Microsoft Enables Windows Hotpatch Updates by Default in May
Windows Autopatch will deliver rebootless security updates automatically for eligible devices starting May 2026. IT admins can opt out beginning April 1.
Microsoft announced it will flip the switch on hotpatch security updates by default for all eligible Windows devices managed through Intune and Microsoft Graph API. The change takes effect with the May 2026 security update cycle, giving organizations roughly two months to decide whether to opt out.
Hotpatching applies security fixes directly to running processes in memory without requiring a restart. The technology previously existed in Windows Autopatch but required administrators to manually enable it. Now Microsoft is reversing that default—hotpatch will be on unless you explicitly turn it off.
What's Changing
Starting May 11, 2026, eligible Windows 11 devices enrolled in Autopatch will receive hotpatch updates instead of traditional cumulative updates during non-baseline months. The practical impact: instead of 12 mandatory reboots per year for security updates, most organizations will need only four.
Microsoft structures the hotpatch calendar around quarterly baselines. January, April, July, and October deliver standard cumulative updates requiring restarts. The two months following each baseline get hotpatch-only releases that install without interrupting user work.
According to Microsoft's announcement on the Windows IT Pro Blog, organizations already using hotpatch have achieved 90% patch compliance in half the previous time without any policy changes. Real-world deployments showed patching windows shrinking from 6-27 days down to 3-14 days across enterprise environments with 30,000 to 70,000 devices.
This follows Microsoft's pattern of enabling security features by default across its product portfolio rather than leaving protection as an opt-in configuration.
Who's Affected
The automatic enablement applies only to devices meeting specific prerequisites:
- Windows 11 version 24H2 or later (Enterprise, Education, or Microsoft 365 editions)
- Virtualization-Based Security (VBS) enabled
- Device enrolled in Microsoft Intune or managed via Microsoft Graph API
- April 2026 baseline update already installed
Consumer Windows installations and unmanaged devices won't see any change. Organizations still running quality update policies with custom hotpatch configurations also won't be affected—existing policies override the new default.
Microsoft reports over 10 million production devices already use hotpatch successfully, providing confidence the technology works at scale.
How to Opt Out
Administrators who want to maintain control over restart timing have until May 11 to disable the default. Opt-out controls become available April 1, 2026.
Tenant-level opt-out: Navigate to Microsoft Intune → Tenant administration → Windows Autopatch → Tenant management → Tenant settings. Toggle "When available, apply updates without restarting" to Block.
Group-level opt-out: Create quality update policies assigning specific Microsoft Entra groups with the hotpatch setting disabled. This approach lets organizations disable hotpatch for certain device types while keeping it enabled elsewhere.
According to Microsoft Learn documentation, quality update policies always override tenant-level defaults, giving administrators granular control over which devices receive hotpatches.
Why This Matters
The gap between vulnerability disclosure and exploitation continues shrinking. Attackers frequently weaponize newly disclosed flaws within days—sometimes hours—of public disclosure. Every day a system remains unpatched represents exposure to active threats.
Traditional update mechanics create friction that delays patching. Users postpone restarts to avoid losing work. IT teams schedule maintenance windows around business operations. These delays accumulate into weeks of unnecessary exposure.
Hotpatching removes the restart barrier entirely for most security fixes. When a patch requires no reboot, there's no reason to defer it. The fix applies immediately, and users continue working without interruption.
The approach isn't without tradeoffs. Some patches genuinely require restarts to fully take effect—kernel updates and certain driver changes can't be hotpatched. That's why Microsoft maintains the quarterly baseline schedule with mandatory restarts. But reducing those restart requirements from monthly to quarterly dramatically improves both security posture and user experience.
Organizations that have experienced patching complications may appreciate that hotpatch updates carry lower risk than full cumulative updates. Since hotpatches contain only security fixes rather than feature changes or non-security improvements, there's less potential for unexpected behavior.
Technical Requirements
For devices to qualify for hotpatch updates:
- Correct Windows build: Windows 11 version 24H2 or later with appropriate licensing (Enterprise E3/E5, Education A3/A5, Microsoft 365 F3, Microsoft 365 Business Premium, or Windows 365 Enterprise)
- VBS enabled: Virtualization-Based Security must be turned on. This is a hard requirement—the hotpatch installer relies on VBS functionality.
- Current baseline: Devices must be running the latest quarterly baseline update before they become eligible for hotpatches.
- Intune enrollment: The device must be managed through Microsoft Intune or accessible via Microsoft Graph API.
Devices not meeting all prerequisites continue receiving standard monthly cumulative updates with restart requirements.
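A quick way to see which of the prerequisites above a device satisfies, and which month type the current update cycle falls into, is a local PowerShell check. The script below is an added example, not code from the article or from Microsoft. It reads the OS build and edition from Win32_OperatingSystem, VBS state from the Win32_DeviceGuard class, and MDM enrollment from the Enrollments registry key. The thresholds are assumptions: build 26100 is treated as the first Windows 11 24H2 build, a VirtualizationBasedSecurityStatus of 2 is treated as "enabled and running", and an enrollment whose ProviderID is "MS DM Server" is treated as an Intune enrollment. The "baseline installed" prerequisite is not checked, because the article does not give the KB number of the April 2026 baseline.

```powershell
# Added example (not from the article or from Microsoft): report hotpatch
# prerequisites on the local device. Run in an elevated PowerShell session.
$MinBuild         = 26100                     # assumption: first Windows 11 24H2 build
$EligibleEditions = 'Enterprise', 'Education' # assumption: edition text in the OS caption
$IntuneProviderId = 'MS DM Server'            # assumption: ProviderID used by Intune enrollments

function Get-HotpatchMonthType {
    param([int]$Month = (Get-Date).Month)
    # Baseline months (Jan, Apr, Jul, Oct) ship cumulative updates that need a restart;
    # the two months after each baseline ship hotpatch-only releases.
    if ($Month -in 1, 4, 7, 10) { 'Baseline (restart required)' } else { 'Hotpatch (no restart)' }
}

function Test-HotpatchPrerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Any enrollment under HKLM\SOFTWARE\Microsoft\Enrollments whose ProviderID matches
    # the assumed Intune provider string counts as "managed through Intune".
    $intune = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq $IntuneProviderId }

    $build = [int]$os.BuildNumber
    $editionOk = [bool]($EligibleEditions | Where-Object { $os.Caption -like "*$_*" })

    # One row per prerequisite, with the raw value so an admin can see why a check failed.
    [pscustomobject]@{ Check = 'Windows 11 24H2 or later'; Pass = ($build -ge $MinBuild);
                       Detail = "$($cv.DisplayVersion) build $build" }
    [pscustomobject]@{ Check = 'Eligible edition';          Pass = $editionOk;
                       Detail = $os.Caption }
    [pscustomobject]@{ Check = 'VBS enabled and running';   Pass = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2);
                       Detail = "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)" }
    [pscustomobject]@{ Check = 'Intune (MDM) enrollment';   Pass = [bool]$intune;
                       Detail = "$(@($intune).Count) matching enrollment(s)" }
}

$results = Test-HotpatchPrerequisites
$results | Format-Table -AutoSize
"Current cycle: $(Get-HotpatchMonthType)"
if ($results.Pass -contains $false) {
    'Device does NOT meet all hotpatch prerequisites (baseline-installed check not performed).'
} else {
    'Device meets the checked hotpatch prerequisites (verify the current baseline is installed).'
}
```

Licensing (E3/E5, A3/A5, Microsoft 365 F3, and so on) is a tenant property rather than something the OS caption exposes, so the edition row only confirms the installed SKU; confirm the subscription separately in the Microsoft 365 admin center.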
The Bigger Picture
Microsoft's decision to make hotpatch the default reflects a broader industry shift toward "secure by default" configurations. Rather than expecting every administrator to discover and enable protective features, vendors are increasingly shipping products with security controls already active.
For security teams tracking enterprise exposure, this change should meaningfully reduce the window between patch availability and deployment. Whether that translates into fewer successful exploits depends on how quickly the May 2026 rollout reaches production systems—and how many organizations decide to opt out.
Administrators should review their Autopatch configurations before April 1 to understand current policies and decide whether the default change aligns with their patching strategy.