Starting May 2026, Windows Autopatch will enable hotpatch security updates by default for eligible Intune devices, speeding up security without restarts. An opt-out setting will be available from April 2026. Devices must meet prerequisites like enabling Virtualization-based Security to receive hotpatches.
Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to secure devices. This change in default behavior will impact all eligible Intune devices. Additional controls are expected in April.
When this will happen:
How this will affect your organization:
Devices that meet hotpatch prerequisites will be secured faster because full Windows security updates are applied without waiting for a restart. Devices are secured as soon as the update is installed, which saves on average three to five days compared with waiting for devices to restart.
Devices will restart during baseline months, which are January, April, July, and October.
What you need to do to prepare:
If you already use Windows Autopatch, no action is needed to get hotpatch updates enabled by default. We recommend keeping hotpatch updates enabled for your devices.
To maximize the number of devices receiving hotpatch updates, ensure they meet the prerequisites. Most commonly, this means enabling Virtualization-based Security (VBS) for x86 devices.
If you’re not ready for this change, you can opt out groups of devices using Quality Update policies, or opt out the whole tenant.
Additional information:
Read the announcement in "Securing devices faster with hotpatch updates on by default".
Learn more about hotpatch updates with the following resources: