Summary
- Windows Autopatch will enable hotpatch security updates by default for eligible Intune devices.
- Hotpatch updates allow devices to be secured faster without waiting for a restart, reducing update delay by three to five days on average.
- Devices will still require restarts during specified baseline months (January, April, July, and October).
- Ensuring that devices meet hotpatch prerequisites, such as enabling Virtualization-based Security (VBS) for x86 devices, is recommended.
- An option will be available to opt out of hotpatch updates for specific groups or the entire tenant.
Admin Impact: Medium
User Impact: Low
Release Start: 01 Apr 2026
Release End: 01 May 2026
Services: Windows
Category: Stay informed
Tags: Admin Action
History
3/9/2026 Item Added to Message Center
Microsoft Message
Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Microsoft Intune devices. Additional IT controls are coming in April.
When will this happen
- Devices will start receiving hotpatch updates by default with the May 2026 Windows security update.
- The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026.
How this will affect your organization
Devices that meet hotpatch prerequisites will get secure faster because full Windows security updates are applied without waiting for a restart. Devices are secured as soon as the update is installed. You don’t need to wait for devices to restart, saving on average three to five days.
Devices will restart during baseline months, which are January, April, July, and October.
What you need to do to prepare
If you already use Windows Autopatch, no action is needed to get hotpatch updates enabled by default. We recommend keeping hotpatch updates enabled for your devices.
To maximize the number of devices receiving hotpatch updates, ensure they meet prerequisites. Most commonly, this means enabling Virtualization-based Security (VBS) for x86 devices.
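One way to check the VBS prerequisite on a device, as an added example that is not part of the Microsoft message. It queries the `Win32_DeviceGuard` CIM class and covers only VBS, not any other hotpatch prerequisite. The function name `Get-VbsHotpatchReadiness` is hypothetical, and the exit codes assume the script is deployed as a detection script where a non-zero exit flags the device.

```powershell
# Added example: report whether VBS is running on the local device.
# Get-VbsHotpatchReadiness is a hypothetical helper name, not a Microsoft cmdlet.
function Get-VbsHotpatchReadiness {
    [CmdletBinding()]
    param()

    # Documented values of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    $statusText = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }
    catch {
        # Class unavailable or query blocked: report Unknown instead of guessing.
        return [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Architecture  = $env:PROCESSOR_ARCHITECTURE
            VbsStatusCode = $null
            VbsStatus     = 'Unknown'
            VbsRunning    = $false
            Detail        = $_.Exception.Message
        }
    }

    $code = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Architecture  = $env:PROCESSOR_ARCHITECTURE
        VbsStatusCode = $code
        VbsStatus     = if ($statusText.ContainsKey($code)) { $statusText[$code] }
                        else { "Unrecognized ($code)" }
        # Only status 2 means VBS is actually active after boot.
        VbsRunning    = ($code -eq 2)
        Detail        = 'SecurityServicesRunning: ' + (@($dg.SecurityServicesRunning) -join ',')
    }
}

$result = Get-VbsHotpatchReadiness
$result | Format-List

# Assumed deployment convention: exit 1 flags a device where VBS is not running.
if (-not $result.VbsRunning) { exit 1 }
exit 0
```

A status of 1 (enabled but not running) usually means the setting is configured but the device has not yet rebooted into it or the platform cannot start it, so treat it as not meeting the prerequisite until it reports 2.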
If you’re not ready for this change, you can opt out groups of devices using Quality Update policies, or opt out the whole tenant.
Additional information
Read the announcement in Securing devices faster with hotpatch updates on by default.
Learn more about hotpatch updates with the following resources:
- Hotpatch updates
- Hotpatch for Windows client now available
- Hotpatching now available for 64-bit Arm architecture
- Hotpatch for client: Frequently asked questions
- Transforming security and compliance at Microsoft
- Hotpatch efficiency unlocked: Smaller update size
- Inside hotpatch updates for Windows (YouTube video)
- Hotpatching 101: Enable virtualization-based security (VBS) (YouTube video)