Hotpatching has been announced for Windows 11 24H2 and Windows Server 2025 for some time. This feature is now available for users of Windows 11 24H2 Enterprise, i.e. the restart after an update installation can be omitted a few times a year. However, there are certain restrictions that should be observed.
What does hotpatching mean?
In the support article Hotpatch for virtual machines from October 2023, Microsoft describes the chosen approach for hotpatching as a method for installing operating system security updates on supported virtual machines (VMs) under Windows Server Datacenter: Azure Edition without requiring a reboot after installation. The in-memory code of running processes is patched without having to restart the process.
Microsoft has been working on this topic for some time. But hotpatching is a term that runs through the announcements like a mirage. In July 2022, I reported in the blog post VMs running Windows Server Datacenter 2022 on Azure with Desktop Experience: Hotpatching available that a corresponding function was available for Windows Server Datacenter 2022 on Azure.
In the blog post Windows Server 2025 introduced, I also mentioned at the beginning of 2024 that this product has hotpatching on board. Furthermore, hotpatching was announced for Windows 11 24H2; I published some details about Microsoft's plans for hotpatching in February 2024 in the blog post Windows 11 24H2: Is Microsoft planning "hotpatching" (Update installation without reboot)?
Hotpatching available in Windows 11 24H2
On April 2, 2025, I came across the following tweet from Windows IT Pro, where the topic of "hotpatch updates" for Windows 11 Enterprise systems is mentioned. Microsoft has described the whole thing in more detail in the Techcommunity article Hotpatch for Windows client now available.
Hotpatch updates are now available for Windows 11 Enterprise version 24H2, but only for x64 (AMD/Intel) CPU devices. ARM systems running Windows 11 24H2 should receive this feature later.
What administrators need to do
Administrators must first create a hotpatch-enabled quality update policy in Windows Autopatch via the Microsoft Intune console. All eligible Windows 11 Enterprise, version 24H2 devices managed by this policy will be offered hotpatch updates on a quarterly cycle.
The hot patch updates are distributed in the same way as the standard updates. However, devices that receive the hotpatch update will see a different KB number (for the hotpatch version) and a different operating system version than devices that receive the standard update, which requires a reboot. Hotpatch updates are released in a quarterly cycle:
- Cumulative baseline month: In January, April, July and October, devices install the monthly fixed security update and reboot. This update contains the latest security fixes, cumulative new features and improvements since the last cumulative baseline update.
- The following two months: The devices receive hot patch updates that only contain security updates and do not require a reboot. These devices catch up with the features and improvements with the next cumulative baseline month (quarterly).
This cycle reduces the number of reboots required for Windows updates from twelve to just four per year, thanks to the eight planned hotpatch updates per year.
Requirements for hot patch updates
The following requirements must be met in order to process hot patch updates.
- A Microsoft subscription that includes Windows 11 Enterprise E3, E5 or F3, Windows 11 Education A3 or A5 or a Windows 365 Enterprise subscription.
- Devices running Windows 11 Enterprise, version 24H2 (build 26100.2033 or later), with the latest base update installed.
- An x64 CPU, including AMD64 and Intel (Note: Arm®64 devices are still in public preview).
- Microsoft Intune to manage the deployment of hotpatch updates with a hotpatch-enabled Windows Quality Update policy.
And finally, Virtualization Based Security (VBS) must be enabled.
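A local pre-check of the device-side requirements listed above, as an added PowerShell example that is not taken from Microsoft's article or from the original post. The function name Test-HotpatchPrerequisite is hypothetical, and "VBS enabled" is read here as "enabled and running"; the subscription and the Intune policy cannot be verified on the device and are not checked.

```powershell
# Added example; Test-HotpatchPrerequisite is a hypothetical helper name.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param(
        # Minimum OS build from the requirements list (26100.2033 or later)
        [version]$MinimumBuild = '10.0.26100.2033'
    )

    # CurrentBuildNumber and UBR (update build revision) form the "26100.xxxx" build string
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)

    # Win32_Processor.Architecture: 9 = x64, 12 = ARM64
    $arch = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Architecture

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { 0 }

    $result = [ordered]@{
        EditionId = $cv.EditionID
        EditionOk = $cv.EditionID -eq 'Enterprise'   # device requirement as stated on this page
        OsBuild   = $osBuild.ToString()
        BuildOk   = $osBuild -ge $MinimumBuild
        X64Ok     = $arch -eq 9
        VbsStatus = $vbs
        VbsOk     = $vbs -eq 2   # assumption: "enabled" is read as enabled and running
    }
    # Overall verdict for the checks that can be made locally
    $result['DeviceSideOk'] = $result['EditionOk'] -and $result['BuildOk'] -and
        $result['X64Ok'] -and $result['VbsOk']
    [pscustomobject]$result
}

Test-HotpatchPrerequisite | Format-List
```

A VbsStatus of 1 means VBS is configured but not running, which usually points to a pending reboot or missing hardware virtualization support in firmware.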