Microsoft Intune update policies now include hotpatching by default to enhance security and minimize disruptions.
Microsoft has announced that the hotpatching feature is now enabled by default for all new Windows quality update policies created through Microsoft Intune. This new feature should help organizations improve security compliance and reduce downtime for Windows devices.
Hotpatching is a Windows update feature that allows certain updates (especially security patches) to be applied without rebooting the system. Instead, it applies changes directly to the system’s memory while it’s running, which helps maintain uptime and reduces disruptions for users. This feature is particularly useful in enterprise environments where minimizing downtime is important, as it ensures systems stay secure and operational without interrupting workflows.
Microsoft notes that hotpatch updates will be enabled by default for all new Windows Autopatch policies, so IT admins only need to review and deploy them. Administrators can also enable hotpatch updates on their existing policies by following the steps mentioned below:
To receive hotpatch updates, devices must meet specific requirements. They need to be running Windows 11 Enterprise version 24H2 or later and must be on the latest baseline release, which Microsoft provides quarterly through standard cumulative updates. Additionally, Microsoft Intune must be used to manage the deployment of these updates, with the Windows quality update policy configured to enable hotpatching.
Microsoft says that administrators must enable Virtualization-based security (VBS) on their Windows devices. You can learn more about enrolling devices to receive hotpatch updates on this support page.
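The device-side prerequisites above (Windows 11 Enterprise 24H2 or later, current baseline build, VBS enabled) can be checked before a policy is rolled out. The following PowerShell readiness check is an added example, not a script from Microsoft or from the article; the function name `Test-HotpatchReadiness` and the output fields are assumptions, and the build threshold of 26100 is the build number Windows 11 24H2 shipped with. Intune enrollment and the quality update policy's hotpatch setting are not visible from the device in this way and are confirmed in the Intune admin center; the baseline-release requirement is left as a manual comparison, so the script reports the installed build and UBR for that purpose.

```powershell
# Added readiness check (not from Microsoft or the article): reports whether a device
# meets the local hotpatch prerequisites the article lists. The quarterly baseline
# check is left to the admin: the script prints the installed build/UBR for comparison.

function Test-HotpatchReadiness {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Requirement 1: Windows 11 Enterprise. Win32_OperatingSystem.Caption carries the
    # edition name, e.g. "Microsoft Windows 11 Enterprise".
    $isEnterprise = $os.Caption -match 'Windows 11 Enterprise'

    # Requirement 2: version 24H2 or later. 24H2 shipped as build 26100; DisplayVersion
    # gives the marketing name ("24H2"), BuildNumber the numeric build.
    $build      = [int]$os.BuildNumber
    $is24H2Plus = $build -ge 26100

    # Requirement 3: Virtualization-based security must be enabled.
    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # One object per device so results can be collected from many machines and filtered.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Edition          = $os.Caption
        DisplayVersion   = $ver.DisplayVersion
        Build            = "$build.$($ver.UBR)"   # compare with the current quarterly baseline
        IsEnterprise     = $isEnterprise
        Is24H2OrLater    = $is24H2Plus
        VbsStatusCode    = $dg.VirtualizationBasedSecurityStatus
        VbsRunning       = $vbsRunning
        MeetsLocalChecks = ($isEnterprise -and $is24H2Plus -and $vbsRunning)
    }
}

# Usage: run elevated on the device, or fan out with
#   Invoke-Command -ComputerName PC01,PC02 -ScriptBlock ${function:Test-HotpatchReadiness}
Test-HotpatchReadiness | Format-List
```

Devices where `MeetsLocalChecks` is false will keep receiving the standard cumulative update (with its reboot) rather than the hotpatch, so the VBS and edition results are the ones to fix first; a device on an older build than the current baseline also needs that baseline installed once before hotpatches apply.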