
Windows Autopatch Just Turned Hotpatch On By Default — Act Before It Hits Your Estate

Imran Awan
26 June 2026

Starting with the May 2026 Windows security update, Microsoft has switched hotpatch on by default for every eligible device enrolled in Windows Autopatch. This is not a preview. It is not opt-in. If your devices meet the eligibility requirements, they are now receiving hotpatch updates — and if your organisation is not ready for that, you have a narrow window to act before the next Patch Tuesday.

This post covers exactly what hotpatch is, how the update cycle works, which devices qualify, and — critically — how to opt out at the tenant level or per policy group if you need more time to test. There is also a note on Arm64 that every endpoint engineer with a mixed fleet needs to read before assuming all devices are covered.

Action required: If you are running Windows Autopatch and have not yet reviewed your hotpatch configuration, do it today. As of the May 2026 update cycle, eligible devices are patched without a restart by default. Validate your eligibility picture, check your compliance baselines, and confirm whether opt-out is needed before your next maintenance window.

What hotpatch actually is

Hotpatch is a patching mechanism that installs security fixes directly into the running OS — without requiring a device restart. The update is applied to in-memory code, so the change takes effect immediately, while the device keeps running and the user keeps working.

This is materially different from a standard cumulative update. A standard update replaces files on disk, queues a restart, and only becomes effective after the device has rebooted and loaded the new binaries. Hotpatch skips that cycle entirely for supported security patches.

The practical results Microsoft report for organisations using hotpatch at scale:

Why this matters for compliance: Patch compliance rates are often dragged down by devices that miss restart windows — users defer reboots, laptops are closed during update hours, or critical sessions can't be interrupted. Hotpatch eliminates the restart barrier entirely for the months it applies, which is why the compliance velocity improvement is significant.

How the hotpatch update cycle works

Hotpatch does not replace cumulative updates entirely — it operates on a four-month repeating cycle that alternates between baseline months and hotpatch months.

Month type     | What happens                                                                                                          | Restart required? | Months per year
Baseline month | Standard cumulative update is installed; this becomes the new baseline that subsequent hotpatches build on             | Yes               | 4
Hotpatch month | Security fixes are applied on top of the current baseline directly into the running OS; no new baseline, no restart   | No                | 8 (two per quarter)

The result is one restart per quarter instead of one per month for eligible devices. Hotpatch months always patch on top of the most recent baseline, so the security coverage is equivalent — the delivery mechanism is just radically different.

Important: Baseline months still require a restart. Hotpatch does not eliminate restarts — it reduces them to once per quarter. Your patch maintenance windows and restart notification policies still need to be configured correctly for baseline months.

Eligibility — which devices qualify

Hotpatch is not available to every device in your Autopatch estate. All of the following conditions must be met simultaneously. A device that fails any single requirement falls back to the standard cumulative update path and is not affected by the default-on change.

Requirement                             | Detail                                                              | Notes
Windows 11, version 24H2                | Build 26100.2033 or later                                           | Windows 10 and Windows 11 pre-24H2 are not eligible
x64 CPU                                 | AMD64 or Intel 64-bit processor                                     | Arm64 is not supported; see Arm64 note below
Microsoft Intune management             | Device must be managed via Intune                                   | Co-managed devices may have additional considerations
Virtualization-based Security (VBS)     | VBS must be enabled on the device                                   | Devices with VBS disabled will not receive hotpatch
Windows Autopatch quality update policy | Device must be enrolled in a Windows Autopatch quality update policy | The default-on change applies at the policy level

Devices that do not meet all requirements receive the standard cumulative update on the normal schedule. They are unaffected by this change and require no action on your part.

How to check if your devices are receiving hotpatch

1 Check the Autopatch quality update policy in Intune
  1. Go to Intune admin centre > Devices > Windows updates > Quality updates
  2. Open your Windows Autopatch quality update policy
  3. Look for the hotpatch setting — as of May 2026, this defaults to Allow
  4. The policy will indicate whether hotpatch is enabled for devices assigned to it
2 Check device eligibility — Windows Update for Business reports
  1. In the Intune admin centre, go to Reports > Windows updates
  2. Open the Windows Update compliance reports or the Autopatch reports section
  3. Filter for devices running Windows 11 24H2 — these are your hotpatch candidates
  4. Cross-reference against the eligibility table above: x64 CPU, VBS enabled, Intune-managed, enrolled in quality update policy
3 Verify on a single device

On an eligible device after a hotpatch month update, check the Windows Update history. A hotpatch update will be labelled differently from a standard cumulative update — it will show as a hotpatch or security update that did not require a restart. You can also check via PowerShell:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

For a more detailed view of what was applied and whether a restart was required, check the Windows Update log:

Get-WindowsUpdateLog

This outputs a readable log to your desktop. Search for hotpatch to confirm delivery.
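An added pre-flight script (not from the original post and not Microsoft's own tooling) that checks the three locally verifiable rows of the eligibility table, OS build, CPU architecture and VBS, on a single device and lists the most recent installed updates beside the result. It assumes an elevated PowerShell session on the device; Intune enrolment and quality update policy membership are deliberately left to the admin centre checks described above.

```powershell
# Added example: local hotpatch eligibility pre-flight for one device.
# Checks build, x64 CPU and VBS only; Intune enrolment and policy
# membership must be confirmed in the Intune admin centre.

# Minimum build from the eligibility table: 26100.2033 (Windows 11 24H2).
$RequiredBuild = 26100
$RequiredUbr   = 2033

# 1. OS build. CurrentBuild plus UBR gives the full build, e.g. 26100.2033.
$ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild
$ubr   = [int]$ver.UBR
$buildOk = ($build -gt $RequiredBuild) -or
           ($build -eq $RequiredBuild -and $ubr -ge $RequiredUbr)

# 2. CPU architecture. Win32_Processor.Architecture: 9 = x64, 12 = Arm64.
#    $env:PROCESSOR_ARCHITECTURE is avoided on purpose: an x64 PowerShell
#    host emulated on an Arm64 device reports AMD64 and would give a false pass.
$cpuArch = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Architecture
$archOk  = ($cpuArch -eq 9)

# 3. Virtualization-based Security. VirtualizationBasedSecurityStatus:
#    0 = not enabled, 1 = enabled but not running, 2 = running.
$vbsStatus = 0
try {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus
} catch {
    # Namespace missing or query blocked: treat VBS as not running.
    $vbsStatus = 0
}
$vbsOk = ($vbsStatus -eq 2)

# 4. Delivery evidence: most recent installed updates, as in the post's
#    Get-HotFix one-liner, so they can be read alongside eligibility.
$recent = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3

[PSCustomObject]@{
    DisplayVersion  = $ver.DisplayVersion
    Build           = "$build.$ubr"
    BuildOk         = $buildOk
    CpuArchitecture = $cpuArch
    X64Ok           = $archOk
    VbsStatus       = $vbsStatus
    VbsOk           = $vbsOk
    LocallyEligible = ($buildOk -and $archOk -and $vbsOk)
    RecentUpdates   = ($recent | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn))" }) -join ', '
}
```

A device reporting LocallyEligible = True can still be on the standard cumulative path if it is not Intune-managed or not assigned to an Autopatch quality update policy; treat the output as a necessary, not sufficient, check.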

How to opt out — if you are not ready

There are two opt-out levels: tenant-wide and per-policy. Both are available through the Intune admin centre. You do not need to contact Microsoft support to opt out.

Before you opt out: Opting out means eligible devices revert to standard cumulative updates with monthly restarts. This is a legitimate choice if your environment is not yet validated for hotpatch, but it does mean you lose the compliance velocity and bandwidth benefits immediately. Consider piloting with a small ring before blanket opt-out.
A Tenant-level opt-out (blocks hotpatch for all eligible devices across the tenant)
  1. Go to Intune admin centre > Tenant administration > Windows Autopatch
  2. Select Tenant management
  3. Click the Tenant settings tab
  4. Find the setting: "When available, apply updates without restarting the device ('hotpatch')"
  5. Toggle this setting to Block
  6. Save the change — this takes effect at the next policy evaluation cycle

This is a blanket tenant-level block. Every eligible device enrolled in any Windows Autopatch quality update policy will stop receiving hotpatch and revert to standard cumulative updates with monthly restarts.

B Policy-level opt-out (blocks hotpatch for specific device groups only)

If you only want to block hotpatch for specific device groups — for example, a set of kiosk devices, VDI pools, or a test ring — you can override at the individual quality update policy level without affecting the rest of the tenant.

  1. Go to Intune admin centre > Devices > Windows updates > Quality updates
  2. Open the quality update policy assigned to the device group you want to exclude
  3. Edit the policy and locate the hotpatch option
  4. Set it to Block for this policy
  5. Save — devices assigned to this policy will receive standard cumulative updates from the next update cycle

Policy-level override is the recommended approach for most environments. It lets you keep hotpatch enabled for your main fleet while blocking it for groups that need additional validation — for example, devices running line-of-business applications not yet tested against hotpatch delivery.

Arm64 devices — read this before assuming coverage

Arm64 devices are not supported for hotpatch. Microsoft has no current plans to support hotpatch on Arm64 devices that have CHPE (Compiled Hybrid Portable Executable) enabled. If you have Arm64 devices in your fleet — Surface Pro X, Surface Pro 9 5G, Snapdragon-based devices — they will not receive hotpatch updates and will continue on the standard cumulative update schedule. No action is needed for those devices specifically.

The precise caveat from Microsoft: Arm64 devices must disable CHPE to be eligible for hotpatch. CHPE is the mechanism that enables Arm64 devices to run x64 applications with improved performance through binary translation. Disabling it degrades application compatibility and performance on those devices, making it an impractical requirement for most organisations.

What this means in practice: If your fleet is mixed — x64 laptops and Arm64 Surface devices — only the x64 devices will receive hotpatch. Your Arm64 devices will continue to receive standard cumulative updates with monthly restarts. This is transparent to end users and requires no configuration change, but it does mean your hotpatch compliance metrics will only reflect part of your estate.

Should you leave hotpatch on?

For most organisations, the answer is yes — but with a structured pilot first rather than accepting the default blindly across the entire tenant.

The case for keeping hotpatch enabled:

Reasons to pilot before fully committing:

Recommended approach: If you have not already, create a small Windows Autopatch pilot ring with 20–50 eligible x64 Windows 11 24H2 devices. Leave hotpatch enabled for this group through at least one full cycle (one baseline month plus two hotpatch months). Validate compliance rates, application behaviour, and user experience before deciding whether to maintain the default or opt out for specific groups.

Official Microsoft references
