Microsoft flips Windows Autopatch to default hotpatch security updates

Microsoft Enhances Windows Autopatch with Automatic Hotpatch Updates

In a significant shift for IT management, Microsoft is set to streamline the update process for Windows devices. Beginning with the May 2026 Windows security update, the company will automatically enable hotpatch security updates for devices managed through Microsoft Intune or the Microsoft Graph API. This change aims to enhance the efficiency of security patching while minimizing disruptions for users.

Windows Autopatch, a service designed to automate updates for Windows and Office, has been a game changer for IT administrators. It not only facilitates the timely application of updates but also allows for the pausing and rolling back of updates should devices fail to meet performance benchmarks post-installation.

The introduction of hotpatch technology, which allows security fixes to be applied immediately without necessitating a device restart, marks a pivotal advancement. Previously, this feature required manual activation by administrators, but Microsoft asserts that the new automatic setting will significantly reduce the time it takes to achieve compliance. “Applying security fixes without waiting for a restart can help organizations reach 90% compliance in half the time, while remaining in control,” the company stated.

Eligible devices that install the April 2026 baseline security update will automatically begin receiving hotpatch updates starting in May 2026. However, it’s important to note that this default setting will apply only to devices not already assigned to a quality update policy. Existing configurations, including hotpatch settings, update rings, and deferral preferences, will remain unaffected.

Devices that are not yet on the latest baseline will first receive the required baseline update from Windows Autopatch, and that baseline install does require a restart. Once the baseline is in place, subsequent security fixes are delivered as hotpatches and take effect without a further reboot.

While Microsoft encourages organizations to keep hotpatch updates enabled for optimal security management, there is flexibility for those who may not be ready to adopt this change. Organizations can choose to opt out specific device groups or their entire tenant, with the opt-out setting becoming available on April 1, 2026. It’s worth noting that since April is designated as a hotpatch baseline month, deployments will not commence until May 11.

IT administrators looking for further details on this change and guidance on enrollment can refer to Microsoft’s official blog post for comprehensive information.
