Microsoft Flips Hotpatch to Default for Intune-Managed Windows Devices
Microsoft announced on March 10, 2026, that it will enable hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, starting with the May 2026 Windows security update rollout. Administrators have until May 11, 2026 to review their environments and opt out before deployments begin under the new default behavior.
The change marks a fundamental shift from the current opt-in model to automatic deployment across enterprise environments. Microsoft stated the goal is straightforward: hotpatch updates are the quickest way to keep devices secure, and making them the default removes friction from enterprise patch compliance workflows.
What Is Windows Hotpatch and Why It Matters
Hotpatch technology allows Windows systems to apply critical security updates directly to in-memory code without requiring a system reboot. Under the traditional patching model, IT administrators typically allowed 3 to 5 days for users to restart their devices before forcing compliance — a window that left organizations exposed to active exploits. Microsoft estimates that enabling hotpatch by default will cut the time to reach 90% patch compliance by approximately 50%.
Hotpatch updates are delivered monthly as lightweight patches on top of a quarterly baseline cumulative update. The baseline itself still requires a restart, but the subsequent monthly security patches applied between baselines do not. This means most enterprise devices will require only four reboots per year for security patching instead of the current twelve.
Key Dates and Administrative Timeline
Microsoft has published a clear timeline for the rollout:
- April 1, 2026 — Tenant-level controls become available in Microsoft Intune, allowing organizations to opt out of the new default at the tenant or policy level before the change takes effect.
- May 11, 2026 — Hotpatch updates will begin deploying automatically under the new default for all eligible Intune-managed devices. This is the deadline for organizations that need to opt out.
Administrators who need more time can disable hotpatch at the tenant level by navigating to Microsoft Intune → Tenant administration → Windows Autopatch → Tenant management → Tenant settings, and toggling the hotpatch setting to Block. Individual quality update policies assigned to specific device groups will override the tenant-level default.
Device Requirements and Eligibility
The default change applies only to devices that meet a specific set of prerequisites. Not all Windows devices will receive hotpatch automatically. To be eligible, devices must:
- Run Windows 11 Enterprise version 24H2 or later (build 26100.4929 or later)
- Be enrolled in Microsoft Intune with a Windows quality update policy and Windows Autopatch
- Have Virtualization-Based Security (VBS) enabled — a hard requirement for hotpatch functionality
- Hold an eligible license: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise
- Be on the latest quarterly baseline cumulative update before hotpatch applies
ARM64 devices require an additional one-time configuration step to disable CHPE (Compiled Hybrid Portable Executable) binaries before hotpatch can be applied. ARM64 support remains in preview for certain scenarios and may affect performance on those devices.
What IT Administrators Need to Do Before May 11
Organizations that are not yet ready for hotpatch should prepare before the tenant-level opt-out controls arrive on April 1, and verify the following before accepting the new default:
- Confirm all target devices are running Windows 11 version 24H2 or later and have the current quarterly baseline installed.
- Verify that Virtualization-Based Security is enabled across the device fleet — VBS can be blocked by incompatible drivers or older antimalware stacks.
- Validate licensing to ensure devices hold the required enterprise or education SKUs.
- Test application compatibility with hotpatch on a pilot group before broad deployment, especially for environments with custom drivers or legacy software.
- Review existing quality update policies in Intune, as policy-level hotpatch settings override tenant-level defaults.
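The device-side prerequisites above (24H2 build 26100.4929 or later, an Enterprise or Education edition, VBS actually running, and the ARM64 CHPE caveat) can be verified locally before a pilot group is enrolled. The following read-only script is an added example, not Microsoft's or the article's own tooling; it reads the build and edition from the CurrentVersion registry key and the VBS state from the Win32_DeviceGuard CIM class, and it does not check licensing, Intune enrollment or the quarterly-baseline state, which live on the tenant side.

```powershell
# Added example: local hotpatch-prerequisite check for one Windows 11 device.
# Assumes PowerShell 5.1 or 7 on Windows; no changes are made to the system.

# Build threshold as quoted in the article (Windows 11 24H2, 26100.4929 or later).
$MinBuild = [version]'10.0.26100.4929'

# Build number and UBR (the ".4929" part) live in the CurrentVersion key.
$cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osVersion = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)

# Win32_DeviceGuard.VirtualizationBasedSecurityStatus:
#   0 = VBS not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Coarse edition check; license entitlement (E3/E5, A3/A5, ...) is not visible here.
$editionOk = ($cv.EditionID -match 'Enterprise|Education')

$checks = [ordered]@{
    "OS build >= $MinBuild (found $osVersion, $($cv.DisplayVersion))" = ($osVersion -ge $MinBuild)
    "Enterprise/Education edition (found $($cv.EditionID))"          = $editionOk
    'Virtualization-Based Security running'                          = $vbsRunning
}

$report = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
}
$report | Format-Table -AutoSize

# ARM64 is not a hard failure, but the one-time CHPE step must be done first.
if ($env:PROCESSOR_ARCHITECTURE -eq 'ARM64') {
    Write-Warning 'ARM64 device: disable CHPE binaries before hotpatch can be applied.'
}
if (-not $vbsRunning) {
    Write-Warning ("VBS status is {0}; look for incompatible drivers or an older " +
                   "antimalware stack before enabling it.") -f $dg.VirtualizationBasedSecurityStatus
}

$eligible = (@($report | Where-Object { -not $_.Pass }).Count -eq 0)
"Device-side hotpatch prerequisites met: $eligible"
```

Run it on each pilot device (or push it as a detection script) and treat any failing row as a blocker to fix before the May 11 default takes effect.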
Organizations that are ready and choose to proceed will benefit from faster compliance, fewer user interruptions, and reduced operational overhead from emergency reboots. Microsoft's published data suggests the 50% improvement in time-to-compliance applies specifically to the window between when a patch is released and when 90% of devices are fully compliant.
Consumer and Unmanaged Devices Are Not Affected
This change is scoped exclusively to enterprise-managed environments. Consumer PCs running Windows 11 Home or Pro, unmanaged business devices, and systems not enrolled in Intune or Windows Autopatch will continue to follow the traditional restart-based update workflow. Microsoft has not announced a timeline for extending hotpatch defaults to consumer editions of Windows 11.