Microsoft Enables Windows Hotpatch Security Updates by Default for Enhanced Security and Reliability
Microsoft to Roll Out Hotpatch Security Updates by Default for Windows Devices
In an effort to expedite the deployment of security patches, Microsoft has announced plans to enable hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API. This change is set to take effect with the May 2026 Windows security update.
Hotpatch Updates and Windows Autopatch
Hotpatch updates, which allow for the application of security fixes without requiring a system restart, will be delivered through Windows Autopatch, Microsoft’s enterprise service designed to keep Windows and Microsoft 365 software up to date. According to Microsoft, this shift in default behavior is expected to significantly reduce the time it takes for organizations to achieve 90% patch compliance, with estimates suggesting that the timeframe will be cut in half.
Previous Update Model and Vulnerability
Under the previous update model, IT administrators typically allowed a 3- to 5-day window for users to restart their devices before enforcing compliance, leaving organizations vulnerable to attacks during this period. By enabling hotpatch updates by default, Microsoft aims to minimize this exposure.
Transition and Controls
To ensure a smooth transition, organizations can use the Hotpatch quality updates report in Intune to verify whether devices have installed the necessary April 2026 baseline update and meet the prerequisites for receiving hotpatch updates in May. Those that are not ready can opt out at the tenant level using the controls in Microsoft Intune, which will become available on April 1, 2026.
Windows Autopatch Milestone
The rollout of hotpatch updates by default marks a significant milestone for Windows Autopatch, which was first announced in April 2022 and reached general availability for customers with Windows Enterprise E3 and E5 licenses in July 2022. Today, Windows Autopatch is running on over 10 million production devices, applying security fixes in real time and eliminating the need for a system restart.
