An Azure-powered solution for Modern Endpoint Management
May 9, 2025
Keeping organizational endpoints secure and up to date is both critical and complex. Windows 11 Hotpatching simplifies the challenge with a game-changing update feature, enabling organizations to secure endpoints quickly, with minimal user disruption. Unlike traditional updates that require reboots, Hotpatching delivers real-time security updates with zero downtime. Hotpatching is all about security and productivity. In this blog, I explore Windows 11 Hotpatching, covering key implementation considerations, benefits, and essential details.

What is Windows 11 Hotpatching?
Hotpatching is an update technology that lets organizations apply security patches without requiring a reboot, ensuring uninterrupted productivity and system availability. It installs the monthly cumulative security update directly into memory, with no reboot requirement. These are full security patches released on Patch Tuesday that take effect immediately, without interrupting users or restarting systems, processes, or applications. Hotpatches give the same level of security as the Standard updates. Hotpatch servicing does not include feature updates and quality updates the way Standard servicing does; it includes only cumulative OS security updates.
Hotpatch updates availability for Windows 11 Clients
Hotpatch updates are available for Windows 11 Enterprise client devices, version 24H2 and above, on x64 (AMD/Intel) CPUs, for devices managed via Microsoft Intune and enrolled in Windows Autopatch. The updates are generally available (GA) on Intel and AMD-powered devices.
However, for ARM64 devices, Hotpatch updates are in public preview as of this writing.
Why Hotpatching matters, and what the benefits are
Faster Security
With Hotpatch updates, there are no more deferrals or delays before a machine can be secured. Hotpatching enables devices to patch faster, reducing vulnerability windows and ensuring systems are secure as soon as updates are available. With Hotpatch updates, critical vulnerabilities can be addressed immediately. You can quickly take measures to help protect your organization from cyberattacks, while minimizing user disruptions.
Zero-disruption experience – improve user productivity
Because no reboot is required, end users can continue to work uninterrupted, making Hotpatching ideal for mission-critical environments such as healthcare, emergency services, the financial sector, etc.
Cost-efficient operations
With the faster patch velocity and simpler patch orchestration, operations become cost-efficient. Fewer support tickets, less downtime, and better compliance all contribute to improved operational efficiency and reduced IT overhead.
Servicing model | How Hotpatching works | Do devices ever need a reboot?
Hotpatch servicing has a separate release train from the Standard updates, as illustrated in the graphic.

Hotpatch updates are delivered eight times a year. Hotpatches are released in the months between Baseline months, i.e., in Feb and Mar, May and Jun, Aug and Sep, Nov and Dec.
Baseline releases happen once every quarter, i.e., in Jan, Apr, Jul, Oct. During the Baseline months, both Hotpatching and Standard servicing machines run the same code. Baselines are released four times a year.
Baseline months exist so that devices keep optimum performance and operational health: once a quarter you reboot to bring devices up to the baseline, then rely on Hotpatching for the next two months until the next baseline.
Instead of rebooting twelve times a year, Hotpatch-enabled devices would typically reboot only four times a year, i.e., during the Baseline months.
Example: In the Jan baseline month, on Patch Tuesday, both Hotpatch devices and Standard update devices get the Standard update. On Feb Patch Tuesday, devices enrolled in Hotpatching receive a Feb Hotpatch update containing the same cumulative security fixes that Standard update devices get. However, Hotpatch-enabled devices will not receive feature or quality updates. The Hotpatch cycle continues for two months, followed by baselining again in Apr. At that point, both Hotpatch and Standard train devices receive the same Standard Apr updates. Machines opted in to Hotpatching that didn’t receive feature updates for two months get caught up in Apr. This repeats each quarter.
On occasions when there’s no Hotpatch payload available, or a device is not Hotpatch eligible, the device is kept secure with the Standard update.
Eligibility
Windows 11 Enterprise version 24H2 or higher x64 (AMD/Intel) CPU devices with Virtualization-Based Security (VBS) enabled, managed through Microsoft Intune and using Windows Autopatch for update management, are Hotpatch-eligible client devices. Hotpatch updates are available with Windows Enterprise E3, E5, or F3.
VBS is an OS setting that enables virtualization-based security and is a prerequisite for the Hotpatch update installer to function. If VBS isn’t enabled, a device won’t be offered Hotpatch updates.
To find whether VBS is enabled and running, check System Information on the machine.

If VBS is not enabled already, you can use one of the following methods to turn it on.
- Configure the VBS setting via Group Policy.
- Set a registry key on the device and restart it. This is a one-time action that enables VBS for future updates.
- Enable Memory Integrity under the device’s Windows Security settings, to turn on VBS.
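The same check System Information performs can be scripted for a fleet audit or an Intune remediation. The following PowerShell is an added example, not code from the original post: it reads the Win32_DeviceGuard class (Microsoft's documented way to query VBS state) and, when run with -Enable from an elevated prompt, writes the documented DeviceGuard registry values for VBS and Memory Integrity, which take effect after the next restart. The HotpatchReady property name and the status labels are this example's own.

```powershell
# Added example (not from the original post): report VBS state as System
# Information does, and optionally set the registry values that enable VBS
# and Memory Integrity (HVCI) for the next boot. Run elevated for -Enable.
[CmdletBinding()]
param(
    [switch]$Enable   # set the registry values instead of only reporting
)

# VirtualizationBasedSecurityStatus values per the Win32_DeviceGuard docs.
$vbsStatusNames = @{
    0 = 'Not enabled'
    1 = 'Enabled but not running (reboot pending or hardware prerequisite missing)'
    2 = 'Running'
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsStatus       = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        MemoryIntegrity = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard
        # Hotpatch needs VBS actually running, not merely configured (label is ours).
        HotpatchReady   = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

function Enable-Vbs {
    # One-time registry change; VBS starts after the device restarts.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord

    # Memory Integrity is what the Windows Security UI toggles; turning it on
    # brings VBS up as well.
    $hvci = Join-Path $key 'Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $hvci)) { New-Item -Path $hvci -Force | Out-Null }
    Set-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -Type DWord
    Write-Output 'VBS and Memory Integrity configured; restart the device to apply.'
}

$state = Get-VbsState
$state | Format-List
if ($Enable -and -not $state.HotpatchReady) { Enable-Vbs }
```

Used as an Intune detection script, the report half alone is enough: exit non-zero when HotpatchReady is false and let a paired remediation script run the enable path, so the reboot that VBS needs happens in a maintenance window rather than silently.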
Another prerequisite, specific to the Public Preview phase of Hotpatching, is that Windows 11 24H2 ARM64 devices must disable Compiled Hybrid Portable Executable (CHPE) via the registry (a one-time setting) to take Hotpatch updates. It is important to test the CHPE change, as some machines or applications may depend on CHPE.
More information about both VBS and ARM64 CHPE requirements can be found here on Microsoft Learn.
Getting Started with Hotpatching, and the Admin Experience
How to enable Hotpatching to offer Hotpatch updates to eligible devices?
In Intune, create a new Windows Quality Update policy under Devices –> Windows Updates –> Quality Updates tab –> Create –> Windows Quality Update Policy.
Then in Settings for the policy, switch the toggle to allow Hotpatching, as illustrated in the graphic, and subsequently add the eligible devices group to the policy.


How to verify client Hotpatch update policy enrollment?
On a device, under Settings –> Windows Update –> Advanced options –> Configured update policies, you’ll notice a policy on the device that enables Hotpatch updates when available, as illustrated in the graphic.

Opting in and out
Admins can opt in and out of the Hotpatch updates at any time. For instance, if your machine took a Hotpatch update in Mar, but you’d like to have the Standard update instead, you can install the Standard update on top of the Hotpatch update. The machine won’t be eligible for a Hotpatch again until it goes through the next baseline.
Uninstalling a Hotpatch
You can uninstall a Hotpatch update, as well as scan, download, and reinstall it. The uninstallation of a Hotpatch update is quick but requires a reboot.
Reporting
Monitor patch compliance and device eligibility via built-in reporting. A report specific to Hotpatching shows the devices enrolled in Hotpatching and their status, that is, whether they took the Hotpatch or the Standard update (if an eligibility criterion was missing, for instance). It also includes the configuration of the devices, helping you identify which eligibility criterion is not met. Admins can thus track the progress of the Hotpatching policy.
Hotpatch Release Schedule
The Hotpatch Release Schedule lists the Windows client Hotpatch releases. If Microsoft has to change the Hotpatch schedule, check there to see whether next month’s update will be a Hotpatch or a Baseline, and plan your activities accordingly. If a critical fix can’t be delivered via Hotpatch, Microsoft may release a Standard update instead.
About Hotpatch KB and OS version numbers
Hotpatch updates are just another KB with an OS version that shows up in the update history.
In a Hotpatch month, the Standard update will have its own unique KB number and OS version number, while the Hotpatch that month will have a different KB number and OS version. This means that during Hotpatch months, machines that are Hotpatched will have a different OS version than the machines that receive the Standard update. Also, the Standard update version will always be higher than the Hotpatch version.
You can track compliance via KB articles and OS versions. During Hotpatch months, track against the Hotpatch OS version number or higher; during Standard months, track against the Standard OS version number.
As a best practice, refer to the Hotpatch and Standard update release notes for important ad-hoc information about specific prerequisites or known issues.
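A scripted form of that tracking rule, as an added example that is not from the post: it reads the installed build and UBR from the registry, picks the threshold the way described above (Hotpatch month: the Hotpatch build or higher; Baseline month: the Standard build), and reports whether the device is compliant. The KB numbers and UBR values in $expected are placeholders to be replaced from the month's release notes, and the assumption that a Hotpatch KB is listed by Get-HotFix like any other installed update is mine, not the page's.

```powershell
# Added example (not from the original post): classify a device against the
# month's expected build. KB numbers and UBRs below are placeholders; take
# the real ones from the Hotpatch and Standard release notes. Windows 11
# 24H2 is build 26100; the last number (UBR) identifies the installed update.

$expected = [pscustomobject]@{
    MonthType     = 'Hotpatch'                   # 'Hotpatch' or 'Baseline'
    HotpatchKB    = 'KB0000000'                  # placeholder
    HotpatchBuild = [version]'10.0.26100.1000'   # placeholder UBR
    StandardKB    = 'KB0000001'                  # placeholder
    StandardBuild = [version]'10.0.26100.1001'   # placeholder; always > Hotpatch UBR
}

function Get-InstalledOsVersion {
    # The same numbers winver shows, read from the registry.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('10.0.{0}.{1}' -f $nt.CurrentBuildNumber, $nt.UBR)
}

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)]$Expected,
        [string[]]$InstalledKBs = @()
    )
    # Rule from the post: in a Hotpatch month, track against the Hotpatch build
    # or higher. The Standard build of the same month is always higher, so a
    # device that fell back to the Standard update still passes. In a Baseline
    # month every device must reach the Standard build.
    $threshold = if ($Expected.MonthType -eq 'Hotpatch') { $Expected.HotpatchBuild } else { $Expected.StandardBuild }

    [pscustomobject]@{
        Installed    = $Installed
        Threshold    = $threshold
        Compliant    = ($Installed -ge $threshold)
        # Which train the device took this month. Assumption: the Hotpatch KB
        # appears in Get-HotFix output like any other installed KB.
        TookHotpatch = ($InstalledKBs -contains $Expected.HotpatchKB)
        TookStandard = ($InstalledKBs -contains $Expected.StandardKB)
    }
}

$result = Test-PatchCompliance -Installed    (Get-InstalledOsVersion) `
                               -Expected     $expected `
                               -InstalledKBs (Get-HotFix).HotFixID
$result | Format-List

# Non-zero exit marks the device non-compliant when used as an Intune
# detection script or fed into a compliance dashboard.
if (-not $result.Compliant) { exit 1 }
```

Keeping the threshold in a single $expected object per month makes the quarterly switch explicit: flip MonthType to 'Baseline' in Jan, Apr, Jul and Oct and the same script demands the Standard build from every device, which is exactly when Hotpatched machines are expected to catch up.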
User Experience
Hotpatch updates download and install in the background, and are transparent to the end user. After the updates are installed, Windows Update under Settings displays a success message in a Green banner, similar to the one illustrated in the graphic.

Closing Remarks
Hotpatching enables organizations to secure devices as quickly as possible by removing the reboot pain point.
Try it out!
I wrote this blog post for Gimme Cloud Talks at Global Azure 2025, which is part of the annual worldwide Global Azure community event focused on sharing knowledge and best practices around Microsoft Azure and its ecosystem.