Hotpatch by default in Windows Autopatch: patching without restarts to defend your organization

5 min read

Microsoft has decided to flip the switch: starting with the May 2026 security update, "hotpatch" updates will be enabled by default on all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, provided they are managed through Windows Autopatch. The measure aims to shrink the exposure window created by traditional update cycles, in which devices could remain vulnerable for several days while waiting for restarts or manual confirmations.

What exactly is hotpatch and why does it matter? Hotpatching makes it possible to apply certain security patches without restarting the device, or at least to minimize the interruptions the user sees, so that critical fixes are in effect practically from the moment of installation. For organizations this means less time during which devices are exposed to known exploits and, according to Microsoft, a significant reduction in the time needed to reach high compliance levels: the company estimates that the time to reach 90% of devices patched will be halved by this change.

Image generated with AI.

Windows Autopatch, Microsoft's managed service that automates the distribution of updates for Windows and Microsoft 365, will be the channel through which these updates are delivered by default. Windows Autopatch was released publicly in 2022 and, according to official figures, already manages more than 10 million devices in production, applying security fixes that do not always require an immediate restart. You can review the technical explanation and the service roadmap in Microsoft's official documentation on Windows Autopatch on Microsoft Learn.

The change does not come without controls: Microsoft will provide administrative options that let you disable hotpatch at the tenant level, or enable or disable it for specific devices. These options will be available in the Intune admin center from 1 April 2026, and until 11 May 2026 organizations will have room to review their status and choose to opt out of the default behavior before the hotpatch deployments begin.

If you want to check whether your device fleet is ready to receive hotpatch, Microsoft has published an Intune report called "Hotpatch quality updates report", which lets you verify that devices have installed the April 2026 baseline update and meet the requirements. The prerequisites and conditions to be met are detailed in the Windows Autopatch technical documentation: check the prerequisites there.
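A local complement to that report, added here as an example that is not part of the article or of Microsoft's tooling: a PowerShell readiness check that can also serve as an Intune detection script (non-zero exit means "not ready"). It assumes Microsoft's published hotpatch prerequisites (Windows 11 Enterprise 24H2 or later on an x64 device with virtualization-based security running); the exact April 2026 baseline build is not on the page, so the UBR value below is a placeholder you must set from Microsoft Learn.

```powershell
# Added example: local hotpatch readiness check (assumption: Enterprise edition,
# Windows 11 24H2+ (build 26100), x64 CPU, VBS running, April 2026 baseline UBR).
function Test-HotpatchReadiness {
    param(
        # PLACEHOLDER: replace with the April 2026 baseline UBR from Microsoft Learn.
        [int]$BaselineUbr = 0
    )

    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_DeviceGuard reports VBS state: 0 = off, 1 = enabled but not running, 2 = running.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # OSArchitecture is independent of whether this PowerShell host is 32- or 64-bit.
    $arch = [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture

    $checks = @(
        [pscustomobject]@{ Check = 'Enterprise edition'
                           Observed = $os.Caption
                           Pass = ($os.Caption -like '*Enterprise*') }
        [pscustomobject]@{ Check = 'Windows 11 24H2 or later (build >= 26100)'
                           Observed = "$($ver.DisplayVersion) build $($ver.CurrentBuild)"
                           Pass = ([int]$ver.CurrentBuild -ge 26100) }
        [pscustomobject]@{ Check = 'April 2026 baseline cumulative update'
                           Observed = "UBR $($ver.UBR)"
                           Pass = ([int]$ver.UBR -ge $BaselineUbr) }
        [pscustomobject]@{ Check = 'x64 processor'
                           Observed = $arch
                           Pass = ($arch -eq 'X64') }
        [pscustomobject]@{ Check = 'Virtualization-based security running'
                           Observed = $dg.VirtualizationBasedSecurityStatus
                           Pass = ($dg.VirtualizationBasedSecurityStatus -eq 2) }
    )
    return $checks
}

$result = Test-HotpatchReadiness
$result | Format-Table -AutoSize

# Intune detection-script convention: exit 1 when remediation/attention is needed.
if ($result.Pass -contains $false) {
    Write-Warning 'Device does not meet the assumed hotpatch prerequisites.'
    exit 1
}
Write-Output 'Device meets the assumed hotpatch prerequisites.'
exit 0
```

Run it elevated on a test device; a failing "baseline" row is expected until you replace the placeholder UBR.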

For organizations that prefer to keep the previous model for compatibility or testing reasons, Microsoft has explained that the relevant setting lives in Microsoft Intune, under tenant management in Windows Autopatch; from there you can switch the option known as "When available, apply without restarting the device (hotpatch)" to Allow or Block as appropriate. This flexibility is intended to give IT teams time to validate critical applications, workflows or integrations that could be affected by the new behavior.

What practical consequences does this have for IT departments? First, it reduces the operational burden of forcing restarts and managing manual exceptions, which can mean less reactive work after each Patch Tuesday. Second, it improves the overall security posture by shortening the window in which an already-patched vulnerability can still be exploited in unpatched environments. It also means that testing and compatibility teams should consider in advance how business applications will behave with updates applied without a reboot, and verify the technical requirements described by Microsoft.

The official communication of the change and the implementation details can be reviewed in Microsoft's announcements in its Message Center and on the Windows IT Pro blog. The Message Center notice that specifies the time limits and effects is available at Microsoft Learn - Windows Message Center, and the product team's analysis of the decision to enable hotpatch by default is published on the Microsoft Tech Community's Windows IT Pro Blog.


Microsoft's approach follows an industry trend that prioritizes reducing the time between the availability of a fix and its actual effectiveness on endpoints. In recent years, security teams have been concerned about restart windows and the friction that interruptions cause for users; a safe mechanism for applying patches without restarts resolves part of this problem, provided that the technical requirements are met and responsible change management is applied.

For administrators who are not yet ready, the practical recommendation is simple: validate the compatibility of critical applications, confirm the status of the devices with the Intune hotpatch report, and decide in time whether to block hotpatch for the tenant until testing is complete. Microsoft has left a margin until May 11, 2026 after the April baseline update, so using that period to prepare, test and document behavior is good practice.

In short, the default activation of hotpatch updates is intended to accelerate the organizations' defense against exploitable vulnerabilities without this involving a loss of control by managers. Keeping informed through official sources and planning coordinated tests with development and support teams will be key to taking advantage of this functionality without surprises.
