Enabling hotpatch for Windows 11 Enterprise

This week is all about the latest change in updating Windows 11 devices: the introduction of hotpatch updates for Windows 11 Enterprise. Hotpatching helps organizations keep Windows secure while minimizing the disruptions for the user, a significant step in keeping Windows both more secure and more productive. Hotpatching removes the requirement for Windows devices to reboot after every update installation, while still providing a complete set of security fixes. That is exactly the point of importance for the user experience, as the device requires fewer reboots. This post starts with a brief introduction to Windows hotpatch, followed by the configuration steps, and ends with experiencing the configuration.

Note: The hotpatch technology is already being used for two years on Windows Server and is now available (in preview) for Windows 11 Enterprise, version 24H2 and later.

Introducing Windows hotpatch on Windows 11 Enterprise

When discussing the Windows hotpatch functionality for Windows 11 Enterprise, it all starts with the expected behavior. Hotpatch updates are the monthly security updates (also known as the B-release) that can be installed without restarting the device. That helps with reducing downtime and disruptions. And by minimizing the need to restart, it becomes a lot easier for organizations to keep the security of their devices at the required level. For that, it is important to understand that there is a difference between baseline releases and hotpatch releases. The baseline releases contain the latest security fixes, new features, and other enhancements, and still require a reboot, while the hotpatch releases only contain security fixes and do not require a reboot. The baseline releases are released every quarter of the year, as shown in the table below.

Month   Release type
Jan     Baseline release
Feb     Hotpatch release
Mar     Hotpatch release
Apr     Baseline release
May     Hotpatch release
Jun     Hotpatch release
Jul     Baseline release
Aug     Hotpatch release
Sep     Hotpatch release
Oct     Baseline release
Nov     Hotpatch release
Dec     Hotpatch release

Besides the different releases, it is also important to understand when Windows 11 Enterprise devices are eligible for hotpatch updates. Not only is Windows 11 version 24H2 or later required, but Virtualization-Based Security (VBS) must also be enabled to ensure the secure installation of hotpatch updates. And besides all of that, the latest baseline release must be installed. When a device turns out not to be eligible for hotpatch updates, it automatically receives the Latest Cumulative Update (LCU) instead. That LCU contains the monthly updates that supersede the previous month's updates, including both security and non-security fixes. Besides that, LCUs require the device to restart.
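The three prerequisites above can be checked locally before a device is expected to receive hotpatch updates. The following PowerShell function is an added example and not part of the original post; it assumes that Windows 11 version 24H2 corresponds to OS build 26100, that the VBS state can be read from the Win32_DeviceGuard CIM class (VirtualizationBasedSecurityStatus 2 = enabled and running), and that "latest baseline installed" can be approximated by comparing the device's UBR (update build revision) against a UBR you supply from the release notes. The UBR value at the bottom is a placeholder.

```powershell
# Added example (not the original post's code): check the hotpatch
# prerequisites on the local Windows 11 device and report which update
# type the device should be expected to receive.
function Test-HotpatchEligibility {
    [CmdletBinding()]
    param(
        # UBR of the most recent baseline release (assumption: taken from the
        # release notes; supplied by the caller, not discovered automatically).
        [Parameter(Mandatory)][int]$BaselineUbr
    )

    # OS build and revision, e.g. 26100.xxxx
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $ubr   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # Requirement 1: Windows 11 version 24H2 or later (assumption: build 26100 = 24H2)
    $versionOk = $build -ge 26100

    # Requirement 2: Virtualization-Based Security enabled and running
    $vbsOk = $false
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
        $vbsOk = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    } catch {
        Write-Warning "Could not query Win32_DeviceGuard: $($_.Exception.Message)"
    }

    # Requirement 3: latest baseline release installed (approximated via UBR)
    $baselineOk = $ubr -ge $BaselineUbr

    $eligible = $versionOk -and $vbsOk -and $baselineOk

    [pscustomobject]@{
        OsBuild        = "$build.$ubr"
        Is24H2OrLater  = $versionOk
        VbsRunning     = $vbsOk
        BaselineOk     = $baselineOk
        Eligible       = $eligible
        # Not eligible means the device falls back to the LCU, which needs a restart.
        ExpectedUpdate = $(if ($eligible) { 'Hotpatch (no restart)' } else { 'LCU (restart required)' })
    }
}

# PLACEHOLDER: replace 0 with the UBR of the latest baseline release.
Test-HotpatchEligibility -BaselineUbr 0
```

Run this in an elevated PowerShell session; the VBS query works in a standard session on most builds, but the registry and CIM reads are the same ones the device uses, so a mismatch here explains why a device silently received an LCU instead of a hotpatch update.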

Configuring Windows hotpatch

When looking at the configuration of Windows hotpatch, it all starts with the Update CSP (the update section in the Policy CSP). That CSP now contains an additional setting that is used to enable Windows hotpatch on a Windows 11 device and that setting is AllowRebootlessUpdates. That setting will make sure that eligible devices enroll for Windows hotpatch updates. To configure that behavior, the new Windows quality update policy is introduced. At this moment that policy only contains the setting to configure the Windows hotpatch behavior. The following six steps walk through creating that policy with the required configuration.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows updates
  2. On the Devices | Windows updates page, go to the Quality updates tab and click Create Windows quality update policy
  3. On the Basics page, specify at least a unique name for the policy and click Next
  4. On the Settings page, as shown below in Figure 1, configure at least the following settings and click Next
     • The slider with Apply the latest cumulative quality updates for security is automatically set to Allow (1)
     • Switch the slider with When available, apply without restarting the device ("hotpatch") to Allow (2) to actually enable Windows hotpatch on the device
  5. On the Assignments page, select the required user or device group and click Next
  6. On the Review + create page, verify the provided configuration and click Create

Note: After configuring Windows hotpatch, the installation of updates still follows the configuration of the Update Ring.

Experiencing the Windows hotpatch configuration

When the configuration for Windows hotpatch is in place, it's time to verify the configuration. As always, there are multiple ways to achieve that verification. First of all, there is a new report available within the Windows Autopatch reports that contains the hotpatch quality update information. That report can be found via Reports > Windows Autopatch > Windows quality updates > Hotpatch quality updates. Besides that, the most direct information can be found locally on the device itself. Locally on the device there are multiple places that show the successful configuration of enabling Windows hotpatch. The easiest is simply looking at the hotpatch update that is installed and the message that is shown after the installation.

Another method locally on the device is looking at the actually applied configuration. The best and easiest places to look are the registry on the device and the Settings app. Both provide a clear indication of the newly applied configuration. Besides that, of course the Event Viewer also contains details about the recently applied configuration. Below in Figure 2 is an overview of the applied configuration in the Settings app (via Windows Update > Advanced Options > Configured update policies) (1) and the registry (2). The latter in particular also shows the direct link with the setting in the Update CSP, being AllowRebootlessUpdates.
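The registry and Event Viewer checks described above can be combined into a single read-back on the device. The following PowerShell function is an added example and not the post's own code; it assumes that Intune-delivered Policy CSP settings are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> (so the Update area holds AllowRebootlessUpdates as a DWORD, with 1 meaning allowed), and that MDM policy application is logged in the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log while update installations are logged in the WindowsUpdateClient/Operational log.

```powershell
# Added example (not the original post's code): read back the applied
# hotpatch policy and the recent related events on the local device.
function Get-HotpatchPolicyState {
    [CmdletBinding()]
    param(
        # How far back to look in the event logs.
        [int]$Days = 7
    )

    # Assumption: Policy CSP Update area is mirrored at this registry path.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $value = $null
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        if ($props.PSObject.Properties.Name -contains 'AllowRebootlessUpdates') {
            $value = [int]$props.AllowRebootlessUpdates
        }
    }

    $since = (Get-Date).AddDays(-$Days)

    # MDM policy application events that mention the setting by name.
    $policyEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AllowRebootlessUpdates' } |
        Select-Object -First 5 TimeCreated, Id, Message

    # Successful update installations; the message names the installed update,
    # which is where a hotpatch release shows up after it has been applied.
    $installEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 19   # "Installation Successful"
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object -First 5 TimeCreated, Message

    [pscustomobject]@{
        AllowRebootlessUpdates = $value                 # $null = policy not present
        HotpatchAllowed        = ($value -eq 1)
        RecentPolicyEvents     = $policyEvents
        RecentInstallEvents    = $installEvents
    }
}

Get-HotpatchPolicyState | Format-List
```

A `$null` registry value means the Windows quality update policy has not reached the device yet (or the device is not in the assigned group), while a value of 1 paired with update installs that did not trigger a pending restart is the local confirmation that matches the Hotpatch quality updates report in the admin center.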

More information

For more information regarding the Windows hotpatch configuration options, refer to the following docs.


2 thoughts on “Enabling hotpatch for Windows 11 Enterprise”

  1. without restarting?

    Hotpatch updates are the monthly security updates (also known as the B-release) that can be installed with restarting the device.

