Windows Autopatch Is Enabling Hotpatch by Default in May 2026: What IT Admins Need to Do Now

Endpoint Management · March 2026
Windows Autopatch: Hotpatch Now Default
Security updates without restarts — what changes on May 11

TL;DR

  • What changed: Starting with the May 2026 security update, hotpatch is enabled by default in Windows Autopatch for all eligible devices managed by Intune.
  • What hotpatch does: Security updates that install and take effect without a device restart. Microsoft's estimate is that this sharply reduces the time to reach 90% patch compliance: the fix is active as soon as the update installs, instead of waiting the 3–5 days it typically takes for devices to restart.
  • What you need to do: Check device eligibility (Windows 11 24H2, VBS enabled, April baseline installed). Decide whether to let the default run, limit it to specific groups, or opt out at the tenant level.
  • Key dates: April 1 — opt-out toggle becomes available in Intune. May 11 — hotpatch deployments begin for eligible devices.
  • Existing configs are safe: Update rings, deferrals, and existing quality update policies are not changed. The new default only applies to devices with no quality update policy assigned.

The annual update cycle with hotpatch

  • January: baseline (restart required)
  • February: hotpatch (no restart)
  • March: hotpatch (no restart)
  • April: baseline (restart required)
  • May: hotpatch (no restart) ← new default from May 2026
  • June: hotpatch (no restart)
  • July: baseline (restart required)
  • August: hotpatch (no restart)

4 baseline months per year (January, April, July, October: restart required), 8 hotpatch months (no restart). The pattern repeats every quarter: one baseline update, then two hotpatch updates.

Key Dates: What Happens and When

Mar 10 2026: Microsoft announcement. Microsoft publishes the change in the Windows IT Pro Blog: hotpatch becomes the default for eligible devices in Windows Autopatch starting May 2026.
Apr 1 2026: Opt-out toggle becomes available in Intune. The tenant-level control appears under Intune → Tenant administration → Windows Autopatch → Tenant management → Tenant settings. Before this date, the control does not exist.
April 2026: April baseline (restart required). April is a baseline month. Devices that install the April security update are eligible to receive hotpatch in May. This is the last restart-required update before the new default kicks in.
May 11 2026: Hotpatch deployments begin; deadline for opt-out. Eligible devices without an explicit exclusion start receiving security updates via hotpatch, automatically and without a restart. If you want to opt out, this is your deadline.

Eligibility requirements

Operating System: Windows 11 24H2 or later
Windows 11 Enterprise or Education, version 24H2 minimum. Windows 10 and earlier Windows 11 versions are not eligible.

Licensing: eligible licence
Windows 11 Enterprise E3, E5, or equivalent. Verify eligibility for your specific licence tier in the Intune portal; availability may vary.

Security (most commonly missing): VBS enabled
VBS (Virtualization-Based Security) must be enabled and running on the device. Configure it via the VirtualizationBasedTechnology CSP in Intune. Devices without it show "Hotpatch – VBS not running" in the Autopatch report.

Management: managed by Intune or Graph API
The device must be enrolled in Windows Autopatch through Microsoft Intune or via the Windows updates API in Microsoft Graph.

Baseline: April 2026 update installed
The device needs the April baseline installed (restart required) before it can receive hotpatch in May. Devices missing the baseline get the baseline first.

Architecture (Arm64 edge case): additional step required
Arm64 devices require CHPE (the compiled-hybrid-PE layer used for x86 app compatibility) to be disabled via the registry before they are eligible for hotpatch. If you have Arm64 devices that run 32-bit x86 apps, exclude them from hotpatch policies, because disabling CHPE can affect x86 compatibility.
💡 How to check device readiness Use the Hotpatch quality updates report in Intune: Devices → Monitor → Windows quality updates → Hotpatch quality updates report. It shows which devices are eligible, which have VBS enabled, and which are missing the April baseline. Microsoft is adding a dedicated "Hotpatch enabled" column to make the status visible per device. Run this report before the deployment begins.
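The Intune report is the authoritative view, but when a single device shows up as ineligible it helps to confirm the prerequisites locally. The script below is an added example written for this article, not Microsoft tooling; it mirrors the eligibility list above. Assumptions: Windows 11 24H2 is build 26100, the SKU is read from the OS caption, Intune enrollment is inferred from the Enrollments registry key (a heuristic), and the April baseline KB number is not known at time of writing, so it is passed in as the hypothetical parameter -BaselineKB. Run it in an elevated PowerShell on the endpoint.

```powershell
# Added example: local hotpatch readiness check (illustrative, not a Microsoft tool).
function Test-HotpatchReadiness {
    [CmdletBinding()]
    param(
        # KB ID of the April 2026 baseline once published, e.g. 'KB5012345' (placeholder value).
        [string]$BaselineKB
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # Only 2 satisfies the prerequisite; 1 is what the Autopatch report labels "VBS not running".
    $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus
    $vbsText   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }[$vbsStatus]

    # Heuristic: Intune enrollments register under this key with ProviderID 'MS DM Server'.
    $mdmEnrolled = $false
    $enrollKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path $enrollKey) {
        $providers = Get-ChildItem $enrollKey | ForEach-Object {
            (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID
        }
        $mdmEnrolled = @($providers | Where-Object { $_ -eq 'MS DM Server' }).Count -gt 0
    }

    $checks = [ordered]@{
        'OS build 26100+ (Windows 11 24H2)' = ([int]$os.BuildNumber -ge 26100)
        'Enterprise or Education SKU'       = ($os.Caption -match 'Enterprise|Education')
        'VBS running'                       = ($vbsStatus -eq 2)
        'Intune (MDM) enrolled'             = $mdmEnrolled
    }
    if ($BaselineKB) {
        # Get-HotFix lists installed updates by KB ID; absent means the baseline is still pending.
        $checks["April baseline $BaselineKB installed"] =
            [bool](Get-HotFix -Id $BaselineKB -ErrorAction SilentlyContinue)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Result = $checks[$name] }
    }
    [pscustomobject]@{ Check = 'VBS status detail'; Result = $vbsText }

    # Arm64 needs CHPE disabled first; flag it for manual handling rather than changing anything here.
    if ($cs.SystemType -like 'ARM64*') {
        [pscustomobject]@{ Check = 'Arm64: CHPE must be disabled before hotpatch'; Result = 'REVIEW' }
    }

    [pscustomobject]@{
        Check  = 'All listed checks pass'
        Result = (-not ($checks.Values -contains $false))
    }
}

Test-HotpatchReadiness | Format-Table -AutoSize
```

A device that passes every check locally but still shows as ineligible in the report usually has not yet reported its state to Intune, or belongs to a ring whose policy blocks hotpatch; check the policy side before opening a support case.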

What to Do Before May 11

  • Run the Hotpatch quality updates report in Intune: Devices → Monitor → Windows quality updates → Hotpatch quality updates report. Understand which devices are eligible, which have VBS enabled, and which still need the April baseline.
  • Check VBS status across eligible devices: VBS is the prerequisite I see missing most often. Devices without it won't receive hotpatch; they fall back to the standard LCU, the full cumulative update with a restart. If a large number of devices are affected, consider enabling VBS via CSP now. It is also a security baseline control worth having regardless of hotpatch.
  • Identify devices without a quality update policy assigned: the new default applies only to them. Find them, and decide whether to add them to an existing ring or let the default cover them.
  • Validate critical applications with their vendors: hotpatch applies fixes to the in-memory code of running processes instead of replacing binaries and restarting, so software with kernel-mode drivers or other low-level components may behave differently. If you have business-critical software with kernel dependencies, confirm vendor support for hotpatch on Windows 11 24H2 before May.
  • Confirm your rollback process: Autopatch supports pausing and rolling back updates. Before enabling hotpatch at scale, make sure you know how to pause a rollout, remove a specific hotpatch update, and escalate to Microsoft Support if needed. Have the playbook ready before the first deployment.
  • Make a conscious decision (enable, limit to groups, or opt out): from April 1 you have three options: let the default run, configure hotpatch per group via quality update policies, or opt out at the tenant level. Don't let this decision happen by default without a deliberate choice.

Tenant-level opt-out (available from April 1)

Intune — Tenant-level opt-out
1. Open the Microsoft Intune admin center
2. Navigate to:
   Tenant administration → Windows Autopatch → Tenant management
3. Select the Tenant settings tab
4. Find the toggle:
   "When available, apply updates without restarting the device (hotpatch)"
5. Set it to Block to opt out for the entire tenant
   Set it to Allow to keep hotpatch enabled (the default)

Per-group opt-out via quality update policy

Intune — Policy-level opt-out
1. Navigate to:
   Devices → Manage updates → Windows updates → Quality updates
2. Create or edit a Windows quality update policy
3. In Settings, configure:
   "When available, apply without restarting the device (hotpatch)" → Block
4. Assign the policy to the relevant Entra ID group
5. Policy-level settings take precedence over the tenant default
   → You can have hotpatch enabled for some groups and blocked for others
⚠️ Arm64 devices If you have Arm64 devices with 32-bit x86 apps, exclude them from hotpatch policies. Disabling CHPE — required for hotpatch on Arm64 — can affect x86 app compatibility.
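Because policy settings override the tenant default, the question "which devices will actually get hotpatch on May 11?" comes down to group membership. The script below is an added example written for this article (not Microsoft's code) that resolves the effective state per device from the tenant toggle plus the assigned quality update policies, and flags devices matched by two policies that disagree instead of guessing. Assumptions: the Graph beta endpoint `/deviceManagement/windowsQualityUpdatePolicies` with a `hotpatchEnabled` property and `assignments` targets (verify against the current Graph reference before relying on it); the function names `Resolve-HotpatchState` and `Get-HotpatchPolicyAssignments` are this example's own; the sample policies and devices at the bottom are constructed.

```powershell
# Added example: effective hotpatch state per device from tenant default + group policies.

function Resolve-HotpatchState {
    param(
        [Parameter(Mandatory)][bool]$TenantDefaultAllow,
        # Policy name -> @{ Hotpatch = [bool]; Groups = [string[]] of assigned group IDs }
        [Parameter(Mandatory)][hashtable]$Policies,
        # Device name -> [string[]] of group IDs the device belongs to
        [Parameter(Mandatory)][hashtable]$DeviceGroups
    )
    foreach ($device in $DeviceGroups.Keys) {
        $memberOf = @($DeviceGroups[$device])
        # Every policy whose assignment targets at least one of the device's groups applies.
        $matching = @($Policies.GetEnumerator() | Where-Object {
            $targets = @($_.Value.Groups)
            @($targets | Where-Object { $memberOf -contains $_ }).Count -gt 0
        })

        if ($matching.Count -eq 0) {
            # No quality update policy assigned: this is exactly the population the new default covers.
            $hotpatch = $TenantDefaultAllow
            $source   = 'tenant default (no policy assigned)'
        } else {
            $names  = ($matching | ForEach-Object { $_.Key }) -join ', '
            $values = @($matching | ForEach-Object { [bool]$_.Value.Hotpatch } | Sort-Object -Unique)
            if ($values.Count -eq 1) {
                $hotpatch = $values[0]          # policy wins over the tenant default
                $source   = "policy: $names"
            } else {
                $hotpatch = $null                # overlapping policies disagree; do not guess
                $source   = "CONFLICT between $names; review assignments"
            }
        }

        $label = if ($null -eq $hotpatch) { 'UNRESOLVED' } elseif ($hotpatch) { 'Allow' } else { 'Block' }
        [pscustomobject]@{ Device = $device; Hotpatch = $label; Source = $source }
    }
}

function Get-HotpatchPolicyAssignments {
    # Live data path. Requires: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
    # Assumed endpoint and property names; verify against the Graph beta reference.
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies?$expand=assignments'
    $policies = @{}
    while ($uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($p in $resp.value) {
            # Only include-type targets count as assignments; exclusion targets remove groups.
            $groups = @($p.assignments |
                Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } |
                ForEach-Object { $_.target.groupId })
            $policies[$p.displayName] = @{ Hotpatch = [bool]$p.hotpatchEnabled; Groups = $groups }
        }
        $uri = $resp.'@odata.nextLink'   # follow paging until exhausted
    }
    return $policies
}

# Constructed sample data (group IDs and device names are made up for the example).
$samplePolicies = @{
    'Ring-Pilot'       = @{ Hotpatch = $true;  Groups = @('grp-pilot') }
    'Ring-Kernel-Apps' = @{ Hotpatch = $false; Groups = @('grp-kernel-apps') }
}
$sampleDevices = @{
    'LAPTOP-01'     = @('grp-pilot')                     # covered by an allow policy
    'WKS-02'        = @('grp-kernel-apps')               # covered by a block policy
    'UNASSIGNED-03' = @('grp-all-users')                 # no policy: tenant default applies
    'OVERLAP-04'    = @('grp-pilot', 'grp-kernel-apps')  # two policies disagree
}

Resolve-HotpatchState -TenantDefaultAllow $true -Policies $samplePolicies -DeviceGroups $sampleDevices |
    Format-Table -AutoSize

# With real data: replace $samplePolicies by (Get-HotpatchPolicyAssignments) and build
# $DeviceGroups from Get-MgDeviceMemberOf or Get-MgGroupMember for the devices in scope.
```

Run the resolver with the tenant toggle set to $false as well: the devices whose state changes between the two runs are exactly the ones with no policy assigned, which is the list the third checklist item above asks you to produce.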
🔍 Not sure where your environment stands? In many cases, the readiness report will already make the next step clear. If you're dealing with exceptions, mixed policy coverage, or devices that don't fit neatly into the standard model, that's where a more detailed review can help. If that would be useful in your environment, feel free to reach out.