Blog Post

Windows IT Pro Blog
4 MIN READ

Skilling snack: Hotpatch on Windows client and server

David_Callaghan's avatar
Dec 17, 2024

Hotpatch updates help you ensure rapid protection by installing Windows security updates without having to restart your devices. These updates provide the same level of security as the standard monthly security updates and take effect immediately, without requiring user attention or affecting user productivity. This type of Windows update has been available on Windows Server for the last two years and is now in public preview for Windows 11, version 24H2 Enterprise client devices. Please refer to the links below for more about the technical functionality of hotpatch updates for client and server devices.

Time to learn: 100 mins

Start here

If you only have time for one resource, this is it:

Windows client

What's new

  • Hotpatch for client comes to Windows 11 Enterprise (3 mins): Preview hotpatching today! In addition to the overview of benefits and how it works, get started with the prerequisites and tips to enable hotpatching with Windows Autopatch.
    Windows 11 + 24H2 + Enterprise + Microsoft Intune + Windows Autopatch
  • Hotpatch updates (public preview) (3 mins): Visit our evergreen documentation of hotpatching for Windows client. Learn about key benefits, eligibility requirements, the release cycle, and steps to enroll devices to receive hotpatch updates.
    Preview + Business premium + A3 + E3 + F3 + 24H2 + VBS + Baseline + LCU + Quality
  • Hotpatch quality update report (public preview) (3 mins): View current hotpatch update status for all devices per policy. See numbers and names of devices that are up to date, hotpatched, not up to date, in progress, not ready, or paused. Display your reports by percentage or by device count.
    Preview + Reports + Windows Autopatch + Policy + Quality updates

Prerequisites

  • Virtualization-based security (VBS) (5 mins): Enable virtualization-based security (VBS) for a device to be offered hotpatch updates. When you set up VBS for the first time, you'll need to restart the device.
    VBS + Memory + Integrity + Hypervisor-protected code integrity (HVCI) + Kernel + Hardware + Security + VM + Virtualization
  • Disable Compiled Hybrid Portable Execution (CHPE) use (ARM64 only devices) (1 min): Manually set the following registry key on Windows 11, version 24H2 ARM64 CPU based devices and restart the device for the setting to take effect.

    • Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    • Value: HotPatchRestrictions=1

This setting helps ensure that these devices are fully secure when you install hotpatch updates starting with the December 2024 update.

Important This setting forces the use of x86-only binaries. CHPE binaries are compatible with Windows OS x86 and include native ARM64 code to improve performance. However, they may not be compatible with some apps. Test for any application compatibility or performance impacts before rolling out widely.

ARM64 + CHPE + Registry key

Release notes

Windows Server

Hotpatching technology

  • Hotpatch for Windows Server (7 mins): Learn about the benefits and the workings of hotpatching for Windows Server 2025 and 2022. Note that Azure Arc-enabled hotpatch is currently in preview. Check the availability of hotpatching for your context, how to enable it, monitor it, or roll it back based on your infrastructure.
    Windows Server 2025 + Windows Server 2022 + Azure Arc + Azure Stack HCI + VM + Baselines + Group Policy + SCONFIG
  • Enable hotpatch for Azure Arc-enabled servers (preview) (2 mins): Want to preview hotpatch on Azure Arc-enabled servers? All you need to do is deploy the Connected Machine agent and enable Windows Server hotpatch. Read how.
    Azure + Arc + Windows Server 2025 + Standard + Datacenter + VM
  • Hotpatching: Improving server security and productivity (30 mins): Watch our engineers respond to common questions and scenarios around hotpatching on Windows Server. Learn what hotpatching is, how it simultaneously solves the need for security and productivity at your organization, and its planned roadmap.
    Windows Server + Security + Update + Cyberthreat + Productivity + Downtime
  • Hotpatching on Windows (13 mins): Why do updates require restarts? What are the security issues with delayed patching? See how hotpatching helps solve these issues, including its architecture, its engine, and the function of the hotpatch address table (HPAT).
    Kernel + Driver + Security + VM + Azure + HPAT

Release notes

Ready to get compliant faster? Try hotpatching and let us know what you think!

For more resources on a variety of topics, check out our growing Windows skilling snacks library.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Updated Dec 17, 2024
Version 1.0
  • AlexJcs's avatar
    AlexJcs
    Iron Contributor

    Hotpatch, espacially on Windows clients will be a gamer changer and will help to secure so much more devices and will bring so much peace to IT admins!

    • Laurie_Aldam's avatar
      Laurie_Aldam
      Brass Contributor

      We just force our clients to restart, is this really much more secure?

      Maybe if you have a scenario where you have to enter a PIN or password to boot it will be less of a frustration to end users. But Windows is very good these days at restarting the device and reopening the apps users were working in. Although it could be of some benefit if your users are using third party apps that don't have this functionality.

      Also having computers reboot occasionally is not a bad thing, the whole 'tried turning it off and on again' is a cliché for a reason, it can fix all sorts of issues.

      I do like this added functionality, I just fail to see much of an added benefit if your clients are forced to restart.