Event details

Are you ready to experience seamless security updates with minimal disruption? Let’s dive into hotpatching for Windows 11, version 24H2 and Windows Server 2025 machines connected to Azure Arc! Hotpat...
Heather_Poulsen
Updated Mar 12, 2025
Technical Takeoff
SkipToTheEndpoint's avatar
SkipToTheEndpoint
Brass Contributor
Mar 03, 2025

Hotpatching should be for specific use-case devices, not everything. 

Additionally, regarding VBS being a pre-req, any device that has been installed with Win11 22H2 or later has HVCI and VBS enabled by default. You can also enable VBS via the Settings Catalog in Intune, and it's really poor that option wasn't shown in the video at all. Just don't assign it to devices or you'll get a reboot during Autopilot.

IT_SystemEngineer's avatar
IT_SystemEngineer
Brass Contributor
Mar 03, 2025

So we can not use Hotpatching for example Citrix VMs, because it is not supported by Citrix Hypervisor (VBS requires nested virtualization support).

Right?

  • VishalBajaj's avatar
    VishalBajaj
    Icon for Microsoft rankMicrosoft
    Mar 03, 2025

    VBS does not require nested virtualization support. It can work in Guest mode too. But you will need a hypervisor that can

    1) Expose Virtual Trust Levels (VTLs) interfaces (which do not exist other than HyperV) OR

    2) Create a VM with nested virtualization support

     There is no need to create a nested VM in the VM

    • IT_SystemEngineer's avatar
      IT_SystemEngineer
      Brass Contributor
      Mar 04, 2025

      Okay. For Example:
      VMware ESXi 8.0 Hypervisor >> Win11 VMs >> Citrix 7 VDA LTSR >> GPO "Turn On VBS" = Enabled

      With this configuration, we get the following error during gpupdate:

      {F312195E-3D9D-447A-A3F5-08DFFA24735E} failed due to the error listed below.
      A hypervisor feature is not available to the user.

      Why do we get this error?
      Is it because the option "Virtualization Based Security" = Disabled in vSphere?