Starting May 2026, Microsoft will enable hotpatching by default for eligible enterprise devices managed through Windows Autopatch, removing the restart from most monthly security updates; Microsoft reports that hotpatched fleets reach 90% compliance in about half the usual time.
Key Points About Hotpatching As The Default Setting
- Starting with the May 2026 security update, devices running Windows 11 Enterprise, Education, or Windows 365 on x64 with virtualization-based security (VBS) enabled, and managed through Intune or the Microsoft Graph API, will have hotpatching enabled by default.
- Hotpatching applies most monthly security updates to running code in memory, so no restart is needed. Only the quarterly baseline cumulative updates (January, April, July, October) require a restart.
- Microsoft reports that hotpatching lets organizations reach 90% compliance in about half the typical time, shortening the window in which a published CVE remains exploitable on a running device.
- Management: although hotpatching will be enabled by default, IT administrators can allow or block it in the Intune admin center, tenant-wide or per device group.
- Eligibility is limited to Windows 11 Enterprise, Education, and Windows 365 on x64 with VBS enabled; devices that do not meet all three conditions keep receiving standard updates with a restart.
Beginning with the May 2026 Windows security update, Windows Autopatch will enable hotpatch security updates by default on all eligible devices managed through Microsoft Intune or the Microsoft Graph API. Because the fix takes effect as soon as it is installed, without a restart, Microsoft reports that organizations reach 90% compliance in about half the time. You keep control of the setting at both the tenant and the device-group level.
The new controls become available on April 1, 2026, one month before the change. Here is what you need to decide on your next steps.
The Advantage Of Hot Patch Updates
Each month, Windows releases security updates that fix common vulnerabilities and exposures (CVEs). With a traditional update the patched binaries are written to disk but the vulnerable code keeps running until the device restarts, so the device is not compliant until then; admins typically give devices three to five days after installation before forcing a restart. Hotpatch updates, which launched about a year ago, changed this: the fix is applied to running code in memory and takes effect as soon as it is installed, so devices reach about 90% compliance in roughly half the previous time, often within one to three days.
In Microsoft's FASTER Patching study, four organizations managing 30,000 to 70,000 devices each were interviewed about their time to compliance.
Today, more than 10 million devices use hotpatch updates. Microsoft also points to the smaller download size of hotpatch updates and to its own internal use of the feature.
Hotpatch by default: how it works
With the May 2026 security update, Windows Autopatch will default to hotpatch updates for organizations using Microsoft Intune or the Microsoft Graph API, improving their security posture without any change to existing policies.
What does this mean for you?
Windows Update policies in Microsoft Intune are delivered through Windows Autopatch. The new tenant-wide default applies only to devices that are not assigned to a Quality Update Policy; for a device that is assigned to one, Windows Autopatch follows the hotpatch setting in that policy instead. The hotpatch control is a separate Allow/Block choice that sits alongside your existing update deferral and update ring settings, which continue to apply as configured. A device that meets the prerequisites and has installed the April 2026 security update (the baseline) will start receiving hotpatch updates with the May 2026 security update. Check whether a device is enrolled for hotpatch updates with the new Windows Autopatch update readiness reports described below.
How Do I Know If a Device Will Receive a Hotpatch Update?
Before the May 2026 hotpatch update ships, check the Hotpatch Quality Updates report in Intune. It lists the devices that have hotpatch updates enabled and shows which of them will receive, or have already received, the update.
The Quality Update Status report in Intune shows which devices are ready for hotpatching: the Hotpatch Readiness column indicates whether a device meets the prerequisites, and a new Hotpatch Enabled column will soon show whether hotpatching is actually turned on for each device. A device can be ready but not enabled (for example, blocked by policy), so check both columns.
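The Intune readiness column summarises facts that can also be read directly from a device, which is useful when triaging a single machine that unexpectedly shows as not ready. The following script is an added example, not code from the Microsoft post: it checks the prerequisites the article lists (Windows 11 Enterprise or Education, or Windows 365; x64; VBS enabled) using the documented Win32_OperatingSystem, Win32_Processor and Win32_DeviceGuard CIM classes. Two assumptions are built in and labelled in the comments: Windows 365 Cloud PCs are treated as reporting the Enterprise edition, and the April 2026 baseline check is left to the reader because the page does not give its KB number.

```powershell
# Added example (not from the Microsoft post): local pre-check of the hotpatch
# prerequisites the article lists. Reads the same facts Intune's Hotpatch Readiness
# column summarises, but from the device itself.
# Assumptions: Windows 365 Cloud PCs report the Enterprise edition; the
# Win32_DeviceGuard class is present (it is on Windows 11). The April 2026
# baseline update is not checked here because its KB number is not on the page.

function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard

    # EditionID separates Enterprise/Education from Pro. The Caption string on
    # Win32_OperatingSystem is locale-dependent, so it is not parsed here.
    $editionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    $checks = [ordered]@{
        # Windows 11 builds start at 22000.
        'Windows 11'       = ([int]$os.BuildNumber -ge 22000)
        # Enterprise, EnterpriseN, Education, EducationN. LTSC (EnterpriseS) is
        # excluded because the article lists only Enterprise, Education and 365.
        'Eligible edition' = ($editionId -match '^(Enterprise|Education)N?$')
        # Win32_Processor.Architecture: 9 = x64, 12 = ARM64. Hotpatch requires x64.
        'x64 processor'    = ($cpu.Architecture -eq 9)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
        'VBS running'      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }

    foreach ($name in $checks.Keys) {
        if (-not $checks[$name]) { Write-Warning "Hotpatch prerequisite not met: $name" }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $os.BuildNumber
        EditionID    = $editionId
        VbsStatus    = $dg.VirtualizationBasedSecurityStatus
        Ready        = (@($checks.Values) -notcontains $false)
        FailedChecks = @($checks.Keys | Where-Object { -not $checks[$_] })
    }
}

Test-HotpatchPrerequisites
```

Run it in an elevated PowerShell session on the device in question; a `Ready` value of `$false` together with the `FailedChecks` list tells you which prerequisite to fix before the May update, most often VBS being enabled in firmware but not running.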
Adapting To The Change At Your Own Pace
Windows Autopatch will enable hotpatching by default because it is the fastest way to get a security fix running on your devices, and Microsoft recommends leaving it enabled. If you choose not to use hotpatches, you can opt out for specific device groups or for the entire tenant, either through the Intune admin center or by assigning devices to a Quality Update Policy that blocks hotpatching. Steps for both the tenant-wide and the group-specific opt-out follow.
The tenant-wide opt-out control becomes available on April 1, 2026. Because April is a hotpatch baseline month (the April update is a full cumulative update that requires a restart), you have until May 11, 2026, before the first default-on hotpatch update is installed.
How To Set The Default Hotpatch Behaviour Across Your Tenant
When the new controls go live in April, set the tenant-wide default for hotpatch updates as follows.
- Navigate to Tenant administration > Windows Autopatch > Tenant management.
- Select the Tenant settings tab.
- Switch the "When available, apply updates without restarting the device (hotpatching)" setting to Allow or Block.
How to Opt Out of Hot Patch Updates for Groups of Devices
To opt specific device groups in or out, assign each group a Quality Update Policy; Windows Autopatch honours the hotpatch setting in that policy over the tenant default. To create and assign a policy, follow these steps.
- Navigate to Devices > Manage Updates > Windows Updates.
- Select the Quality Updates tab.
- Select Create.
- Select the Windows Quality Update Policy from the drop-down menu.
- Fill in the title and details on the Basics tab, then select Next.
- In the Settings step, switch the "When available, apply updates without restarting the device (hotpatching)" setting to Allow or Block, then select Next.
- Apply any scope tags, then select Next.
- Assign the Microsoft Entra Groups you want, then select Next.
- Select Create.
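The portal steps above can be reproduced through Microsoft Graph, which is how the article says many tenants already manage these policies, and a scripted version is easier to review and repeat across tenants. The script below is an added example, not code from the Microsoft post, and it uses the Microsoft.Graph PowerShell SDK's `Connect-MgGraph` and `Invoke-MgGraphRequest`. The Graph resource path `deviceManagement/windowsQualityUpdatePolicies`, the boolean property `hotpatchEnabled`, and the `/assign` action with a `groupAssignmentTarget` are assumptions to verify against the Graph beta reference for your tenant; `$GroupId` is a placeholder for your Entra group's object ID.

```powershell
# Added example (not from the Microsoft post): create and assign the same Quality
# Update Policy the portal steps describe, via Microsoft Graph.
# ASSUMPTIONS to verify against the Graph beta reference: the resource path
# 'deviceManagement/windowsQualityUpdatePolicies', the 'hotpatchEnabled' boolean,
# and the '/assign' action taking a groupAssignmentTarget.

function New-HotpatchQualityUpdatePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Object ID of the Microsoft Entra group to assign (placeholder in the usage line below).
        [Parameter(Mandatory)] [string] $GroupId,
        # $false = Block hotpatching for this group (opt out); $true = Allow.
        [bool]   $HotpatchEnabled = $false,
        [string] $Description = ''
    )

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

    $base = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies'

    # Idempotency guard: refuse to create a second policy with the same name,
    # which would silently leave two policies competing for the same group.
    $existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
        Where-Object { $_.displayName -eq $DisplayName }
    if ($existing) {
        throw "A policy named '$DisplayName' already exists (id $($existing[0].id))."
    }

    $body = @{
        displayName     = $DisplayName
        description     = $Description
        hotpatchEnabled = $HotpatchEnabled
    }

    if ($PSCmdlet.ShouldProcess($DisplayName, "Create Quality Update Policy (hotpatchEnabled=$HotpatchEnabled)")) {
        $policy = Invoke-MgGraphRequest -Method POST -Uri $base `
            -Body ($body | ConvertTo-Json) -ContentType 'application/json'

        # Assignment is a separate action, as with other Intune update policies.
        $assign = @{
            assignments = @(
                @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
            )
        }
        Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
            -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

        return $policy
    }
}

# Opt a pilot group out of hotpatching while the tenant default stays at Allow.
# Run with -WhatIf first to see what would be created.
New-HotpatchQualityUpdatePolicy -DisplayName 'QU - Block hotpatch (pilot)' `
    -GroupId '<entra-group-object-id>' -HotpatchEnabled:$false -WhatIf
```

Because a device-group policy overrides the tenant setting, the same function with `-HotpatchEnabled:$true` is the way to keep a group on hotpatching if you later block it tenant-wide.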
Either the tenant setting or a group's Quality Update Policy can override the default; in both places the control is the same Allow/Block toggle for hotpatching, and a device-group policy takes precedence over the tenant setting for the devices it covers.
To receive hotpatch updates by default, make sure your devices meet the prerequisites above. For more information, see Microsoft's documentation on hotpatch updates and the Windows Autopatch frequently asked questions.
Source: Securing devices faster with hotpatch updates on by default