Windows Hotpatch is here for Windows 11 24H2 endpoints. Hotpatch has been available for a bit for Windows Server, but it's now available in public preview for Windows 11 as well. Head directly to the bottom of this post to see how to enable hotpatch on your devices.
What is Windows 11 Hotpatch?
Windows 11 Hotpatch gives you the ability to apply security updates without restarting a device, which means more updates behind the scenes and fewer update restarts for end users.
Hotpatch Release Cycle
Devices that are opted into hotpatching will now receive feature and quality updates every 2 months, or 4 months each year (January, April, July, October). The remaining months will be security updates only, delivered via hotpatching 8 months of the year (February, March, May, June, August, September, November, December).

Security takes precedence over hotpatching: if a security update cannot be delivered via hotpatch, the hotpatch for that month will be cancelled.
Tips and Prerequisites
- Admins can still manually push feature updates if needed.
- Hotpatch updates can be uninstalled in update history just like any other KB update; however, uninstalling a hotpatch does require a restart.
- ARM64 endpoints must disable CHPE before hotpatching. Beware: some devices could have a dependency on CHPE, so be sure to test this before rolling it out. Below is the registry key to control this setting.
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - DWORD Key Value: HotPatchRestrictions=1
- Memory Integrity / VBS must be enabled. If you are already taking advantage of Secure Boot (you should be if you're not), this is likely enabled. But you can double-check under the Core isolation setting in Windows.
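
To confirm these prerequisites on a device before enrolling it, here is a read-only check, added as an example and not part of the original post or any Microsoft tooling. It assumes build 26100 identifies Windows 11 24H2 and reads VBS / memory integrity state from the Win32_DeviceGuard CIM class; the function name Test-HotpatchReadiness is hypothetical.

```powershell
# Added example: read-only check of the hotpatch prerequisites listed in this post.
# Assumptions: build 26100 = Windows 11 24H2; Test-HotpatchReadiness is a hypothetical name.
function Test-HotpatchReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $isArm = $env:PROCESSOR_ARCHITECTURE -eq 'ARM64'

    # VBS / memory integrity state from the Device Guard CIM class.
    # VirtualizationBasedSecurityStatus: 2 = running.
    # SecurityServicesRunning: contains 2 when memory integrity (HVCI) is running.
    $dgArgs = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'SilentlyContinue'
    }
    $dg = Get-CimInstance @dgArgs

    # CHPE only applies to ARM64; the value name and data are the ones given in the post.
    $chpeOk = $true
    if ($isArm) {
        $mm     = Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue
        $chpeOk = ($mm.HotPatchRestrictions -eq 1)
    }

    # EditionID is compared strictly; adjust if your fleet uses other Enterprise SKUs.
    $checks = [ordered]@{
        'Windows 11 24H2 (build 26100)'           = ([int]$cv.CurrentBuildNumber -eq 26100)
        'Enterprise edition'                      = ($cv.EditionID -eq 'Enterprise')
        'VBS running'                             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'Memory integrity running'                = ($dg.SecurityServicesRunning -contains 2)
        'CHPE disabled (ARM64 only, else passes)' = $chpeOk
    }

    # Emit one object per prerequisite so results can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

Test-HotpatchReadiness | Format-Table -AutoSize
```

Any row with Passed = False points at the prerequisite to fix before assigning the hotpatch policy to that device.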


How do I take advantage of Hotpatch?
First, devices need to be on Windows 11 24H2 Enterprise. Then, we’ll use Microsoft Intune to enable Hotpatch.