Microsoft to enable Windows hotpatch security updates by default

Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.

The updates will be delivered through Windows Autopatch, the company’s enterprise service that automatically keeps Windows and Microsoft 365 software up to date.

Under the previous update model, IT administrators typically allowed 3 to 5 days for users to restart their devices before forcing compliance (a window that left their organizations exposed to attacks).

However, with this change, Microsoft estimates that the time to reach 90% patch compliance will be halved.

“Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Microsoft Intune devices. Additional IT controls are coming in April,” Microsoft said.

“You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you’re ready for hotpatch updates by default, just toggle ‘When available, apply without restarting the device (hotpatch)’ back to Allow,” it added.

Windows Autopatch management toggle (Microsoft)

Admins can check device readiness using the Hotpatch quality updates report in Intune to confirm whether devices have installed the April 2026 baseline update and meet the prerequisites to receive hotpatch updates in May.

Organizations that are not ready will be able to opt out at the tenant level using controls in Microsoft Intune (which will go live on April 1, 2026) by going through the following steps:

  1. Open Microsoft Intune.
  2. Navigate to Tenant administration > Windows Autopatch > Tenant management.
  3. Select the Tenant settings tab.
  4. Toggle the “When available, apply updates without restarting the device (‘hotpatch’)” setting to either Allow or Block.

Because April is a hotpatch baseline month, admins have until May 11, 2026, before any hotpatch updates are deployed, providing them with enough time to review and adjust.

Windows Autopatch was first announced in April 2022 and reached general availability for customers with Windows Enterprise E3 and E5 licenses in July 2022.

Microsoft says that Windows Autopatch is now running on more than 10 million production devices, applying security fixes the moment they are installed, eliminating the need for a system restart.
