Microsoft is enabling Windows hotpatch updates by default

Microsoft has announced that, starting with the May 2026 Windows security update, Windows Autopatch will enable hotpatch security updates by default. The company says that this provides the quickest route to security.

The change is coming to all eligible Microsoft Intune devices, having previously been opt-in. The company also says that there are more IT controls coming in April.

This change does not affect most Windows users, only devices managed by organizations. In a post to the Windows IT Pro Blog, Microsoft explains:

Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.

The company goes on to say:

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.

What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren’t members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.

But just because hotpatch updates are going to be enabled by default, it does not mean that they have to stay enabled. As such, Microsoft provides instructions for anyone who wants to opt out:

How to opt out of hotpatch updates across your tenant

Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:

  1. Open Microsoft Intune.
  2. Navigate to Tenant administration > Windows Autopatch > Tenant management.
  3. Select the Tenant settings tab.
  4. Toggle the “When available, apply updates without restarting the device (“hotpatch”)” setting to either Allow or Block.

Providing further instructions, the company says:

How to opt out of hotpatch updates for groups of devices

Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:

  1. Open Microsoft Intune.
  2. Navigate to Devices > Manage updates > Windows updates.
  3. Select the Quality updates tab.
  4. Select Create.
  5. Select Windows quality update policy from the drop-down menu.
  6. Fill out the title and details on the Basics tab and select Next.
  7. In the Settings step, toggle the “When available, apply without restarting the device (“hotpatch”)” setting to either Allow or Block, then select Next.
  8. Apply any scope tags, then select Next.
  9. Assign your desired Microsoft Entra groups, then select Next.
  10. Select Create.

You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you’re ready for hotpatch updates by default, just toggle “When available, apply without restarting the device (“hotpatch”)” back to Allow.
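Because the tenant-level default only reaches devices that are not in a quality update policy, an administrator planning for the change needs to know which policies already set hotpatching explicitly and which groups they cover. The following PowerShell script is an added example, not code from Microsoft's post; it assumes the Microsoft Graph PowerShell SDK is installed and that the beta endpoint `deviceManagement/windowsQualityUpdatePolicies` exposes a `hotpatchEnabled` property (verify both against the current Graph documentation).

```powershell
# Added example (not from Microsoft's post): list every Windows quality update
# policy in the tenant, its explicit hotpatch setting, and the groups it targets.
# Devices outside all of these policies will inherit the tenant-level default.
# ASSUMPTIONS to verify against the Graph docs: the beta resource
# deviceManagement/windowsQualityUpdatePolicies and its hotpatchEnabled property.
Import-Module Microsoft.Graph.Authentication

# A read-only scope is sufficient for this review.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies?$expand=assignments'
$policies = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policies += $page.value
    $uri = $page.'@odata.nextLink'   # keep following pages until none remain
} while ($uri)

if (-not $policies) {
    Write-Warning 'No quality update policies found: every eligible device will follow the tenant-level hotpatch default.'
}

foreach ($p in $policies) {
    # Policies with no assignment do not override the tenant default for anyone.
    $groups = ($p.assignments | ForEach-Object { $_.target.groupId }) -join ', '
    if (-not $groups) { $groups = '(no assignments: policy has no effect)' }
    $hotpatch = if ($p.hotpatchEnabled) { 'Allow' } else { 'Block' }
    [pscustomobject]@{
        Policy         = $p.displayName
        Hotpatch       = $hotpatch
        AssignedGroups = $groups
    }
}
```

Any device that is not a member of one of the listed groups is the one whose behaviour changes with the new default, so those are the devices to check first.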

Read the full details in Microsoft’s Windows IT Pro Blog post.