Skip to main content
🦉
Message CenterMicrosoft 365 Updates
HomePermissionsTenant FinderPortfolio
🦉
M365 Message Centerby Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.

Quick Links

HomePermissionsTenant FinderPortfolio

Connect

© 2026 M365 Message Center. Created with ❤ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft

  1. Home
  2. /
  3. MC1248388

Plan for Change: Windows Autopatch is enabling hotpatch updates by default

Plan for Change

Message ID

MC1248388
View in Admin Center

Services

Microsoft Intune

Summary

Starting May 2026, Windows Autopatch will enable hotpatch security updates by default for eligible Intune devices, speeding up security without restarts. An opt-out setting will be available from April 2026. Devices must meet prerequisites like enabling Virtualization-based Security to receive hotpatches.

Details

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Intune devices. Additional controls are expected in April. 

When this will happen:

  • Devices will start receiving hotpatch updates by default with the May 2026 Windows security update.
  • A tenant setting to opt out of hotpatch updates is expected to be available on April 1, 2026, or soon after.

 How this will affect your organization:

Devices that meet hotpatch prerequisites will get secure faster because full Windows security updates are applied without waiting for a restart. Devices are secured as soon as the update is installed. You do not need to wait for devices to restart, saving on average three to five days.

Devices will restart during baseline months, which are January, April, July, and October.

What you need to do to prepare:

If you already use Windows Autopatch, no action is needed to get hotpatch updates enabled by default. We recommend keeping hotpatch updates enabled for your devices.

To maximize the number of devices receiving hotpatch updates, ensure they meet the prerequisites. Most commonly, this means enabling Virtualization-based Security (VBS) for x86 devices.

If you’re not ready for this change, you can opt out groups of devices using Quality Update policies or the whole tenant.

Additional information:

Read the announcement in Securing devices faster with hotpatch updates on by default.

Learn more about hotpatch updates with the following resources:

  • Hotpatch updates
  • Hotpatch for Windows client now available
  • Hotpatching now available for 64-bit Arm architecture
  • Hotpatch for client: Frequently asked questions
  • Transforming security and compliance at Microsoft
  • Hotpatch efficiency unlocked: Smaller update size
  • YouTube: Inside hotpatch updates for Windows
  • YouTube: Hotpatching 101: Enable virtualization-based security (VBS)

Timeline

Published
Mar 10, 2026
Message published to Message Center
Updated
Mar 10, 2026
Message content updated
End Date
Jun 6, 2026
Message timeline ends

Tags

#Admin impact

Category

Plan for Change

Related Messages

Similar updates

MC1230448

Plan for Change: Improving Intune reporting accuracy

Feb 10, 2026
MC1221927â—Ź

Microsoft Defender for Android ending support for enrolled personal profiles

Jan 23, 2026
MC1220751

Reminder: "Require approved client app" control in Microsoft Entra Conditional Access will be retired in June 2026

Jan 22, 2026
MC1247878

Microsoft Intune In Development for March 2026 is now available

Mar 9, 2026
MC1242766

What’s new in the Microsoft Intune service update for February 2026

Mar 2, 2026