch management status" says we are enrolled to "Driver" and "Feature" policies but not "Quality" - does this mean we are going to be impacted? We don't have Autopatch configured tenant wide and we only have a Hotpatch policy for a test group of devices.

    • Chris_Tulip (Microsoft)

      Hey Artur, Thanks for reaching out!

      To answer your first question directly, the scope of the change is all eligible devices in Intune or through Graph API. What eligible means is that the device has the right licenses and meets the Hotpatching prerequisites (e.g. Win 11 24H2+ and VBS enabled for x86 devices).

      To your second question around Admin choice, we're fully committed to leaving admins in the driver's seat. That's why we're communicating the change early and are adding the option to opt out. To be super explicit about the change timeline: 

      1. March 9th: We're letting you know that changes are coming
      2. April 1st: The option to opt out at the tenant level will go live in the Intune portal
         Note: The Hotpatch settings you configure in Quality Update Policies will overwrite the tenant level setting for devices assigned to those policies.
      3. May Security Update: First default on hotpatch security update

      This timeline provides six weeks to act before any change occurs, ample time to hit the toggle if you want to stick with traditional patching. As discussed above, the rationale is that devices get secure significantly faster while deploying the exact same set of security fixes. Given that the technology has been proven on millions of devices over the last year without issue, enabling Hotpatch by default is the best thing to do from both a security and user experience perspective.