
Microsoft to Enable Hotpatch Security Updates by Default, Accelerating Enterprise Patch Compliance


Microsoft has announced a significant shift in its enterprise update strategy, declaring that hotpatch security updates will be enabled by default for eligible Windows devices managed via Microsoft Intune and the Microsoft Graph API. This change is scheduled to commence with the May 2026 Windows security update. Hotpatching allows security updates to be applied to a running system without requiring a disruptive reboot, a long-standing pain point for IT administrators and end-users alike. The updates will be delivered through Windows Autopatch, Microsoft's enterprise service designed to automatically maintain the currency of Windows and Microsoft 365 software.

The move is a direct response to the critical challenge of patch latency in corporate environments. Under traditional update models, IT administrators often face a difficult trade-off: enforcing immediate reboots disrupts productivity, while allowing grace periods leaves systems vulnerable. Microsoft noted that administrators typically permitted a 3 to 5-day window for users to restart devices before forcing compliance, a delay that left organizations exposed to exploitation. By enabling hotpatching by default, Microsoft estimates it will halve the time required to achieve 90% patch compliance across managed estates, dramatically shrinking the attack surface available to threat actors.

Administrators will retain granular control over the new default behavior. Microsoft has stated that hotpatch updates can be disabled at the tenant level and selectively enabled for specific devices, or vice versa. The "When available, apply without restarting the device (hotpatch)" control can be toggled back to "Allow" when an organization is prepared for the default behavior. Furthermore, Microsoft indicated that additional IT controls for managing this feature are slated for release in April 2026, ahead of the May update rollout. Admins can assess their environment's readiness using the dedicated "Hotpatch quality updates" readiness report.

This strategic evolution occurs against a backdrop of increasingly sophisticated cyber threats, as highlighted by other recent security reports. These include nation-state actors like APT28 deploying customized open-source tools, phishing campaigns exploiting platforms like Microsoft Teams to deliver malware such as A0Backdoor, and adversaries leveraging artificial intelligence to enhance every stage of the attack lifecycle. By streamlining the patch application process to eliminate reboot barriers, Microsoft aims to provide a more robust and responsive defense mechanism, helping organizations keep pace with the rapidly evolving threat landscape and complementing other security hardening measures like Kernel-mode Hardware-enforced Stack Protection.
