Hotpatch updates help you ensure rapid protection by installing Windows security updates without having to restart your devices. These updates provide the same level of security as the standard monthly security updates and take effect immediately, without requiring user attention or affecting user productivity. This type of Windows update has been available on Windows Server for the last two years and is now in public preview for Windows 11, version 24H2 Enterprise client devices. Please refer to the links below for more about the technical functionality of hotpatch updates for client and server devices.
Time to learn: 100 mins
Start here
If you only have time for one resource, this is it:
- Ask Microsoft Anything (AMA): Hotpatching Windows – client and server (33 mins): Get tips on how to enable hotpatch updates for client devices and servers. Hear Microsoft answer questions from the community. Gain the confidence you need to enable day-one protection.
Windows 11 + Server + Security + Update management
Windows client
What's new
- Hotpatch for client comes to Windows 11 Enterprise (3 mins): Preview hotpatching today! In addition to the overview of benefits and how it works, get started with the prerequisites and tips to enable hotpatching with Windows Autopatch.
Windows 11 + 24H2 + Enterprise + Microsoft Intune + Windows Autopatch
- Hotpatch updates (public preview) (3 mins): Visit our evergreen documentation of hotpatching for Windows client. Learn about key benefits, eligibility requirements, the release cycle, and steps to enroll devices to receive hotpatch updates.
Preview + Business premium + A3 + E3 + F3 + 24H2 + VBS + Baseline + LCU + Quality
- Hotpatch quality update report (public preview) (3 mins): View current hotpatch update status for all devices per policy. See numbers and names of devices that are up to date, hotpatched, not up to date, in progress, not ready, or paused. Display your reports by percentage or by device count.
Preview + Reports + Windows Autopatch + Policy + Quality updates
Prerequisites
- Virtualization-based security (VBS) (5 mins): Enable virtualization-based security (VBS) for a device to be offered hotpatch updates. When you set up VBS for the first time, you'll need to restart the device.
VBS + Memory + Integrity + Hypervisor-protected code integrity (HVCI) + Kernel + Hardware + Security + VM + Virtualization
- Disable Compiled Hybrid Portable Execution (CHPE) use (ARM64-only devices) (1 min): Manually set the following registry key on Windows 11, version 24H2 ARM64 CPU-based devices and restart the device for the setting to take effect.
  - Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - Value: HotPatchRestrictions=1
This setting helps ensure that these devices are fully secure when you install hotpatch updates starting with the December 2024 update.
Important: This setting forces the use of x86-only binaries. CHPE binaries are compatible with Windows OS x86 and include native ARM64 code to improve performance. However, they may not be compatible with some apps. Test for any application compatibility or performance impacts before rolling out widely.
ARM64 + CHPE + Registry key
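A read-only check for the two client prerequisites listed above (VBS running and, on ARM64 devices, the HotPatchRestrictions value), as an added PowerShell example that is not part of the original post. The function name Test-HotpatchPrereq and the output property names are hypothetical, and the comparison assumes the value is stored as a number, since the page gives only HotPatchRestrictions=1.

```powershell
function Test-HotpatchPrereq {
    [CmdletBinding()]
    param()

    # Registry location and value name as given on this page.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # VBS state from the Device Guard CIM class:
    # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # OS architecture, independent of whether this PowerShell host runs emulated.
    $arm64   = [System.Runtime.InteropServices.Architecture]::Arm64
    $isArm64 = [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture -eq $arm64

    # HotPatchRestrictions applies to ARM64 only; a missing value means the prerequisite is not met.
    $prop        = Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue
    $restriction = if ($prop) { $prop.HotPatchRestrictions } else { $null }
    $chpeOk      = (-not $isArm64) -or ($restriction -eq 1)

    # Collect what still has to be done, in the page's own terms.
    $findings = @()
    if (-not $vbsRunning) {
        $findings += 'VBS is not running: enable it and restart the device.'
    }
    if (-not $chpeOk) {
        $findings += 'ARM64 device without HotPatchRestrictions=1: set the value and restart.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsArm64              = $isArm64
        VbsRunning           = $vbsRunning
        HotPatchRestrictions = $restriction   # $null when the value is absent
        PrerequisitesMet     = $vbsRunning -and $chpeOk
        Findings             = $findings
    }
}

# Run from an elevated session on the device being assessed.
Test-HotpatchPrereq | Format-List
```

The registry value only takes effect after a restart, so a passing result on an ARM64 device that has not been restarted since the value was set does not confirm that CHPE use is actually disabled.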
Release notes
- Release notes for hotpatch public preview on Windows 11, version 24H2 Enterprise clients (time varies): Find information on the improvements and fixes included with each hotpatch update, as well as the baseline and hotpatch update schedule.
Windows 11 + 24H2 + Enterprise + Public Preview
Windows Server
Hotpatching technology
- Hotpatch for Windows Server (7 mins): Learn about the benefits and the workings of hotpatching for Windows Server 2025 and 2022. Note that Azure Arc-enabled hotpatch is currently in preview. Check the availability of hotpatching for your context, how to enable it, monitor it, or roll it back based on your infrastructure.
Windows Server 2025 + Windows Server 2022 + Azure Arc + Azure Stack HCI + VM + Baselines + Group Policy + SCONFIG
- Enable hotpatch for Azure Arc-enabled servers (preview) (2 mins): Want to preview hotpatch on Azure Arc-enabled servers? All you need to do is deploy the Connected Machine agent and enable Windows Server hotpatch. Read how.
Azure + Arc + Windows Server 2025 + Standard + Datacenter + VM
- Hotpatching: Improving server security and productivity (30 mins): Watch our engineers respond to common questions and scenarios around hotpatching on Windows Server. Learn what hotpatching is, how it simultaneously solves the need for security and productivity at your organization, and its planned roadmap.
Windows Server + Security + Update + Cyberthreat + Productivity + Downtime
- Hotpatching on Windows (13 mins): Why do updates require restarts? What are the security issues with delayed patching? See how hotpatching helps solve these issues, including its architecture, its engine, and the function of the hotpatch address table (HPAT).
Kernel + Driver + Security + VM + Azure + HPAT
Release notes
- Release notes for hotpatch on Windows Server 2025 Datacenter Azure Edition (time varies): Find information on the improvements and fixes included with each hotpatch update, as well as baseline and hotpatch update schedule.
Windows Server 2025 + Datacenter + Azure
- Release notes for hotpatch in Azure Automanage for Windows Server 2022 (time varies): Find information on the improvements and fixes included with each hotpatch update, as well as baseline and hotpatch update schedule.
Windows Server 2022 + Azure + Automanage
Ready to get compliant faster? Try hotpatching and let us know what you think!
For more resources on a variety of topics, check out our growing Windows skilling snacks library.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Updated Dec 17, 2024
Version 1.0
David_Callaghan
Microsoft
Windows IT Pro Blog