Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Microsoft Intune devices. Additional IT controls are coming in April.
When will this happen:
- Devices will start receiving hotpatch updates by default with the May 2026 Windows security update.
- The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026.
How this will affect your organization:
Devices that meet hotpatch prerequisites will get secure faster because full Windows security updates are applied without waiting for a restart. Devices are secured as soon as the update is installed. You don’t need to wait for devices to restart, saving on average three to five days.
Devices will restart during baseline months, which are January, April, July, and October.
What you need to do to prepare:
If you already use Windows Autopatch, no action is needed to get hotpatch updates enabled by default. We recommend keeping hotpatch updates enabled for your devices.
To maximize the number of devices receiving hotpatch updates, ensure they meet prerequisites. Most commonly, this means enabling Virtualization-based Security (VBS) for x86 devices.
If you’re not ready for this change, you can opt out groups of devices using Quality Update policies or the whole tenant.
Additional information:
Read the announcement in Securing devices faster with hotpatch updates on by default.
Learn more about hotpatch updates with the following resources:
- Hotpatch updates
- Hotpatch for Windows client now available
- Hotpatching now available for 64-bit Arm architecture
- Hotpatch for client: Frequently asked questions
- Transforming security and compliance at Microsoft
- Hotpatch efficiency unlocked: Smaller update size
- Inside hotpatch updates for Windows (YouTube video)
- Hotpatching 101: Enable virtualization-based security (VBS) (YouTube video)