Microsoft Enables Hotpatch by Default May 2026

Microsoft will enable hotpatch updates by default in May 2026 for eligible Intune-managed devices, applying security fixes without restarts to speed compliance. Admins can opt out per tenant or via quality update policies before April 1, 2026.

Windows Autopatch will enable hotpatch security updates by default starting with May 2026. This change applies to eligible devices managed via Microsoft Intune or Microsoft Graph API.

Main feature and impact

Windows Autopatch enabling hotpatch by default removes restart requirements for eligible security fixes. Devices that meet hotpatch prerequisites apply many security updates immediately on installation. Organizations can reach 90 percent compliance in roughly half the prior time. This reduces exposure windows without altering update deferral or ring configurations for devices already assigned to quality update policies.

Practical implications

Administrators must verify device prerequisites and baseline update status before May 2026. Devices not on the latest baseline will receive that baseline first, which requires a restart. Tenant and policy controls allow blocking hotpatch at tenant or quality policy scope. The tenant opt-out toggle goes live April 1, 2026, and organizations have until May 11, 2026 before default hotpatch deployments begin.

“All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren’t members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied.”

To prepare, review the Hotpatch quality updates and Hotpatch readiness reports in Intune. If you opt out, toggle the tenant setting to Block or assign devices to a quality update policy that sets hotpatch to Block. If you accept hotpatch by default, confirm prerequisites and baselines to avoid unexpected restarts. Follow Microsoft documentation and monitor deployment reports to validate faster compliance and adjust scope as needed.
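The precedence and readiness rules above can be checked offline against a device inventory before the default changes. The following is an added example, not Microsoft's code or an Intune API: the CSV columns, the device and policy names, and the "Allow" label are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory. Column names are assumptions, not an Intune schema.
SAMPLE_CSV = """device,quality_policy,policy_hotpatch,meets_prereqs,on_latest_baseline
PC-001,,,yes,yes
PC-002,,,yes,no
PC-003,Ring-Pilot,Block,yes,yes
PC-004,Ring-Broad,Allow,yes,no
PC-005,,,no,yes
"""

def effective_setting(row, tenant_default):
    """A quality update policy's setting wins; the tenant default only
    reaches devices that are not members of any quality update policy."""
    if row["quality_policy"]:
        setting, source = row["policy_hotpatch"], "policy:" + row["quality_policy"]
    else:
        setting, source = tenant_default, "tenant"
    if setting not in ("Allow", "Block"):  # "Allow" is an assumed label
        raise ValueError(f'{row["device"]}: unknown hotpatch setting {setting!r}')
    return setting, source

def classify(row, tenant_default="Allow"):
    setting, source = effective_setting(row, tenant_default)
    if setting == "Block":
        outcome = "blocked"                  # no hotpatch for this device
    elif row["meets_prereqs"] != "yes":
        outcome = "ineligible"               # prerequisites not met
    elif row["on_latest_baseline"] != "yes":
        outcome = "baseline-restart-first"   # baseline installs first, with a restart
    else:
        outcome = "hotpatch-no-restart"
    return {"device": row["device"], "source": source, "outcome": outcome}

def audit(csv_text, tenant_default="Allow"):
    return [classify(r, tenant_default) for r in csv.DictReader(io.StringIO(csv_text))]

def summary(results):
    return Counter(r["outcome"] for r in results)

if __name__ == "__main__":
    for r in audit(SAMPLE_CSV):
        print(f'{r["device"]:8} {r["source"]:18} {r["outcome"]}')
    print(dict(summary(audit(SAMPLE_CSV))))
```

Running the audit with `tenant_default="Block"` shows which devices would still receive hotpatch because a quality update policy allows it.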

Key points from the article:

  • Hotpatch enabled by default starting May 2026 for eligible Intune devices.
  • Applies security fixes without requiring device restarts.
  • Admins can opt out at tenant level starting April 1, 2026.
  • Quality update policies override the tenant default for specific groups.
  • Devices must meet prerequisites and latest baseline to receive hotpatch.

    From the Windows IT Pro Blog articles