Microsoft Announces Hotpatching Support for Windows 11 Enterprise 24H2 PCs

Hotpatch updates allow seamless security updates without requiring device reboots.

Published: Apr 03, 2025

Key Takeaways:

  • Hotpatch updates allow security updates to be applied without rebooting the device.
  • Hotpatch updates follow a quarterly cycle, with non-rebooting security updates in alternate months and feature updates requiring a restart in other months.
  • This feature is available for Intel and AMD-powered devices.

Microsoft has announced that hotpatch updates are available for Windows 11 Enterprise version 24H2 PCs with Intel and AMD processors. This feature enables users to apply OS security patches in the background, eliminating the need for device reboots.

How does the hotpatch feature work?

According to Microsoft, hotpatch updates follow the same ring deployment schedule as standard updates. However, devices receiving hotpatch updates will have a unique KB number for tracking, and they will display a different OS version compared to those that require a reboot for standard updates.

“With hotpatch updates, you can quickly take measures to help protect your organization from cyberattacks while minimizing user disruptions. You’ll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console. Devices managed by this policy will be offered hotpatch updates in a quarterly cycle. Eight months out of twelve, you won’t need to restart the device for the security update to take effect,” Microsoft explained.

Microsoft says that hotpatch updates follow a quarterly cycle. In January, February, April, July, and October, devices receive security updates with new features and enhancements that require a restart. In the following two months, hotpatch updates are delivered, focusing solely on security fixes without the need for a restart, helping minimize downtime. Feature updates and enhancements are applied in the next quarterly cumulative baseline month.

Getting started with hotpatch updates

Microsoft hotpatching support is available for customers with Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription. To use this feature, customers must have a Windows 11 Enterprise 24H2 PC with the latest baseline update installed, an x64 CPU (AMD64 or Intel), Virtualization-based Security (VBS) enabled, and Microsoft Intune to manage deployment with a hotpatch-enabled Windows quality update policy.

Hotpatch updates are currently available in public preview for Arm64 devices. IT admins can disable CHPE (Compiled Hybrid PE) support by setting the following registry value:

  • Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • DWORD Key value: HotPatchRestrictions=1
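
A read-only PowerShell check of the device-side prerequisites and the registry value listed above, added here as an example (it is not Microsoft's or this article's code). The function name is hypothetical, and two choices are assumptions: VBS status 2 (running) is the passing state, and `HotPatchRestrictions=1` is expected on Arm64 devices. Licensing and the Intune quality update policy are not visible locally and are not checked.

```powershell
# Added example: read-only audit of the local hotpatch prerequisites.
# Test-HotpatchPrerequisite is a hypothetical name, not a Microsoft cmdlet.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param()

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $arch = $env:PROCESSOR_ARCHITECTURE          # AMD64 or ARM64

    # VBS state: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { $null }

    # Registry value named in the article; a missing value is reported as $null.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $restrict = (Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions `
                     -ErrorAction SilentlyContinue).HotPatchRestrictions

    $checks = [ordered]@{
        EnterpriseEdition = $os.Caption -match 'Windows 11 Enterprise'
        Version24H2       = $cv.DisplayVersion -eq '24H2'
        SupportedCpu      = $arch -in 'AMD64', 'ARM64'
        # Assumption: "VBS enabled" is taken to mean enabled and running.
        VbsRunning        = $vbsStatus -eq 2
        # Assumption: on Arm64, CHPE must be disabled (HotPatchRestrictions=1).
        ChpeDisabled      = ($arch -ne 'ARM64') -or ($restrict -eq 1)
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Architecture         = $arch
        VbsStatus            = $vbsStatus
        HotPatchRestrictions = $restrict
        FailedChecks         = @($checks.Keys | Where-Object { -not $checks[$_] })
        LocalChecksPass      = -not ($checks.Values -contains $false)
    }
}

Test-HotpatchPrerequisite | Format-List
```

The function only reads state, so it can be run as a fleet compliance script to list devices whose `FailedChecks` is non-empty before they are assigned to a hotpatch-enabled policy.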

Microsoft notes that IT administrators can enable/disable hotpatch updates by heading to the Microsoft Intune admin center. From there, navigate to Devices > Windows updates > Create Windows quality update policy and toggle it to Allow.

Currently, hotpatch updates are available for Intel and AMD-powered Windows client devices. Microsoft also plans to make this feature generally available for Arm64 devices, though there is no ETA yet. We invite you to check out this support page to learn more about hotpatch updates.
