Microsoft to enable Windows hotpatch security updates by default

Microsoft is set to enhance the security landscape for eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API by enabling hotpatch security updates by default. This significant shift will commence with the May 2026 Windows security update, marking a proactive step in safeguarding enterprise environments.

Streamlined Update Process

The updates will be facilitated through Windows Autopatch, Microsoft’s enterprise service designed to keep Windows and Microsoft 365 software current without manual intervention. Previously, IT administrators would typically allow a compliance window of 3 to 5 days for users to restart their devices, which left those devices unpatched, and therefore exposed, until the restart actually happened.

With the introduction of hotpatch updates, Microsoft anticipates a remarkable reduction in the time required to achieve 90% patch compliance, effectively halving the duration compared to the previous model. “Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure,” the company stated. This change will affect all eligible Microsoft Intune devices, with additional IT controls expected to roll out in April.

Organizations will have the flexibility to manage hotpatch updates at the tenant level, allowing them to enable or disable these updates for specific devices as needed. Administrators who choose to block hotpatch updates at first can later switch the ‘When available, apply without restarting the device (hotpatch)’ setting back to Allow once they are prepared for the new default behavior.

Windows Autopatch management toggle (Microsoft)

Preparing for Hotpatch Updates

To ensure devices are ready for the upcoming hotpatch updates, administrators can utilize the Hotpatch quality updates report in Intune. This report will confirm whether devices have installed the April 2026 baseline update and meet the necessary prerequisites for receiving hotpatch updates in May.

For organizations that may not be prepared for this transition, Microsoft offers an opt-out option at the tenant level. This feature will be available starting April 1, 2026, and can be accessed through the following steps:

  1. Open Microsoft Intune.
  2. Navigate to Tenant administration > Windows Autopatch > Tenant management.
  3. Select the Tenant settings tab.
  4. Toggle the “When available, apply updates without restarting the device (hotpatch)” setting to either Allow or Block.

As April is designated as a hotpatch baseline month, administrators will have until May 11, 2026, to review and make any necessary adjustments before the deployment of hotpatch updates begins.

Initially announced in April 2022, Windows Autopatch became generally available for customers with Windows Enterprise E3 and E5 licenses in July 2022. Microsoft currently reports that Windows Autopatch is operational on over 10 million production devices; with hotpatching, security fixes take effect immediately upon installation, eliminating the need for a system restart.
