Microsoft is set to give enterprise IT administrators a new level of control over Windows quality updates. According to a roadmap entry (ID 501449) published on the Microsoft 365 roadmap, the company plans to introduce "Microsoft Intune: Windows Quality Update management policies" that will allow per-update approval and rollout management, with a preview available in January 2026 and general availability expected in February 2026. The capability is aimed at closing a long-standing gap in Windows update management: the ability to selectively approve or block individual quality patches—including non-security previews and critical out-of-band fixes—without resorting to broad deferral windows or ring-based schedules.

Microsoft already offers a robust set of update controls in Intune, including update rings for general servicing, feature update policies to lock in specific Windows versions, expedited quality updates for urgent fixes, and driver update management. However, the existing tooling has often forced admins to make binary choices: either accept all quality updates within a deferral period or pause everything. The new per-update approvals promise a more surgical approach, letting teams vet each patch before it reaches production systems.

The Roadmap Entry and What’s Coming

The roadmap description for ID 501449 clearly states that the policy will let administrators “manage individual Windows quality updates including non-security and out-of-band updates, and choose which update types to automatically approve and the rollout options for those approvals.” The timeline is aggressive: a public preview in January 2026, with full general availability the following month. This positions the feature as a cornerstone of Microsoft’s evolving Windows servicing story, one that increasingly leans on cloud-native management through Intune and Windows Update for Business.

The new policy type will sit alongside the four existing update policy categories in Intune: update rings, feature updates, quality updates (which currently cover expedited updates and Hotpatch), and driver updates. According to Microsoft’s documentation, the per-update management will extend the quality updates category, adding the granular approval logic that many enterprise customers have been requesting for years.

Why Granular Quality Update Control Matters Now

For large organizations, the tension between security and stability is acute. Quality updates—the monthly cumulative updates that fix bugs and occasionally ship with non-security improvements—have been a source of anxiety ever since Windows as a Service became the norm. A single faulty patch can disrupt thousands of devices, yet delaying updates too long leaves systems exposed. The existing tools, while functional, lack the precision needed for complex environments.

  • Broad deferral windows (e.g., “delay all quality updates by 7 days”) don’t discriminate between critical security fixes and optional non-security previews. If a bad patch appears, admins often have to pause the entire ring, affecting all updates.
  • Expedited update policies allow fast-tracking a specific security release, but they lack the workflow needed for thorough validation before broad rollout.
  • Out-of-band fixes are typically urgent and require immediate action, yet most enterprises treat them with caution. Having the ability to test and approve them individually, on a small pilot group first, could dramatically reduce the risk of breaking line-of-business applications.

The new per-update management layer addresses these pain points by decoupling the approval of individual patches from the broader servicing cadence. Administrators will be able to create policies that automatically approve certain update types (e.g., security-only hotpatches) while requiring manual approval for non-security previews or out-of-band releases. This matches the real-world process where a change advisory board (CAB) signs off on specific updates after testing.

Technical Underpinnings: Hotpatch, OOBE Updates, and More

The new policy arrives amid a flurry of servicing innovations from Microsoft. Understanding these helps frame the full potential of per-update management.

Hotpatch for Windows 11 Enterprise: Hotpatch technology delivers security updates that install without requiring a reboot. It is available for eligible Windows 11 Enterprise devices running specific builds, using the same underlying mechanism as in Windows Server. Hotpatch updates are monthly security releases that can be applied silently, drastically cutting downtime. However, Hotpatch is not available for all quality updates—only specific security fixes are modeled for it. When a Hotpatch is not feasible (for example, if a kernel component is updated), devices fall back to a traditional latest cumulative update (LCU) that requires a restart. The new per-update policies could let admins selectively approve Hotpatch-enabled updates, maximizing uptime while still maintaining control.

OOBE Quality Updates: Starting with Windows 11 22H2, devices joined to Entra ID (Azure AD) or hybrid-joined can automatically check for and install quality updates during the out-of-box experience (OOBE). This ensures that newly provisioned machines are fully patched before the user first signs in, reducing post-setup patch cycles and help desk calls. The Enrollment Status Page (ESP) settings in Intune already control this behavior, but the upcoming rollout options in the new policy will give admins more granular control over which updates are applied during OOBE and how they are scoped.

Autopatch and WUfB Deployment Service: Microsoft has been pushing Windows Autopatch, a service that automates phased rollouts of updates, as the “safe” path for most organizations. Autopatch uses the Windows Update for Business deployment service under the hood. The new per-update policies will integrate into this ecosystem, allowing customers who use Autopatch to override or supplement the automated approvals when needed. For organizations not using Autopatch, the policies will provide similar granularity directly through Intune.

What the New Policy Will Likely Look Like

While Microsoft hasn’t published the full user interface, the roadmap language and existing Intune patterns suggest a clear design:

  • Per-update approval pane: A list of available quality updates, each with a publish date, type (security, non-security, out-of-band), and status. Administrators can approve or block each one individually.
  • Automatic approval rules: Options to automatically approve updates of certain types. For example, all security-only Hotpatch updates could be auto-approved, while non-security previews require manual review.
  • Rollout scheduling: For approved updates, configure a start date, gradual rollout period (e.g., “make available to 10% of devices, then increase by 20% every 24 hours”), and target device groups.
  • Reporting and monitoring: Dashboards showing update deployment status, including which devices have applied a specific update, Hotpatch vs. LCU breakdown, and any errors encountered.
  • Conflict resolution with existing policies: The system will need to reconcile per-update approvals with update ring deferral settings and feature update lock-in. Likely, the most restrictive setting will win, but documentation will clarify interaction.

These controls will likely appear under a new “Quality update management” node in the Intune admin center, extending the existing “Windows updates” blade.

Operational Benefits for Enterprise IT

The move to per-update approvals brings several concrete advantages:

  1. Reduced risk of mass disruptions: By testing a quality update on a small pilot ring and only approving it for broader deployment after validation, organizations can avoid the blast radius of a bad patch. This is especially critical for sectors like healthcare, finance, and manufacturing, where uptime is paramount.
  2. Faster security response: When a critical vulnerability is announced, the security team can immediately approve the corresponding Hotpatch (or regular update) for a pilot group and rapidly expand rollout if no issues surface. This compresses the patch window significantly.
  3. Compliance and audit readiness: Centralized, per-update approval records in Intune provide a clear trail for auditors. This replaces ad-hoc email approvals or ticket-based processes that are hard to track.
  4. Streamlined provisioning: Because OOBE updates can now be managed with the same granularity, IT can ensure that devices shipped to users are not just up-to-date with the latest cumulative update, but also with only the updates that have been approved. This prevents a new hire from receiving a problematic update during setup that was blocked for existing devices.

The Risks and Unknowns

Despite the promise, early adopters should approach with caution. Several factors could complicate the rollout:

  • Licensing and eligibility: Advanced features like Hotpatch, expedited updates via WUfB deployment service, and possibly the per-update management itself may require specific licenses. Microsoft has not explicitly confirmed whether the new policies will be available for all Intune tenants or only those with Windows E3/E5, Microsoft 365 E3/E5, or Autopatch subscriptions. Organizations should verify licensing before planning.
  • Platform prerequisites: Hotpatch demands Windows 11 Enterprise with Virtualization-Based Security (VBS) enabled. Not all devices will meet these requirements, meaning some will continue to use standard LCU updates that require reboots. This creates a mixed update population that complicates reporting and rollback procedures.
  • Telemetry and connectivity: The policy likely depends on Windows diagnostic data and consistent cloud connectivity to Intune and Microsoft update endpoints. Devices in air-gapped or low-connectivity environments may not function as expected.
  • Rollback limitations: While Hotpatch reduces reboots, it does not support automatic rollback. If a Hotpatch causes an issue, uninstalling it requires a fallback to a full LCU, which involves a reboot. Similarly, driver updates managed through Intune lack any automatic rollback mechanism; manual intervention is required. This makes careful testing even more critical.
  • Policy conflicts: Combining update rings, feature update policies, and per-update approvals could lead to unpredictable outcomes. Microsoft’s own documentation warns that overlapping feature and update ring policies can cause delays. IT teams will need to design a clear, non-overlapping policy structure and test extensively.
  • Heterogeneous environments: Many large enterprises still rely on WSUS, Configuration Manager, or third-party patching tools for a subset of their fleets. The new per-update policies will only apply to devices managed by Intune and enrolled with Windows Update for Business. A coexistence strategy will be essential for hybrid shops.

Preparing for the Per-Update Future

Given the February 2026 GA target, forward-looking IT teams can start preparing now. A practical checklist includes:

  • Inventory devices: Identify which machines run Windows 11 Enterprise and are eligible for Hotpatch. Separate devices that are on older Windows versions, BYOD, or managed via WSUS/ConfigMgr into distinct servicing cohorts.
  • Review licensing: Confirm that the tenant has the necessary subscriptions to use advanced update features. This may involve discussions with your Microsoft account team.
  • Harden test environments: Enable VBS and required telemetry levels on pilot devices. Validate network connectivity to Windows Update endpoints and configure ESP settings to ensure OOBE updates work as expected.
  • Design a policy hierarchy: Decide which update controls will be set at the ring level, the feature update level, and the new per-update level. Document the precedence rules and expected behavior.
  • Build validation playbooks: Automate post-update testing using remote monitoring and management tools. Prepare fallback scripts that can uninstall a problematic Hotpatch or driver update and reboot if necessary.
  • Update helpdesk and imaging workflows: Train support staff on the new OOBE update behavior and how to handle cases where a newly provisioned device receives a blocked update. Ensure imaging teams are aware of the new ESP settings.

Integration Scenarios: Autopatch, Intune, and Hybrid

The per-update policies are not a replacement for Windows Autopatch but a complement. Autopatch will continue to automate the general update process, but administrators can now step in for specific patches. For example, if Autopatch begins rolling out a quality update that causes issues in the “test” ring, an admin could immediately block that update organization-wide or delay its progression to later rings—without pausing all other updates.

For organizations that have not adopted Autopatch, the new policies will provide some of the autonomy that Autopatch offers, but with manual oversight. Hybrid WSUS/ConfigMgr environments, however, will likely see limited benefit unless devices are co-managed and moved to Intune for update management. Microsoft has been encouraging adoption of cloud-native servicing paths, and this feature reinforces that direction.

What Could Trip Up Ops Teams

Beyond the technical prerequisites, the human factor matters. The increased granularity brings complexity. IT teams must resist the temptation to micromanage every single patch; doing so could lead to analysis paralysis and delayed patching. A balanced approach—auto-approve low-risk updates, manually review high-impact ones—will likely serve most organizations best.

Regulatory environments that require detailed change records for every system modification will need to update their processes to account for Hotpatch’s silent installations and OOBE-applied updates. The absence of a reboot may look suspicious to auditors unless documented properly.

Vendor compatibility is another concern. Independent hardware and software vendors often do not explicitly test their products against each monthly quality update, let alone Hotpatch variants. Early adopters should closely monitor vendor support matrices and consider contractual safeguards.

The Bigger Picture: Microsoft’s Servicing Evolution

The per-update management feature is part of a broader trend toward making Windows servicing more predictable and less disruptive. Hotpatch, in particular, represents a significant shift, aiming to eliminate one of the biggest end-user frustrations: the forced reboot. Combined with the ability to apply updates during OOBE, Microsoft is clearly targeting the entire device lifecycle—from first boot to ongoing maintenance.

The fact that this feature is being built into Intune, rather than a separate tool, indicates that Microsoft sees it as essential for modern endpoint management. It also suggests that the company is responding to feedback from large enterprises stuck between the extremes of full automation and manual, high-risk blanket deferrals.

Final Recommendations

The preview in January 2026 will be critical for early adopters to kick the tires. Those with complex, safety-critical environments should plan to start a pilot immediately after the preview becomes available. Include a representative mix of hardware, drivers, and key applications. Document everything: which updates were approved, which were blocked, and the outcomes. Use the preview period to refine the policy hierarchy and validate monitoring tools.

By the time general availability arrives in February 2026, the goal should be to have a clear, tested deployment model that leverages the new granular controls without overcomplicating the update process. The payoff—a more secure, stable, and efficient Windows fleet—could be substantial.