MC1248388: Plan for Change: Windows Autopatch is enabling hotpatch updates by default

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Intune devices. Additional controls are expected in April. 

When this will happen

  • Devices will start receiving hotpatch updates by default with the May 2026 Windows security update.
  • A tenant setting to opt out of hotpatch updates is expected to be available on April 1, 2026, or soon after.

How this will affect your organization

Devices that meet hotpatch prerequisites will get secure faster because full Windows security updates are applied without waiting for a restart. Devices are secured as soon as the update is installed. You do not need to wait for devices to restart, saving on average three to five days.

Devices will restart during baseline months, which are January, April, July, and October.

What you need to do to prepare

If you already use Windows Autopatch, no action is needed to get hotpatch updates enabled by default. We recommend keeping hotpatch updates enabled for your devices.

To maximize the number of devices receiving hotpatch updates, ensure they meet the prerequisites. Most commonly, this means enabling Virtualization-based Security (VBS) for x86 devices.
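
To check the VBS prerequisite named above on a single device, the following PowerShell is an added example, not part of Microsoft's post. It queries the Win32_DeviceGuard CIM class; the function name Get-VbsReadiness and the output field names are assumptions, and it covers only VBS, not the other hotpatch prerequisites, which this post does not list.

```powershell
# Added example: report whether VBS is enabled and running on this device.
# Get-VbsReadiness is a hypothetical name chosen for this illustration.
function Get-VbsReadiness {
    [CmdletBinding()]
    param()

    # Meaning of VirtualizationBasedSecurityStatus in Win32_DeviceGuard
    $statusText = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }
    catch {
        # Class missing or query blocked: report that instead of guessing a state
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Architecture = $env:PROCESSOR_ARCHITECTURE
            VbsStatus    = 'Unknown'
            VbsRunning   = $false
            Detail       = $_.Exception.Message
        }
    }

    $code = [int]$dg.VirtualizationBasedSecurityStatus
    $text = if ($statusText.ContainsKey($code)) { $statusText[$code] }
            else { "Unrecognized value $code" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Architecture = $env:PROCESSOR_ARCHITECTURE
        VbsStatus    = $text
        VbsRunning   = ($code -eq 2)   # only "enabled and running" counts as met
        Detail       = "VirtualizationBasedSecurityStatus=$code"
    }
}

# Emit one object per device so results can be collected and filtered fleet-wide
Get-VbsReadiness
```

Devices that report `VbsRunning = False` are the ones to review before the default changes.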

If you’re not ready for this change, you can opt out groups of devices using Quality Update policies, or opt out the whole tenant.

Additional information

Read the announcement in "Securing devices faster with hotpatch updates on by default."

Learn more about hotpatch updates with the following resources: