Windows Autopatch will enable hotpatch security updates by default to accelerate device security. This change in default behavior will apply to all eligible devices managed through Microsoft Intune and those accessing the service via the Microsoft Graph API, beginning with the May 2026 Windows Security Update. Applying security fixes without requiring a restart enables organizations to reach 90% compliance in half the usual time while retaining administrative control.

Starting April 1, 2026, organizations that are not ready for hotpatch updates by default will have new administrative controls. The next sections explain the reason for this change and how to choose the approach that fits your organization.

Advantages Of Hotpatch Updates 

Every month, Windows releases security updates to address known CVEs and mitigate risk. Traditionally, IT administrators had to wait several days for device restarts before the updates took effect and compliance targets were met. Standard practice is to allow a three- to five-day window after installation before enforcing a restart. With hotpatching, updates are deployed and activated immediately without requiring a restart, which closes that exposure window.

Devices are patched significantly faster with hotpatching because updates do not require device restarts. For instance, four organizations managing 30,000–70,000 endpoints each achieved 90% patch compliance in half the time compared to traditional approaches, without modifying update policies.  

Currently, over 10 million production devices are enrolled in hotpatch updates, demonstrating broad adoption and organizational trust in this capability. Additional information is available on the efficiency of smaller hotpatch update sizes and on Microsoft’s internal implementation of hotpatch updates.

Hotpatch By Default: Operational Overview

In May 2026, Windows Autopatch will make hotpatch updates the default to accelerate security for organizations using Intune or the Microsoft Graph API. All quality update policies in Intune are managed by Windows Autopatch. The default setting applies only to devices that are not assigned to a quality update policy. For devices assigned to a quality update policy, the hotpatch setting specified in that policy is enforced. Existing update deferral and update ring preferences are maintained.

Timeline For Receiving Hotpatch Updates 

Devices that meet the prerequisites and have installed the April 2026 Security Update will start receiving hotpatch updates in May 2026. Check enrollment status using the new Windows Autopatch readiness tools.

How Do I Know If A Device Will Receive A Hotpatch Update?

Before the May 2026 hotpatch update, review the Hotpatch Quality Updates report in Intune. This report identifies devices with hotpatch updates enabled that also satisfy the necessary prerequisites. The “HotPatch Ready” column indicates which devices will receive a hotpatch update, while the “Hot Patched” column lists devices that have already been successfully patched.

The Quality Update Status report in Intune can also be used to determine which devices are ready to receive a hotpatch update. The “HotPatch Readiness” column indicates whether a device satisfies the prerequisites for hotpatch updates. An additional column, “HotPatch enabled”, will be added to display each device’s current hotpatch status.

Adopting Hotpatch Updates At An Individualized Pace 

Windows Autopatch is enabling hotpatching by default because hotpatch updates are the fastest way to get devices secure. Hotpatching is the process of applying updates without restarting devices. As such, we recommend keeping hotpatch updates enabled for your devices. If you are not ready for this change, you can opt out for groups of devices or for the whole tenant (your organization’s account or environment in Microsoft’s cloud services).

The tenant-level hotpatch update setting becomes available on April 1, 2026, aligning with the baseline month. IT teams have until May 11, 2026, to make configuration adjustments before automatic deployment begins.

Opting Out Of Hotpatch Updates At The Tenant Level 

When the changes take effect in April, follow these steps to configure a tenant-wide opt-out for hotpatch updates.

  1. Navigate to Tenant Administration > Windows Autopatch > Tenant Management.
  2. Select the Tenant settings tab.
  3. Toggle the “When available, apply patches without restarting the device (HotPatch)” setting to either Allow or Block.

How to Opt Out of HotPatch Updates for Groups of Devices 

To define a custom update approach for a device group, assign those devices to a quality update policy. Windows Autopatch enforces policy-level configuration over the tenant default. To create a policy, follow these steps.

  1. Open Microsoft Intune.
  2. Navigate to Devices > Manage updates > Windows updates.
  3. Select the Quality updates tab.
  4. Select Create.
  5. Select the Windows quality update policy from the drop-down menu.
  6. Fill in the name and description on the Basics tab, then select Next.
  7. In the Settings step, toggle the “When available, apply without restarting the device (HotPatch)” setting to either Allow or Block, then select Next.
  8. Apply any scope tags, then select Next.
  9. Assign the Microsoft Entra groups you want, then select Next.
  10. Select Create.

You can disable hotpatch updates at the tenant level and enable them for specific devices, or do the reverse, when you are ready to adopt hotpatch updates. To keep the default behavior, leave the “When available, apply without restarting the device (HotPatch)” setting on Allow.

To use hotpatch updates, which are enabled by default, ensure that all devices meet the required prerequisites. For additional information and an implementation guide, refer to the hotpatch updates documentation and the Windows Autopatch Frequently Asked Questions (FAQ).

Source: Securing devices faster with hotpatch updates on by default 
