May 15, 2025
Interested in faster compliance for your devices running Windows 11 Enterprise or Education, version 24H2? The first hotpatch update since this technology became generally available is now here. Simply enroll your eligible devices into a hotpatch policy on Windows Autopatch via Microsoft Intune, and install the latest Windows security update that serves as a baseline.
Find answers to any questions you may have in the following categories:
- Hotpatch update definitions
- Eligibility and availability of hotpatch updates
- Hotpatching on Arm64 devices
- Technical information about hotpatch updates
- Testing and error information
- Additional resources
Hotpatch update definitions
What are hotpatch updates?
Hotpatch updates are monthly security updates that take effect without requiring you to restart the device. They contain a full set of security updates equivalent to the standard updates released the same day.
What are standard updates?
A standard update is a regularly scheduled Windows security update that relies on a device restart for it to take effect.
What is the hotpatch update cycle?
All eligible Windows 11, version 24H2 devices enrolled in the hotpatch update policy are offered hotpatch updates in a quarterly cycle with respect to the calendar year:
- Baseline month: In January, April, July, and October, devices install the monthly cumulative security update and must restart for the update to take effect. This update includes the latest security fixes, cumulative new features, and enhancements since the last baseline.
- Subsequent two months: Devices receive hotpatch updates, which only include security updates and don’t require a restart for the update to take effect. These devices will catch up on features and enhancements with the next cumulative baseline month (quarterly).
Diagram shows baseline and hotpatch months, illustrating that no restarts are needed on hotpatch months.
Eligibility and availability of hotpatch updates
When will hotpatch updates for Windows client become available?
Hotpatch updates are generally available for eligible Windows 11, version 24H2 devices with x64 (AMD/Intel) CPU. Hotpatch updates are also available for Windows 365 Cloud PCs. Hotpatch updates for Arm64® devices provide a full set of security fixes, but the scenario is in public preview.
What eligibility requirements do I need to meet to access and manage hotpatching for Windows client?
If you meet the prerequisites for hotpatch updates, you can opt devices in (or out) for automated hotpatch update deployment using Windows Autopatch.
Only Windows 11 Education and Enterprise editions support hotpatching. Hotpatching is not available for Home, Pro, or IoT editions.
Check that your organization has one of the following licenses:
- Windows 11 Enterprise E3 or E5
- Microsoft 365 F3
- Windows 11 Education A3 or A5
- Microsoft 365 Business Premium
- Windows 365 Enterprise
Additionally, devices must have the following in order to receive hotpatch updates:
- Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) and on the current baseline (e.g., April 2025 security update baseline (KB5055523))
- An x64 (AMD/Intel) CPU (Note: Hotpatching on Arm64 devices is still in public preview.)
- Microsoft Intune for managing the deployment of hotpatch updates with a hotpatch-enabled Windows quality update policy (see below)
- Virtualization-based Security (VBS) enabled
How do I opt my devices into receiving hotpatch updates?
If you’re eligible for hotpatch updates, you can opt devices in (or out) for automated hotpatch update deployment using Windows Autopatch.
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Windows updates > Create Windows quality update policy > Settings.
- Under Automatic update deployment settings, locate the option When available, apply without restarting the device (“hotpatch”).
- Toggle it to Allow.
To see the hotpatch option, you should have an existing quality update policy or create a new one and add your device groups to enable hotpatch updates.
Enabling hotpatch updates by creating a Windows quality update policy in the Intune admin center.
For more information, see Enroll devices to receive hotpatch updates.
What if some devices in my hotpatch policy aren’t eligible for hotpatch updates?
The Windows quality update policy can auto-detect if your targeted devices are eligible for hotpatch updates. Ineligible devices will continue to receive the standard monthly security updates, helping ensure that your ecosystem stays protected and productive.
Note: Devices may be temporarily ineligible because they do not have Virtualization-based Security (VBS) enabled and running. Also, devices need to have the latest baseline release installed to receive hotpatch updates. Consult the troubleshooting guide to investigate ways to ensure that all your Windows 11, version 24H2 devices are configured properly for hotpatch updates.
For more information, see Prerequisites and Ineligible devices.
How is hotpatching different for Windows 11 Enterprise, version 24H2 and Windows Server 2025?
Hotpatch technology is similar for Windows 11, version 24H2 and the supported Windows Server editions. The key difference is how hotpatch updates are managed:
- Windows 11, version 24H2 updates are managed by Windows Autopatch.
- Windows Server 2025 Datacenter Azure Edition is managed by Azure Update Manager (AUM). Azure Arc connected subscriptions for Windows Server 2025 Datacenter/Standard Editions can be managed through the Azure Arc Portal, AUM, or programmatically.
The eight hotpatch months and four baseline months planned each year are the same for all the hotpatch-supported operating systems (OSs). Sometimes there might be additional baseline months for one OS (e.g., Windows Server 2022), while there are hotpatch months for another OS, such as Windows Server 2025 or Windows 11, version 24H2. Watch the release notes carefully around each second Tuesday of the month for the latest information. Get to them easily from Windows release health.
Hotpatching on Arm64 devices
Can I use hotpatch updates on Arm64 devices?
Yes, hotpatch updates are available to Arm64 devices. However, hotpatching for Arm64 devices is in public preview. In addition to general prerequisites, these devices require an additional step of disabling compiled hybrid PE usage (CHPE).
Is the requirement to disable CHPE on Arm64 devices temporary?
There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. The requirement to disable and test CHPE extends beyond public preview. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don’t have CHPE.
What’s the impact of disabling CHPE on end-user experience on Arm64 devices?
For Arm64 devices, we recommend testing hotpatch updates with CHPE disabled. The expectation is a fully working system with acceptable performance and application compatibility. As an IT admin, you have the choice to use hotpatch updates or standard updates. If you choose to disable CHPE, the device is eligible to receive hotpatch updates. If CHPE is enabled, the device is only eligible to receive standard updates.
What are the best ways to disable CHPE on Arm64 devices?
You can disable CHPE on Arm64 devices by manually setting the registry key:
- Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
- DWORD Key value: HotPatchRestrictions=1
For more information, see Arm64 devices must disable CHPE (Arm64 CPU only).
Alternatively, disable the CHPE support using a configuration service provider (CSP) policy: DisableCHPE. Restart the device to ensure the operating system is enforcing the setting. You only need to set this once.
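The device-side prerequisites from the eligibility list, together with the Arm64 CHPE registry value described above, can be checked locally before a device is added to a hotpatch policy. The script below is an added example, not Microsoft's code. Test-HotpatchReadiness is a hypothetical name and the EditionID match is an assumption; licensing, Intune policy assignment, the installed baseline, and CHPE disabled through the DisableCHPE CSP are not checked.

```powershell
# Added example. Test-HotpatchReadiness is a hypothetical helper name, not a Microsoft cmdlet.
# Run from 64-bit PowerShell so PROCESSOR_ARCHITECTURE reflects the real CPU.
function Test-HotpatchReadiness {
    $cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $mm   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $arch = $env:PROCESSOR_ARCHITECTURE   # AMD64 on x64, ARM64 on Arm64

    # Edition: only Enterprise and Education support hotpatching.
    # Assumption: EditionID for those editions begins with "Enterprise" or "Education".
    $editionOk = $cv.EditionID -match '^(Enterprise|Education)'

    # Version 24H2 is build 26100; the page requires 26100.2033 or later.
    $build   = [int]$cv.CurrentBuildNumber
    $ubr     = [int]$cv.UBR
    $buildOk = ($build -eq 26100) -and ($ubr -ge 2033)

    # VBS must be enabled AND running: status 2 (0 = not enabled, 1 = enabled, not running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }

    # CHPE only matters on Arm64. This reads the manually set registry value;
    # a device configured through the DisableCHPE CSP may not show it here.
    $chpeOk = ($arch -ne 'ARM64') -or ($mm.HotPatchRestrictions -eq 1)

    $checks = [ordered]@{
        Edition      = $editionOk
        Build        = $buildOk
        Architecture = ($arch -in 'AMD64', 'ARM64')
        VBSRunning   = ($vbsStatus -eq 2)
        CHPEDisabled = $chpeOk
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })

    [pscustomobject]@{
        EditionID    = $cv.EditionID
        OSBuild      = "$build.$ubr"
        Architecture = $arch
        VBSStatus    = $vbsStatus
        FailedChecks = $failed
        Ready        = ($failed.Count -eq 0)
    }
}

Test-HotpatchReadiness | Format-List
```

A VBSStatus of 1 corresponds to the "enabled but not running" case that leaves a device temporarily ineligible.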
Technical information about hotpatch updates
How can I tell which of my devices installed a hotpatch update?
Devices receiving the hotpatch update have a different knowledge base (KB) number tracking the release and a different OS version than devices receiving the standard update that requires a restart. The monthly KB release articles online indicate if the KB installed is hotpatch capable and the corresponding OS version.
The user interface of Windows Update also shows the message: “Great news! The latest security update was installed without a restart.”
Note: You’ll only see this message after the first few hotpatch update installations.
What if I restart a device after receiving a hotpatch update?
A device stays on the hotpatch update KB/OS version even after a restart. It won’t receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update.
What if I rely on regular restarts to reset and refresh systems, maintain system performance, or reduce support calls?
You don’t have to give up regular restarts. Hotpatching doesn’t eliminate your ability to restart—it gives you flexibility. You can maintain your existing restart cadence and routines while still benefiting from faster compliance. With hotpatching, critical updates are applied promptly, and you can schedule restarts on your terms, without the pressure of immediate patching requirements.
Do hotpatch updates apply to common Windows OS binaries loaded in third-party processes or only Microsoft processes?
Hotpatch updates aren’t limited to Microsoft processes. All Windows OS binaries that are used by third-party processes are also hotpatched. Hotpatch updates are only created for Windows OS binaries. Any process loading Windows OS binaries that have hotpatch updates installed will be patched in memory before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll.
How can I find out if a hotpatch update was applied to the specific DLL?
One of the ways to see the hotpatch modules is in the memory dump. Symbols for hotpatched DLLs depend on the function receiving the update. Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols).
Are there kernel-mode hotpatch updates?
Yes, there are kernel-mode hotpatch updates. To understand more about hotpatch engineering, visit Hotpatching on Windows.
What does a failure to apply hotpatch look like?
Hotpatch failures are the same as component-based servicing (CBS) failures that you’ve seen when installing other KBs (not enough disk space or download errors). In addition, hotpatch update errors are recorded in the event logs. Search the system log for the keyword “hotpatch” to see if your system encountered any errors.
Can users switch between hotpatch and standard Windows monthly updates?
Yes, users can manually download the standard Windows monthly update from the Microsoft Update Catalog. In this case, the device stops receiving hotpatch updates and receives standard Windows updates until the month after the next baseline month. Since the device is still enrolled in hotpatching, the device will automatically rejoin the hotpatch cadence of updates after the update is released on the baseline month.
Testing and error information
What does hotpatching look like from a forensic perspective?
Hotpatch update events show up in the audit logs. Using Process Explorer, search for “_hotpatch.” The results will show the hotpatch binaries loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload.
Can I get security alerts through Event Tracing for Windows about hotpatch events?
Hotpatch events are captured in the audit log. Search for “hotpatch” to find related errors if any have been captured. Learn more about Event Tracing for Windows (ETW).
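The keyword search described in the answers above can be scripted so that failures stand out from routine hotpatch events. This is an added example, not Microsoft's code. Find-HotpatchEvent is a hypothetical name; the page does not name the audit log channel, so only the System log is searched by default and any other channel passed to -LogName is an assumption.

```powershell
# Added example. Find-HotpatchEvent is a hypothetical helper name, not a Microsoft cmdlet.
function Find-HotpatchEvent {
    param(
        [string[]]$LogName = @('System'),   # the page names the System log for errors
        [int]$Days = 35                     # slightly more than one monthly release cycle
    )
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) }

    # Get-WinEvent raises an error when nothing matches the filter, so silence that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'hotpatch' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Log         = $_.LogName
                Provider    = $_.ProviderName
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                # Levels 1-3 are Critical, Error and Warning.
                IsFailure   = ($_.Level -in 1, 2, 3)
                Summary     = ($_.Message -split "`r?`n")[0]
            }
        }
}

$events   = @(Find-HotpatchEvent)
$failures = @($events | Where-Object IsFailure)

# Show failures first; the full set remains in $events for review.
$failures | Format-Table TimeCreated, Provider, Id, Level, Summary -AutoSize -Wrap
"{0} hotpatch-related events in the window, {1} at warning level or above" -f $events.Count, $failures.Count
```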
Do I need to test hotpatch updates if I already test monthly updates?
You should test hotpatch updates when released 8 times a year (according to plan) and the monthly standard updates 12 times a year. There are no hotpatch updates for you to test in January, April, July, or October.
Get started and browse additional resources
To receive the May 2025 hotpatch update, enroll your devices into hotpatching and update them with the April 2025 baseline update.
Visit the most up-to-date version of this information on Windows Autopatch – Frequently asked questions (FAQ).
See additional resources to help your organization make the most of hotpatch updates:
- Official announcement: Hotpatch for Windows client now available
- Technical documentation, including prerequisites, enrollment instructions, and troubleshooting: Hotpatch updates
- Windows 11, version 24H2 Enterprise hotpatch calendar: Windows 11 hotpatch calendar
- Monthly update contents: Release notes for hotpatch public preview on Windows 11, version 24H2 Enterprise clients
- User readiness information to share with people at your organization: Understanding security updates that get installed without a restart
- Per-policy level view of the current update statuses: Hotpatch quality update report
- Technical demo: The hottest way to update Windows 11 and Windows Server 2025