Microsoft to enable Windows hotpatch security updates by default

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatch-security-updates-by-default-in-may/

ONE SENTENCE SUMMARY:

Microsoft will enable Windows hotpatch updates by default via Autopatch from May 2026, accelerating Intune-managed device compliance while allowing opt-out controls.

MAIN POINTS:

  1. Hotpatch security updates become default for eligible Intune and Microsoft Graph-managed devices in May 2026.
  2. Delivery will occur through Windows Autopatch for Windows and Microsoft 365 enterprise update management.
  3. Prior restart grace periods of 3–5 days left organizations exposed before forced compliance.
  4. Microsoft expects the time needed to reach 90% patch compliance to be reduced by roughly half.
  5. Default hotpatching affects all eligible devices, with additional IT controls arriving in April 2026.
  6. Tenant-level settings can disable hotpatching or selectively enable it per-device.
  7. Admins can verify readiness using Intune’s Hotpatch quality updates report.
  8. April 2026 acts as the baseline update required for May hotpatch eligibility.
  9. Opt-out controls go live on April 1, 2026, within Intune Tenant administration settings.
  10. Administrators have until May 11, 2026 before hotpatch updates begin deploying.

TAKEAWAYS:

  1. Faster patching reduces exposure windows created by delayed user restarts.
  2. Testing readiness in April is critical to avoid unexpected May rollout issues.
  3. Centralized tenant toggles provide governance while still supporting targeted exceptions.
  4. Autopatch’s scale and maturity suggest operational viability for large enterprise fleets.
  5. Planning should include change management for restart-less updates and updated compliance reporting.