Hotpatch updates enable faster security protection without requiring system restarts.
Key Takeaways:
Microsoft will enable hotpatch security updates by default in Windows Autopatch, starting with the May 2026 Windows security update. The change applies to eligible devices managed through Microsoft Intune or the Microsoft Graph API.
Windows Autopatch is a managed service that automates the delivery of Windows and Microsoft 365 updates, which ensures devices stay secure and up to date with minimal administrative effort. It orchestrates updates across staged deployment rings and can pause or roll back updates if issues arise in enterprise environments.
According to Microsoft, a traditional Windows security update is installed but not active until the device restarts, and in many enterprise environments that restart lags the install by roughly three to five days. Hotpatch updates close that gap by taking effect immediately on installation, which lets organizations reach about 90% compliance in roughly half the time.
Starting in May 2026, hotpatch updates will begin rolling out to Windows devices managed through Microsoft Intune or the Graph API that are not assigned to a specific quality update policy. The rollout will respect existing organizational settings such as update rings, deferral periods, and any policy-based hotpatch configuration already in place.
Hotpatching is only available on devices that meet specific prerequisites: running Windows 11 version 24H2 or later, holding an eligible enterprise license, and having already installed the April 2026 baseline security update.
On April 1, 2026, Microsoft will introduce new administrative controls that let organizations disable hotpatching or apply it selectively, so IT teams that are not ready for the new default can opt out. Microsoft notes that April is a baseline month: a device that still needs the baseline update must install it and complete a restart, after which the following monthly hotpatch updates apply automatically without a restart. Baseline months recur quarterly in the hotpatch calendar, so a restart is still required about once every three months; the hotpatch months in between are the ones that become restart-free.
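The prerequisites above can be checked locally before a device is allowed to pick up restart-free updates. The PowerShell below is an added example written for this page; it is not code from the article or from Microsoft. It assumes that Windows 11 24H2 corresponds to OS build 26100 (later versions carry higher build numbers), it takes the April 2026 baseline KB number as a parameter because the article does not state it, and it does not test licensing or Intune policy assignment, which live in the tenant rather than on the device. Run it in an elevated PowerShell session on the device under assessment.

```powershell
<#
  Added example: local pre-flight check for the hotpatch prerequisites the
  article lists (24H2 or later, April 2026 baseline installed, restart done).
  Assumptions:
    - Build 26100 == Windows 11 24H2 (higher builds are later versions).
    - The baseline KB is unknown at time of writing, so it is a parameter.
    - License eligibility and Intune policy assignment are tenant-side and
      are reported as "check in Intune" rather than tested here.
#>
[CmdletBinding()]
param(
    # e.g. -BaselineKB KB5xxxxxx once the April 2026 release is published
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d{6,8}$')]
    [string]$BaselineKB
)

# OS version data; DisplayVersion ("24H2"), CurrentBuild and UBR are standard values
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild

# Servicing stack and Windows Update both leave markers when a restart is pending;
# a device with the baseline installed but a restart outstanding is not yet ready
$rebootMarkers = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

$result = [ordered]@{
    Device            = $env:COMPUTERNAME
    DisplayVersion    = $ver.DisplayVersion
    Build             = "$build.$($ver.UBR)"
    BuildOK           = ($build -ge 26100)   # 24H2 or later
    BaselineKB        = $BaselineKB
    BaselineInstalled = [bool](Get-HotFix -Id $BaselineKB -ErrorAction SilentlyContinue)
    RebootPending     = [bool]($rebootMarkers | Where-Object { Test-Path $_ })
    LicenseEligible   = 'check in Intune'    # not verifiable on the device
}

# Ready only when the build is new enough, the baseline is on disk, and the
# post-baseline restart has already happened
$result.HotpatchReady = $result.BuildOK -and $result.BaselineInstalled -and (-not $result.RebootPending)

[pscustomobject]$result
```

For a fleet, run the script through Intune or a remote session and collect the objects; any device reporting `BuildOK = False` needs a feature update before May, and any device with `BaselineInstalled = True` but `RebootPending = True` will keep blocking on its one remaining restart until it is rebooted.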
For organizations managing tens of thousands of devices, moving from restart-dependent updates to hotpatching is a meaningful operational change. In production environments, companies running fleets of 30,000 to 70,000 devices halved their time to 90% security-patch compliance without changing their existing update policies.
At that scale the gain shows up as less IT labor and less device downtime: fewer forced-restart windows to schedule, fewer support tickets from interrupted users, and a noticeably shorter window during which a disclosed vulnerability remains exploitable across the environment.