Reminder: Hotpatch eligibility and prerequisites
Hotpatch is an extension of Windows Update, designed to reduce downtime and disruptions by allowing the installation of Monthly B release security updates without requiring a device restart. We encourage users to test and use Hotpatch.
However, it’s important to note that not all devices are eligible for Hotpatch updates. We want to remind you of the prerequisites necessary to ensure a successful Hotpatch deployment across your environment. For complete details, see Windows Autopatch Hotpatch Updates.
When will this happen:
The Hotpatch feature is currently in public preview. We welcome users to test and use Hotpatch in production environments and to send us their feedback. Enrollment in Hotpatch updates begins in the Intune admin center. See the resources in the Additional Information section below.
How this will affect your organization:
If you’ve recently added devices to your Hotpatch policy as part of Windows Autopatch, please note the below prerequisites to ensure successful Hotpatch deployment.
All devices must meet the following prerequisites:
- Operating system: Devices must be running Windows 11 24H2, specifically the January 2025 Windows monthly security update – KB5050009 (OS Build 26100.2894) (baseline).
- Virtualization-Based Security (VBS): This must be enabled to ensure secure installation of Hotpatch updates. For details, see Memory integrity and VBS enablement.
- Arm64 devices only: Disable compiled hybrid PE usage (CHPE) by making the following changes.
  - Edit the Windows registry: Path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - DWORD key value: HotPatchRestrictions = 1
  - You must restart the computer after you set this registry key. Once set, you do not need to set it again because it will persist. See the documentation in the Additional Information section for additional details.
What you need to do to prepare:
In order to take advantage of the benefits of Hotpatch, devices must meet the necessary prerequisites. Review devices in your environment and see the resources at the Additional Information section below if deployment is not occurring as expected.
Devices that don’t meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. LCUs contain monthly updates that supersede the previous month’s updates containing both security and non-security releases. While LCUs require a system restart, they ensure that the device remains fully secure and compliant.
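To review a device against the prerequisites listed above, a read-only check like the following can be run locally in an elevated PowerShell session. This is an added example, not part of the original notice or of any Microsoft tooling; the function name Test-HotpatchPrerequisite is hypothetical, and the script assumes that build 26100 at revision 2894 or later satisfies the baseline and that VBS must be running, not only configured.

```powershell
# Added example: read-only Hotpatch prerequisite check for the local device.
# Test-HotpatchPrerequisite is a hypothetical name, not a Microsoft cmdlet.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param()

    # OS baseline from the notice: Windows 11 24H2, OS Build 26100.2894 (KB5050009).
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    # Assumption: build 26100 with a revision at or above 2894 meets the baseline.
    $osOk  = ($build -eq 26100) -and ($ubr -ge 2894)

    # VBS state: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # Assumption: only "running" (2) is treated as meeting the VBS prerequisite.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { 0 }
    $vbsOk     = ($vbsStatus -eq 2)

    # Arm64 only: HotPatchRestrictions must be 1 (CHPE disabled).
    # Win32_Processor.Architecture value 12 means ARM64.
    $cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $isArm64 = ($cpu.Architecture -eq 12)
    $chpeOk  = $true
    $restrictions = $null
    if ($isArm64) {
        $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $prop  = Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue
        $restrictions = $prop.HotPatchRestrictions
        $chpeOk = ($restrictions -eq 1)
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSBuild              = "$build.$ubr"
        OSBaselineMet        = $osOk
        VbsStatus            = $vbsStatus
        VbsRunning           = $vbsOk
        IsArm64              = $isArm64
        HotPatchRestrictions = $restrictions
        ChpeDisabledOrNA     = $chpeOk
        Eligible             = ($osOk -and $vbsOk -and $chpeOk)
    }
}

Test-HotpatchPrerequisite | Format-List
```

On Arm64 devices the check only confirms that the registry value is present; it cannot confirm that the device was restarted after the value was set, so verify the restart separately.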
Additional information:
- For more details on device requirements, see Hotpatch updates (public preview) | Operating system configuration prerequisites
- To enroll in Hotpatch and see the latest release schedule, see Hotpatch updates (public preview) | Enroll devices to receive Hotpatch updates
- If you have any questions or need further assistance, please reach out to your Microsoft representative.
Message ID: MC999973