Windows IT Pro Blog

Hotpatch for Windows client now available

David_Callaghan
Apr 02, 2025

Hotpatch updates for Windows 11 Enterprise, version 24H2 for x64 (AMD/Intel) CPU devices are now available. With hotpatch updates, you can quickly take measures to help protect your organization from cyberattacks, while minimizing user disruptions.

Hotpatching represents a significant advancement in our journey to help you, and everyone who uses Windows, stay secure and productive. So, let's talk about the benefits, how it works, and how you and your organization can take advantage of this advancement as part of your Windows servicing journey.

Benefits of hotpatch updates

Hotpatching offers numerous enhancements when it comes to keeping Windows client devices up to date:

  • Immediate protection: Hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities.
  • Consistent security: Devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month.
  • Minimized disruptions: Users can continue their work without interruptions while hotpatch updates are installed. Hotpatch updates don't require the PC to restart for the remainder of the quarter. (Note: OS features, firmware, and/or application updates may still cause a restart in the quarter.)
The Windows Update settings page shows a message that the latest security update was installed without a restart.

How hotpatch technology works

You'll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console. All eligible Windows 11 Enterprise, version 24H2 devices managed by this policy will be offered hotpatch updates in a quarterly cycle, as shown below. The hotpatch updates follow the same ring deployment schedule as standard updates. Devices receiving the hotpatch update will see a different KB number tracking the hotpatch release and a different OS version than devices receiving the standard update that requires a restart.

A diagram showing baseline and hotpatch months, illustrating that no restarts are needed on hotpatch month.

Hotpatch updates operate on a quarterly cycle:

  • Cumulative baseline month: In January, April, July, and October, devices install the monthly fixed security update and restart. This update includes the latest security fixes, cumulative new features, and enhancements since the last cumulative baseline.
  • Subsequent two months: Devices receive hotpatch updates, which only include security updates and do not require a restart. These devices will catch up on features and enhancements with the next cumulative baseline month (quarterly).

This cycle reduces the number of required restarts for Windows updates from twelve to just four per year, thanks to eight planned hotpatch updates annually:

Quarter | Baseline update (requires restart) | Hotpatch update (no restart required)
1 | January | February and March
2 | April | May and June
3 | July | August and September
4 | October | November and December

Get started with hotpatch

To enable hotpatching for Windows client devices, you will need:

  • A Microsoft subscription that includes Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription
  • Devices running Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) and with the current baseline update installed
  • An x64 CPU including AMD64 and Intel (Note: Arm®64 devices are still in public preview)
  • Microsoft Intune to manage deployment of hotpatch updates with a hotpatch-enabled Windows quality update policy
  • Virtualization-based Security (VBS) enabled

For Arm64 devices, hotpatch updates are still in public preview, so there is an additional prerequisite. Specifically, you will need to set the following registry key to turn off CHPE support:

  • Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • DWORD Key value: HotPatchRestrictions=1

A new DisableCHPE CSP will be provided as an alternative to manually setting the HotPatchRestrictions registry key as shown above. Restart the device to ensure the operating system is enforcing the setting. You only need to set this once. This new CSP will be available shortly after the April 2025 security update. Devices must disable CHPE to be eligible for hotpatch updates.
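As an added example (not code from this post or from Microsoft), the PowerShell below reports the prerequisites listed above on the local device and, for Arm64 only, can write the HotPatchRestrictions value. It assumes an elevated session, reads the build number and UBR from the registry, and treats the Win32_DeviceGuard VirtualizationBasedSecurityStatus value 2 ("running") as the VBS check.

```powershell
# Added example, not from the post: check the hotpatch prerequisites the article
# lists and, on Arm64, apply HotPatchRestrictions=1. Assumes an elevated session.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Test-HotpatchPrerequisites {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [version]"$($cv.CurrentBuildNumber).$($cv.UBR)"
    $minBuild = [version]'26100.2033'   # Windows 11 Enterprise, version 24H2 minimum from the post

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    $arch = $env:PROCESSOR_ARCHITECTURE   # AMD64 (x64) or ARM64
    $restrictions = (Get-ItemProperty -Path $MemMgmtKey -Name HotPatchRestrictions `
                        -ErrorAction SilentlyContinue).HotPatchRestrictions

    [pscustomobject]@{
        Edition      = $cv.EditionID        # compare against the SKU list in the post
        Build        = $build
        BuildOk      = ($build -ge $minBuild)
        Architecture = $arch
        VbsRunning   = $vbsRunning
        # Arm64 only: CHPE must be off, which the post expresses as HotPatchRestrictions = 1
        ChpeDisabled = ($arch -ne 'ARM64') -or ($restrictions -eq 1)
    }
}

function Set-HotpatchArmRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($env:PROCESSOR_ARCHITECTURE -ne 'ARM64') {
        Write-Warning 'HotPatchRestrictions is only required on Arm64 devices; nothing changed.'
        return
    }
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set HotPatchRestrictions (DWORD) = 1')) {
        New-ItemProperty -Path $MemMgmtKey -Name HotPatchRestrictions -Value 1 `
            -PropertyType DWord -Force | Out-Null
        Write-Output 'HotPatchRestrictions=1 written; restart the device so the OS enforces it.'
    }
}

Test-HotpatchPrerequisites | Format-List
```

Run `Set-HotpatchArmRestriction -WhatIf` first to see the registry write without applying it.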

If you meet the prerequisites for hotpatch updates, you can opt devices in (or out) for automated hotpatch update deployment using Windows Autopatch. From the Microsoft Intune admin center, navigate to Devices > Windows updates > Create Windows quality update policy and toggle it to Allow.

Enabling hotpatch updates by creating a Windows quality update policy in the Intune admin center.

Enroll and prepare now

Good news: The Windows quality update policy can auto-detect if your targeted devices are eligible for hotpatch updates. Devices running Windows 10 and Windows 11, version 23H2 and lower will continue to receive the standard monthly security updates, helping ensure that your ecosystem stays protected and productive.

Maintain robust security with hotpatch updates

The general availability of hotpatch technology for Windows clients marks a significant step forward in enhancing security and productivity for Windows 11 Enterprise users.

"Hotpatching has been a game-changer for keeping our devices secure without disrupting work. Initially, we didn't realize how significant it was to have security updates take effect immediately—without waiting for a reboot. But now, we see the real advantage: security is applied instantly, reducing risk and improving efficiency."

-- Michael Meier, Senior System Administrator, Krones AG


Hotpatch updates help ensure that devices are secured and that users stay productive with minimal disruptions. We encourage organizations to take advantage of this new feature to maintain a robust security posture while minimizing the impact on the user experience. Hotpatch updates are generally available on Intel and AMD-powered devices as of today, April 2, 2025, with the feature becoming available on Arm64 devices at a later date.    

For more information, please refer to:


Updated Apr 02, 2025
Version 1.0

14 Comments

  • hoyty76
    Steel Contributor

    Does this work with Windows 11 Education (the sister SKU to Enterprise)? Not talking about Pro Education.

  • CK6218
    Copper Contributor

That means NASA needs to take note for their Windows clients during January, April, July, and October; it might auto-reboot during a rocket's launch stage.

  • Xyz00777
    Copper Contributor

    Nice feature, and cool that Windows is closing the feature gap to what Linux has been able to do for years.

    But what I really don't understand is why only business, and why only with Office 365 business subscriptions. Especially a feature like this, which can break many things, I would have expected to first come out for Windows Home and Pro users and only later for business and education license users, so that it is already tested and really stable... So things like the above with Arm systems would not happen to enterprise people, where time can literally be money...

    So I hope that these really strange limitations will get lifted and normal consumers can also use it in the future :)

    And again, nice work implementing it!

  • harveyarscott
    Copper Contributor

    I have enabled Hotpatch on my 24H2 device and it's working well. One thing I have noticed is that insider preview patches no longer appear. I assume this is correct and the insider preview patches do not work alongside Hotpatch?

    • David_Callaghan
      Microsoft

      That is the expected behavior. The Windows Quality Update policy will keep the hotpatch enabled devices on the patch Tuesday update cadence and not offer "D" releases.

  • Hello! Great news! David_Callaghan 

    But I have a question about which would be the correct Virtualization-based Security (VBS) configuration, 1 or 2?


    This is something that can be very confusing, as the names are similar.

    • David_Callaghan
      Microsoft

      #2 is the VBS setting you want to enable. You must reboot the device for it to take effect. Check "System Information" and scroll to the bottom; you want to see "Virtualization Based Security" - Running.

  • Can this be extended so users with Windows 11 Enterprise license + Intune subscription can use it too? In other words, rather than requiring a Windows 11 Enterprise as a subscription, enable it so users with valid Windows 11 Enterprise licenses can use it too.

  • Be careful not to deploy the Intune policy to ARM64 devices yet, it screwed up my Surface Laptop 7 and I had to manually get rid of all the hotpatching settings.

    • David_Swenson
      Steel Contributor

      That's interesting... it worked great for us via Intune with a filter applied for ARM64 when using

      ./Device/Vendor/MSFT/Policy/Config/Registry/HKLM/SYSTEM/CurrentControlSet/Control/SessionManager/MemoryManagement/HotPatchRestrictions

      Integer = 1

      Worked on 2nd Gen Surface Pro X and Surface Pro 9. I am hopeful for a more native support approach by the time Summer rolls around... 

      • MaximeRastello
        Brass Contributor

        I will give it a try, as this requirement was not documented when I tried a few months back ;)

  • David_Swenson
    Steel Contributor

    Please enable Hotpatching for Microsoft 365 Business Premium users/Windows 11 Pro Business SKUs. This is an essential feature that should extend to all Windows 11 users if they are managed by Intune.