Microsoft has announced that Hotpatch updates for Windows 11 Enterprise are now generally available through Intune, marking a significant advancement in how organizations can maintain security and productivity with minimal user disruption. Earlier on, I shared what little was floating around about Autopatch, buried in an article about the Windows Servicing Stack.

What is Hotpatch?

Hotpatch is a new mechanism that allows security updates to be deployed and applied without requiring a device restart. Organizations can quickly patch vulnerabilities while avoiding the downtime and workflow interruptions typically associated with traditional updates.

Key Benefits of Hotpatch Updates

  • No Restart Required: Hotpatch updates are applied instantly, without forcing users to reboot their devices. This helps maintain productivity and reduces the impact of security maintenance.
  • Faster Security Compliance: Organizations can achieve quicker compliance with security requirements, as critical patches are deployed and effective immediately.
  • Seamless Integration: Existing update ring configurations in Intune are honored, so administrators do not need to overhaul their update management strategies to take advantage of Hotpatch.
  • Visibility and Reporting: The Hotpatch quality update report in Intune provides detailed, policy-level visibility into update status across all managed devices.

How to Enable Hotpatch in Intune

  1. Go to the Intune admin center.
  2. Navigate to Devices > Windows updates > Create Windows quality update policy.
  3. In the policy settings, toggle “Allow” for Hotpatch updates.
  4. Assign the policy to eligible devices.

Intune will automatically detect if targeted devices are eligible for Hotpatch. Devices running Windows 10 or 11 versions earlier than 24H2 will continue receiving standard monthly security updates.

Eligibility and Requirements

  • Supported Versions: Windows 11 Enterprise, version 24H2 or later, on x64 (AMD/Intel) CPUs. Arm64 support is in public preview and requires additional configuration.
  • Licensing:
    • Windows 11 Enterprise E3, E5, or F3
    • Windows 11 Education A3 or A5
    • Windows 365
  • Baseline Updates: Devices must be on the latest baseline release to qualify for Hotpatch. Baseline updates are released quarterly and require a restart, while Hotpatch updates are released in the intervening months and do not require a restart.
  • Security Settings: Virtualization-based Security (VBS) must be enabled on eligible devices.

Release Cycle

Quarter   Baseline Update (Restart Required)   Hotpatch (No Restart Required)
Q1        January                              February, March
Q2        April                                May, June
Q3        July                                 August, September
Q4        October                              November, December
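As an added illustration (not from the original post or from Microsoft's documentation), here is a read-only PowerShell check of the prerequisites listed above, together with a lookup of which stream the current month falls in according to the release table. It cannot confirm that the device is on the latest quarterly baseline or that the Intune policy has applied; the build number used for 24H2 (26100), the VBS status codes and the EditionID values are assumptions, not something the post states.

```powershell
# Added example: local check of the Hotpatch prerequisites from the post.
# Run in an elevated PowerShell session on the device itself.
# Assumptions (not on the page): 24H2 = build 26100 or later,
# Win32_DeviceGuard reports VBS as 2 = running, and the EditionID values
# below are the ones that correspond to the licensed Enterprise/Education SKUs.

function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param()

    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $edition = [string]$cv.EditionID
    $arch    = $env:PROCESSOR_ARCHITECTURE      # AMD64 (x64) or ARM64

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }

    $eligibleEditions = @('Enterprise', 'EnterpriseN', 'Education', 'EducationN')

    $checks = [ordered]@{
        'Windows 11 24H2 or later (build >= 26100)' = ($build -ge 26100)
        'Enterprise or Education edition'           = ($eligibleEditions -contains $edition)
        'x64 CPU (Arm64 is still public preview)'   = ($arch -eq 'AMD64')
        'Virtualization-based Security running'     = ($vbsStatus -eq 2)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
    Write-Verbose "build=$build edition=$edition arch=$arch vbs=$vbsStatus"
}

# Which stream a calendar month belongs to, per the release table above:
# January, April, July and October are baseline months (restart required).
function Get-HotpatchMonthKind {
    param([ValidateRange(1, 12)][int]$Month = (Get-Date).Month)
    if ($Month -in @(1, 4, 7, 10)) { 'Baseline update (restart required)' }
    else                           { 'Hotpatch update (no restart required)' }
}

$results = Test-HotpatchPrerequisites
$results | Format-Table -AutoSize
"Meets local Hotpatch prerequisites: $(-not ($results.Pass -contains $false))"
"This month's stream: $(Get-HotpatchMonthKind)"
```

A device that passes every row still needs to be on the latest baseline and targeted by a quality update policy with Hotpatch set to Allow before Intune will deliver Hotpatch updates to it.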

Below, you can see the two update streams, with Hotpatch devices at the top and devices that are not Hotpatch-capable at the bottom. Both kinds of device apply patches through Windows Update for Business controls, but Hotpatch devices might have only Hotpatch enabled and no custom rings. Comparing a Hotpatch machine with a non-Hotpatch machine shows a clearly different patching cadence.

Typical devices patch once a month and reboot, whereas Hotpatch devices reboot only once a quarter for the baseline update and otherwise take in-memory patches that do not require a restart. Hotpatch updates contain security fixes only; feature updates will always require a reboot.

Source: Microsoft

What Happens to Ineligible Devices?

Devices that do not meet Hotpatch prerequisites will automatically receive the standard Latest Cumulative Update (LCU), which does require a restart but ensures ongoing security and compliance. This is your current Windows update experience and nothing changes for ineligible devices.

Why This Matters

The general availability of Hotpatch for Windows 11 Enterprise via Intune is a significant step forward for IT administrators seeking to balance robust security with a seamless user experience. Organizations can deploy critical security patches faster, reducing vulnerability windows while minimizing user disruption, a win for both security teams and end users.

Next Steps

Organizations using Intune are encouraged to review their device eligibility and update policies to take advantage of Hotpatch. Refer to Microsoft’s official documentation and release notes for more information and detailed setup instructions.

Resources

Want to go deeper? Here are some resources to help you out.

Hotpatch for Windows client now available – Windows IT Pro Blog

Hotpatch updates | Microsoft Learn

Skilling snack: Hotpatch on Windows client and server | Microsoft Community Hub

Release notes for hotpatch public preview on Windows 11, version 24H2 Enterprise clients – Microsoft Support