Windows IT Pro Blog:
Hotpatch updates for Windows 11 Enterprise, version 24H2 for x64 (AMD/Intel) CPU devices are now available. With hotpatch updates, you can quickly take measures to help protect your organization from cyberattacks, while minimizing user disruptions.
Hotpatching represents a significant advancement in our journey to help you, and everyone who uses Windows, stay secure and productive. So, let's talk about the benefits, how it works, and how you and your organization can take advantage of this advancement as part of your Windows servicing journey.
Benefits of hotpatch updates
Hotpatching offers numerous enhancements when it comes to keeping Windows client devices up to date:
- Immediate protection: Hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities.
- Consistent security: Devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month.
- Minimized disruptions: Users can continue their work without interruptions while hotpatch updates are installed. Hotpatch updates don't require the PC to restart for the remainder of the quarter. (Note: OS features, firmware, and/or application updates may still cause a restart in the quarter.)
The Windows Update settings page shows a message that the latest security update was installed without a restart.
How hotpatch technology works
You'll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console. All eligible Windows 11 Enterprise, version 24H2 devices managed by this policy will be offered hotpatch updates in a quarterly cycle, as shown below. The hotpatch updates follow the same ring deployment schedule as standard updates. Devices receiving the hotpatch update will see a different KB number tracking the hotpatch release and a different OS version than devices receiving the standard update that requires a restart.
A diagram showing baseline and hotpatch months, illustrating that no restarts are needed in a hotpatch month.
Hotpatch updates operate on a quarterly cycle:
- Cumulative baseline month: In January, April, July, and October, devices install the monthly fixed security update and restart. This update includes the latest security fixes, cumulative new features, and enhancements since the last cumulative baseline.
- Subsequent two months: Devices receive hotpatch updates, which only include security updates and do not require a restart. These devices will catch up on features and enhancements with the next cumulative baseline month (quarterly).
| Quarter | Baseline update (requires restart) | Hotpatch update (no restart required) |
|---|---|---|
| 1 | January | February and March |
| 2 | April | May and June |
| 3 | July | August and September |
| 4 | October | November and December |
Get started with hotpatch
To enable hotpatching for Windows client devices, you will need:
- A Microsoft subscription that includes Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription
- Devices running Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) and with the current baseline update installed
- An x64 CPU including AMD64 and Intel (Note: Arm®64 devices are still in public preview)
- Microsoft Intune to manage deployment of hotpatch updates with a hotpatch-enabled Windows quality update policy
- Virtualization-based Security (VBS) enabled
- The following registry value set:
  - Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - DWORD value: HotPatchRestrictions=1
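The following PowerShell script is an added example, not part of the blog post or of any Microsoft tooling: it audits one device against the prerequisites listed above (build, CPU architecture, VBS, the registry value, and the Windows edition) and reports whether the current month is a baseline or a hotpatch month in the quarterly cycle described earlier. The build threshold and registry path come from the post; the WMI class names and status codes are standard Windows semantics, and the edition check is a simple heuristic on the EditionID string.

```powershell
# Added example (not from the Windows IT Pro Blog post): hotpatch readiness audit.
# Run in an elevated PowerShell session on the device being assessed.

$minBuild = 26100; $minUbr = 2033          # "Build 26100.2033 or later" (from the post)
$baselineMonths = 1, 4, 7, 10              # January, April, July, October

# OS build and edition from the CurrentVersion key (UBR = update build revision, e.g. 2033)
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild
$ubr   = [int]$ver.UBR
$buildOk = ($build -gt $minBuild) -or ($build -eq $minBuild -and $ubr -ge $minUbr)

# Win32_Processor.Architecture: 9 = x64, 12 = Arm64 (Arm64 is still in preview per the post)
$arch   = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture
$archOk = ($arch -eq 9)

# Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$dg    = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsOk = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Registry value named in the prerequisites list
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hpr   = (Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue).HotPatchRestrictions
$hprOk = ($hpr -eq 1)

# Heuristic edition check: Enterprise or Education SKUs are the ones the post lists
$edition   = $ver.EditionID
$editionOk = ($edition -match 'Enterprise|Education')

[pscustomobject]@{
    DisplayVersion       = $ver.DisplayVersion   # expect 24H2
    Build                = "$build.$ubr"
    BuildOk              = $buildOk
    Architecture         = $arch
    ArchOk               = $archOk
    VbsStatus            = $dg.VirtualizationBasedSecurityStatus
    VbsOk                = $vbsOk
    HotPatchRestrictions = $hpr
    RegistryOk           = $hprOk
    Edition              = $edition
    EditionOk            = $editionOk
    AllPrereqsMet        = ($buildOk -and $archOk -and $vbsOk -and $hprOk -and $editionOk)
}

# Quarterly cycle from the post: baseline month (restart) vs hotpatch month (no restart)
$m = (Get-Date).Month
if ($baselineMonths -contains $m) { "Month $m is a cumulative baseline month: expect a restart." }
else { "Month $m is a hotpatch month: security-only update, no restart expected." }
```

Firmware, feature, or application updates can still force a restart in a hotpatch month, so the cycle message describes only the security update itself.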
If you meet the prerequisites for hotpatch updates, you can opt devices in (or out) for automated hotpatch update deployment using Windows Autopatch. From the Microsoft Intune admin center, navigate to Devices > Windows updates > Create Windows quality update policy and toggle it to Allow.
Enabling hotpatch updates by creating a Windows quality update policy in the Intune admin center.
Enroll and prepare now
Good news: The Windows quality update policy can auto-detect if your targeted devices are eligible for hotpatch updates. Devices running Windows 10 and Windows 11, version 23H2 and lower will continue to receive the standard monthly security updates, helping ensure that your ecosystem stays protected and productive.
Maintain robust security with hotpatch updates
The general availability of hotpatch technology for Windows clients marks a significant step forward in enhancing security and productivity for Windows 11 Enterprise users.
"Hotpatching has been a game-changer for keeping our devices secure without disrupting work. Initially, we didn't realize how significant it was to have security updates take effect immediately—without waiting for a reboot. But now, we see the real advantage: security is applied instantly, reducing risk and improving efficiency."
-- Michael Meier, Senior System Administrator, Krones AG
Hotpatch updates help ensure that devices are secured and that users stay productive with minimal disruptions. We encourage organizations to take advantage of this new feature to maintain a robust security posture while minimizing the impact on the user experience. Hotpatch updates are generally available on Intel and AMD-powered devices as of today, April 2, 2025, with the feature becoming available on Arm64 devices at a later date.
For more information, please refer to:
- Hotpatch updates (technical documentation)
- Hotpatch for client comes to Windows 11 Enterprise
- Skilling snack: Hotpatch on Windows client and server
- The hottest way to update Windows 11 and Windows Server 2025
- Hotpatch release notes
Source:
Hotpatch for Windows client now available - Windows IT Pro Blog
