MC999973 - Reminder: Hotpatch eligibility and prerequisites

Reminder: Hotpatch eligibility and prerequisites
ID	Workload	Category	Classification	Severity	Start Time	Last Updated
MC999973	Windows	Stay Informed	Admin impact	normal	07-Feb-2025 22:51	07-Feb-2025 22:51
Update: 07-Feb-2025 22:51 (Updated 2/7 8:00pm to call out additional prerequisites related to OS version) Hotpatch is an extension of Windows Update, designed to reduce downtime and disruptions by allowing the installation of Monthly B release security updates without requiring a device restart. We encourage users to test and use Hotpatch. However, it's important to note that not all devices are eligible for Hotpatch updates. We want to remind you of the prerequisites necessary to ensure a successful Hotpatch deployment across your environment. For complete details, see Windows Autopatch Hotpatch Updates. When will this happen: The Hotpatch feature is currently in public preview. We welcome users to test and use Hotpatch in production environments, as well as provide us their feedback. Enrollment to Hotpatch updates begins at the Intune admin center. See the resources at the Additional Information section, below. How this will affect your organization: If you've recently added devices to your Hotpatch policy as part of Windows Autopatch, please note the below prerequisites to ensure successful Hotpatch deployment. All devices must meet the following prerequisites: Operating system: Devices must be running Windows 11 24H2, specifically the January 2025 Windows monthly security update - KB5050009 (OS Build 26100.2894) (baseline). Virtualization-Based Security (VBS): This must be enabled to ensure secure installation of Hotpatch updates. For details, see Memory integrity and VBS enablement. Arm64 devices only: Disable compiled hybrid PE usage (CHPE), by making the following changes. Edit the Windows registry: Path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management DWORD key value: HotPatchRestrictions = 1 You must restart the computer after you set this registry key. Once set, you do not need to set it again because it will persist. See the documentation in the Additional Information section for additional details. What you need to do to prepare: In order to take advantage of the benefits of Hotpatch, devices must meet the necessary prerequisites. Review devices in your environment and see the resources at the Additional Information section below if deployment is not occurring as expected. Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. LCUs contain monthly updates that supersede the previous month's updates containing both security and non-security releases. While LCUs require a system restart, they ensure that the device remains fully secure and compliant. Additional information: For more details on device requirements, see Hotpatch updates (public preview) \| Operating system configuration prerequisites To enroll in Hotpatch and see the latest release schedule, see Hotpatch updates (public preview) \| Enroll devices to receive Hotpatch updates If you have any questions or need further assistance, please reach out to your Microsoft representative.

Reminder: Hotpatch eligibility and prerequisites

Workload

Category

Classification

Severity

Start Time

Last Updated

MC999973

Windows

Stay Informed

Admin impact

normal

07-Feb-2025 22:51

Update: 07-Feb-2025 22:51

(Updated 2/7 8:00pm to call out additional prerequisites related to OS version)

Hotpatch is an extension of Windows Update, designed to reduce downtime and disruptions by allowing the installation of Monthly B release security updates without requiring a device restart. We encourage users to test and use Hotpatch.

However, it's important to note that not all devices are eligible for Hotpatch updates. We want to remind you of the prerequisites necessary to ensure a successful Hotpatch deployment across your environment. For complete details, see Windows Autopatch Hotpatch Updates.

When will this happen:

The Hotpatch feature is currently in public preview. We welcome users to test and use Hotpatch in production environments, as well as provide us their feedback. Enrollment to Hotpatch updates begins at the Intune admin center. See the resources at the Additional Information section, below.

How this will affect your organization:

If you've recently added devices to your Hotpatch policy as part of Windows Autopatch, please note the below prerequisites to ensure successful Hotpatch deployment.

All devices must meet the following prerequisites:

Operating system: Devices must be running Windows 11 24H2, specifically the January 2025 Windows monthly security update - KB5050009 (OS Build 26100.2894) (baseline).
Virtualization-Based Security (VBS): This must be enabled to ensure secure installation of Hotpatch updates. For details, see Memory integrity and VBS enablement.

Arm64 devices only: Disable compiled hybrid PE usage (CHPE), by making the following changes.

Edit the Windows registry: Path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
DWORD key value: HotPatchRestrictions = 1
You must restart the computer after you set this registry key. Once set, you do not need to set it again because it will persist. See the documentation in the Additional Information section for additional details.

What you need to do to prepare:

In order to take advantage of the benefits of Hotpatch, devices must meet the necessary prerequisites. Review devices in your environment and see the resources at the Additional Information section below if deployment is not occurring as expected.

Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. LCUs contain monthly updates that supersede the previous month's updates containing both security and non-security releases. While LCUs require a system restart, they ensure that the device remains fully secure and compliant.

Additional information:

For more details on device requirements, see Hotpatch updates (public preview) | Operating system configuration prerequisites
To enroll in Hotpatch and see the latest release schedule, see Hotpatch updates (public preview) | Enroll devices to receive Hotpatch updates
If you have any questions or need further assistance, please reach out to your Microsoft representative.