Editor's note 8.20.2025 – Minor revisions have been made to include additional information regarding Hypervisor Enforced Code Integrity settings.
If you're looking to bring hotpatch to your environment, there’s one key requirement to start with: virtualization-based security (VBS) must be enabled on your devices. The good news? Enabling VBS is straightforward, and we’ll show you how, whether you're testing on a single device or deploying at scale with Microsoft Intune.
With the hotpatching feature of Windows Autopatch, you can apply security updates to Windows without requiring a restart. This helps minimize downtime and prevents the interruption of user experiences. Hotpatching is no longer just an emerging solution; it’s becoming a trusted part of the update strategy for organizations of all sizes. Across industries, IT teams are embracing the ability to improve patch compliance and reduce risk without the operational disruption of traditional update cycles.
Why VBS is critical for hotpatching
VBS uses hardware virtualization to isolate a secure region of memory, protecting against kernel-level exploits and other advanced threats. It's a foundational requirement for enabling hotpatching on Windows clients, and it helps ensure your endpoints are secure and ready for patching.
Enable VBS
Before you enroll devices in hotpatch updates, check that devices meet the hardware requirements for VBS (e.g., virtualization support, Trusted Platform Module 2.0).
Watch our video and read further on how you can enable, validate, and monitor VBS at scale or manually. Check out why we recommend using Microsoft Intune. Then learn how you could use PowerShell and Windows Command Prompt instead of Intune.
Let’s walk through the video steps.
Time saver: Enabling VBS at scale with Microsoft Intune
For production environments, Microsoft Intune provides a scalable and policy-driven approach to enable VBS across your device fleet. Windows Autopatch is built on top of Intune, so using your current management experience will save you time and effort. Just follow this step-by-step guide to configuring policies in the Intune admin center.
- Go to Devices > Manage Devices > Configuration.
- Under the Policies tab, create a new profile by selecting Create > New policy.
- In the Create a profile flyout, select Windows 10 and later.
- For profile type, select Settings catalog.
- On the next screen, name your profile under Basics.
- Navigate to the Configuration settings tab and select Add settings.
- In the Settings picker flyout, start typing “Virtualization Based Technology” and select it from the search results.
- Locate and select the Hypervisor Enforced Code Integrity setting name among the results to enable memory integrity.
(Screenshot: Configuration tab in the Intune admin center with the Settings picker flyout)
- In the Hypervisor Enforced Code Integrity drop-down menu, select either "(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock" or "(Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock".
Note: UEFI lock is a firmware-enforced security mechanism that ensures critical protections cannot be disabled remotely or via software policy changes. Learn more about UEFI.
- Complete the wizard by setting scope, assignments, and reviewing your configuration.
Note: You can also use the HypervisorEnforcedCodeIntegrity node in the VirtualizationBasedTechnology configuration service provider (CSP) to enable VBS. We don’t recommend using Group Policy Objects (GPOs) for enabling VBS with Intune environments because the relevant GPOs are deprecated. Consider importing your GPOs into Intune instead.
Enabling VBS manually on a single device
If you're validating configurations or running a pilot, you can enable VBS manually using either PowerShell or Windows Command Prompt.
PowerShell method
Use the following PowerShell script, run from an elevated PowerShell session, to enable VBS:
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$parameters = @{
    Path         = $registryPath
    Name         = "EnableVirtualizationBasedSecurity"
    Value        = 1          # 1 = enable VBS; written as a REG_DWORD
    Force        = $True      # overwrite the value if it already exists
    PropertyType = "DWORD"
}
New-ItemProperty @parameters
Windows Command Prompt method
Alternatively, enable VBS using this command in an elevated command prompt:
Reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
Validate and monitor VBS enablement
Once the policy is assigned, it takes some time to be deployed to the target devices in scope. Restart your devices to ensure that VBS turns on. Then check the VBS status and monitor it for any issues in one of the following ways.
In the Intune admin center
From the Microsoft Intune admin center, go to Devices > Managed devices > Configuration. Select the CSP policy you’ve created and review the results, as illustrated below. See device configuration policies with Microsoft Intune.
(Screenshot: VBS configuration policy status in the Intune admin center)
In PowerShell
In PowerShell, confirm that the value of VirtualizationBasedSecurityStatus has changed from 0 to the value that corresponds to the VBS mode you've selected. See Enable memory integrity for detailed instructions.
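One way to read that status from a script, as an added example that is not part of the original post: it queries the Win32_DeviceGuard WMI class that Windows exposes for VBS state, decodes the documented numeric codes, and reads back the EnableVirtualizationBasedSecurity value set in the manual method above. The function name, output fields and the HVCI registry path it also checks are this example's own choices.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
# Numeric code meanings follow the documented Win32_DeviceGuard class properties.
function Get-VbsState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running (restart pending or a hardware prerequisite is missing)' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesRunning lists the VBS-backed services that are active right now
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'; 3 = 'System Guard Secure Launch' }
    $running = @($dg.SecurityServicesRunning |
        Where-Object { $_ -ne 0 } |
        ForEach-Object { if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Service $_" } })

    # Policy values on disk: the VBS switch written by the manual method, and the HVCI scenario key
    $dgPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciPath = Join-Path $dgPath 'Scenarios\HypervisorEnforcedCodeIntegrity'   # assumed path for this example
    $enableVbsReg = (Get-ItemProperty -Path $dgPath -Name 'EnableVirtualizationBasedSecurity' `
                        -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $hvciReg = (Get-ItemProperty -Path $hvciPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        VbsStatusCode             = [int]$dg.VirtualizationBasedSecurityStatus
        RunningServices           = $running
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        EnableVbsRegistryValue    = $enableVbsReg       # expect 1 after the manual method
        HvciEnabledRegistryValue  = $hvciReg            # set by the Intune HVCI setting, if applied
        MeetsHotpatchVbsRequirement = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Get-VbsState | Format-List
```

A status code of 1 after the registry value is already 1 usually means the device has not been restarted yet or lacks a hardware prerequisite such as virtualization support.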
(Screenshot: VBS status shown in PowerShell)
In Windows Settings
If applied through CSP, check VBS enablement on each device manually in Windows Settings. Navigate to Accounts > Access work or school and select the accounts managed by your organization. Under Areas managed, review listed policies. If you see VirtualizationBasedTechnology, VBS is enabled on the device.
(Screenshot: VBS status shown in Windows Settings)
Finally, use Intune reporting to monitor compliance and troubleshoot any deployment issues. For help, visit Monitor device configuration policies in Microsoft Intune.
By enabling VBS, you're not only meeting the prerequisites for hotpatching, you're also strengthening your organization's security posture with minimal overhead. Learn how to get started and enroll in hotpatch updates today.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.