Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11. If you haven't inventoried your fleet against the requirements, you're about to get a split patching model you didn't plan for.
On May 11, 2026, Microsoft enables hotpatch updates by default at the tenant level for every Windows Autopatch customer. Hotpatch delivers security patches that apply without a restart in 8 of 12 months, reducing mandatory reboots from 12 per year to 4. The opt-out window opened April 1. If your fleet isn’t ready, you have 10 days to decide whether to accept the new baseline or turn it off.
The operational risk isn’t hotpatch itself. It’s that only a subset of your devices will qualify, and if you haven’t inventoried against the requirements, you’ll wake up on May 12 with two patching cadences running side by side in the same tenant.
What qualifies, and what doesn’t
Hotpatch requires Windows 11 Enterprise or Education 24H2 or later, managed through Intune with Autopatch enrollment. The device also needs three security features enabled: Virtualization-Based Security (VBS), Memory Integrity (HVCI), and Secure Boot.
That’s a narrower slice than most people assume. Memory Integrity in particular is a common gap. It ships off by default on many OEM builds, and some organizations disabled it intentionally because of driver compatibility issues. If you turned it off two years ago for a printing driver and never revisited the decision, that device won’t hotpatch.
The machines that don’t meet the requirements won’t error out or throw an alert. They silently stay on the old 12-reboot cadence. Microsoft’s documentation is clear about this, but the operational result is easy to miss: you’ll have two groups of devices on different patch timelines, and your reporting won’t distinguish between “hotpatched this month” and “waiting for the next reboot window” unless you build that view yourself.
Why the timing matters
Four reboots per year instead of 12 sounds like a win, and for qualifying devices it genuinely is. The baseline months that still require a reboot are January, April, July, and October. The other eight months deliver security content via hotpatch, no restart needed. Microsoft says over 10 million production devices are already enrolled.
But this change lands in a specific context. 2026 has been a rough year for Windows patching confidence. In January, a cumulative update broke RDP sessions and shutdown behavior, requiring an out-of-band fix. In March, KB5079391 was pulled from the preview channel and reissued as KB5086672. In April, KB5082063 put domain controllers in PAM environments into reboot loops after an LSASS fault. Microsoft shipped the OOB fix KB5091157 on April 20, ten days after Patch Tuesday. That same April Patch Tuesday carried 167 CVEs, 11 Critical, and 2 zero-days exploited in the wild.
None of that means hotpatch is unreliable. But it means the teams being asked to trust a new patching model are the same teams that spent Q1 cleaning up after the old one. That’s real context for the people deciding whether to opt in or ride out another quarter on the traditional cadence.
The split-fleet problem
Say you have 500 devices in Autopatch. Maybe 300 meet the hotpatch requirements. On a hotpatch month, those 300 get their security update applied in the background, no reboot. The other 200 need the traditional cumulative update and a restart.
If your patching reports just show “compliant” or “not compliant,” you won’t see the split. Both groups are getting patched. But they’re getting patched on different timelines, through different mechanisms, with different failure modes. Your change board approved one maintenance window. Now you effectively need to track two.
If you’re running Intune compliance policies that check Defender definition versions or OS build numbers, the hotpatched devices and the traditionally patched devices may report different build strings at different times during the month. A compliance policy that marks a hotpatched device as non-compliant because its build number doesn’t match the expected cumulative update string is the kind of problem that generates 200 help desk tickets on a Tuesday morning.
What you need to do before May 11
Know your numbers. If you don’t have a report that shows the exact count of hotpatch-eligible vs. ineligible devices in your tenant, you can’t make an informed decision about opt-in. That report is the first thing to build this week.
Decide whether to opt in or opt out. You can opt out at the tenant level or at the device-group level. If most of your fleet qualifies and you’re comfortable with the split reporting, opting in is reasonable. If fewer than half your devices qualify, you might want to opt out until you can close the gap, rather than managing two cadences indefinitely.
Validate your compliance baselines. If your compliance policies reference OS build numbers, patch levels, or Defender versions, find out what happens when hotpatched devices report a different build string than traditionally patched ones. A false non-compliance flag on hotpatched machines is a support escalation you don’t need.
Revisit your change management documentation. Your change board probably has one entry for “monthly Windows patching.” After May 11, you may need two: one for the hotpatch months (no reboot, no maintenance window needed for qualifying devices) and one for the baseline months (January, April, July, October) where everyone reboots.
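The inventory step above starts with a per-device check against the prerequisites listed earlier (24H2 or later, Enterprise/Education, VBS, Memory Integrity, Secure Boot). The script below is an added example, not from the post or from Microsoft; it assumes 24H2 corresponds to build 26100, that `Win32_DeviceGuard` reports VBS running as status 2 and Memory Integrity as service 2, and that Autopatch enrollment is verified in Intune rather than on the device.

```powershell
# Added example (not the post's or Microsoft's code): evaluate one device against the
# hotpatch prerequisites and emit a row that can be aggregated across the tenant.
# Assumptions: Windows 11 24H2 = build 26100; in Win32_DeviceGuard,
# VirtualizationBasedSecurityStatus 2 = VBS running, SecurityServicesRunning 2 = HVCI.
# Run elevated: Confirm-SecureBootUEFI needs administrator rights.
# Intune/Autopatch enrollment is not checked here; confirm it from the Intune side.

function Test-HotpatchEligibility {
    [CmdletBinding()]
    param()

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $build     = [int]$os.BuildNumber
    $editionOk = $os.Caption -match 'Enterprise|Education'
    $versionOk = $build -ge 26100            # Windows 11 24H2 or later

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
    $hvciRunning = $dg.SecurityServicesRunning -contains 2   # Memory Integrity

    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }           # legacy BIOS / non-UEFI: cmdlet throws

    # Collect the failed requirements so the report says *why* a device is ineligible.
    $missing = @()
    if (-not $editionOk)   { $missing += 'Edition' }
    if (-not $versionOk)   { $missing += 'OSVersion' }
    if (-not $vbsRunning)  { $missing += 'VBS' }
    if (-not $hvciRunning) { $missing += 'MemoryIntegrity' }
    if (-not $secureBoot)  { $missing += 'SecureBoot' }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Build           = $os.Version        # e.g. 10.0.26100
        Edition         = $os.Caption
        VBSRunning      = $vbsRunning
        MemoryIntegrity = $hvciRunning
        SecureBoot      = $secureBoot
        Eligible        = ($missing.Count -eq 0)
        MissingReqs     = ($missing -join ',')
    }
}

# One CSV row per device; gather the rows (for example as remediation-script output)
# and group on Eligible to get the eligible vs. ineligible counts the post asks for.
Test-HotpatchEligibility | ConvertTo-Csv -NoTypeInformation
```

Grouping the collected rows on `MissingReqs` also shows which single requirement (typically Memory Integrity) accounts for most of the ineligible population, which is the number you need before deciding whether closing the gap or opting out is the cheaper path.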
What else is converging on your queue
WSUS was deprecated in September 2024. Windows Update for Business was folded into Autopatch in late 2024. The patching infrastructure under your environment is consolidating, and hotpatch going default is the latest piece of that.
And the threats aren’t waiting for your fleet to catch up. CVE-2026-32202, a Windows Shell NTLM leak being exploited by APT28, has a CISA remediation deadline of May 12, one day after hotpatch goes default. CVE-2026-33824, an unauthenticated IKEv2 RCE at CVSS 9.8, is sitting in the same patch cycle. Those patches need to land regardless of which delivery mechanism your devices are using.
Ten days isn’t much time to inventory a fleet, evaluate a patching model change, and update your change management process. But that’s the window. If you run Autopatch and haven’t looked at this yet, the inventory is where to start. Everything else follows from knowing what your fleet actually looks like.
Sources
- Securing devices faster with hotpatch updates on by default (Microsoft Windows IT Pro Blog)
- Hotpatch updates (Microsoft Learn)
- Microsoft to enable Windows hotpatch security updates by default (Bleeping Computer)
- Hotpatching goes default in Windows Autopatch (The Register)
- Microsoft January 2026 OOB updates fix RDP sign-in and Secure Launch shutdown (Windows Latest)
- Windows 11 KB5086672 emergency update fixes preview install issues (Bleeping Computer)
- Microsoft: Some Windows servers enter reboot loops after April patches (Bleeping Computer)
- April 19, 2026—KB5091157 (OS Build 26100.32698) Out-of-band (Microsoft Support)
- Microsoft's April 2026 Patch Tuesday Addresses 163 CVEs (Tenable)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog, April 28, 2026 (CISA)
- CVE-2026-33824: Remote Code Execution in Windows IKEv2 (Zero Day Initiative)