Today I want to talk a little bit about Hotpatch updates: what they are, how you can enable them, and how they have the potential to change the way we look at security updates.
What are Hotpatch Updates?
Hotpatch updates let you, for the first time on a Windows client OS, install security updates without rebooting the device to apply them: the patched code is applied to the running system, so the fixes are in effect immediately instead of at the next restart.
Hotpatch lets you reboot only once a quarter, for the baseline update in January, April, July and October, and delivers rebootless Hotpatch updates in the remaining months:
In the Windows Update history, the Hotpatch update of a month has a lower build number than the regular update (LCU) of the same month:
March 11, 2025—Hotpatch public preview KB5053636 (OS Build 26100.3403) – Microsoft Support
March 11, 2025—KB5053598 (OS Build 26100.3476) – Microsoft Support
This is why the regular update can still be installed on top of the Hotpatch update of the same month (with the usual reboot), in case you need some of the non-security fixes from that month and don't want to wait for the next baseline update. Bear this in mind when working with reports that are not Hotpatch aware: a lower build number does not necessarily mean a device is missing an update, because the Hotpatch update contains every security fix that the regular LCU of that month has; only the non-security fixes are deferred to the next baseline.
Prerequisites
- Windows 11 24H2
- Virtualization-based security (VBS) enabled
- (ARM64 devices only) CHPE disabled (sample Intune remediation script available on GitHub: detection and remediation)
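As an added example (not from this post, and not the GitHub remediation script linked above), here is a readiness check you can run on a device before assigning the policy, plus a small helper for the build-number pitfall described earlier. Assumptions that are not stated on this page: the VBS state is read from the Win32_DeviceGuard class (VirtualizationBasedSecurityStatus 2 = running), and the CHPE requirement on Arm64 is represented by the HotPatchRestrictions registry value (1 = CHPE disabled) under Session Manager\Memory Management, which is what Microsoft's Hotpatch documentation uses to my knowledge. The example build numbers are the two March 2025 KBs from above.

```powershell
# Added example: Hotpatch readiness check for a Windows 11 device.
# Not Microsoft's script and not the remediation script the post links to.
# Assumptions (not from the post): Win32_DeviceGuard.VirtualizationBasedSecurityStatus
# (0 = not enabled, 1 = enabled but not running, 2 = running) and the Arm64 CHPE switch
# HotPatchRestrictions = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

function Get-HotpatchReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. OS version: Windows 11 24H2 is build 26100; the UBR is the part after the dot (e.g. 26100.3403).
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $result.OSBuild = "$build.$ubr"
    $result.Is24H2  = ($build -ge 26100)

    # 2. VBS must be enabled and actually running (status 2), not just configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }
    $result.VbsStatus  = $vbsStatus
    $result.VbsRunning = ($vbsStatus -eq 2)

    # 3. Arm64 only: CHPE must be disabled. Nothing to do on x64.
    $arch = $env:PROCESSOR_ARCHITECTURE
    $result.Architecture = $arch
    if ($arch -eq 'ARM64') {
        $mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -ErrorAction SilentlyContinue
        $result.ChpeDisabled = ($null -ne $mm -and $mm.HotPatchRestrictions -eq 1)
    } else {
        $result.ChpeDisabled = $true   # not applicable on x64
    }

    $result.Ready = $result.Is24H2 -and $result.VbsRunning -and $result.ChpeDisabled
    [pscustomobject]$result
}

# Interpreting a build number from a report that is not Hotpatch aware.
# Compare the device UBR with the Hotpatch UBR and the LCU UBR of the SAME month:
# anything at or above the Hotpatch UBR already carries that month's security fixes.
function Test-MonthSecurityCoverage {
    param(
        [Parameter(Mandatory)][int]$Ubr,          # UBR the report shows for the device
        [Parameter(Mandatory)][int]$HotpatchUbr,  # 3403 for KB5053636 (March 2025)
        [Parameter(Mandatory)][int]$LcuUbr        # 3476 for KB5053598 (March 2025)
    )
    if ($Ubr -ge $LcuUbr)      { return 'Full LCU installed: security and non-security fixes present' }
    if ($Ubr -ge $HotpatchUbr) { return 'Hotpatch installed: all security fixes present, non-security fixes deferred to the next baseline' }
    return 'Missing this month''s security fixes'
}

Get-HotpatchReadiness | Format-List
Test-MonthSecurityCoverage -Ubr 3403 -HotpatchUbr 3403 -LcuUbr 3476
Test-MonthSecurityCoverage -Ubr 3037 -HotpatchUbr 3403 -LcuUbr 3476
```

Run it in an elevated PowerShell session; the Ready field is what you would gate the Intune assignment on, and the second helper is the logic a non-Hotpatch-aware compliance report is missing when it flags 26100.3403 as behind 26100.3476.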
How to configure in Intune
Configuration in Intune is straightforward: create a new "Windows quality update policy" in the Windows Update blade:


Give it a name:

Enable Hotpatch updates:

As usual, apply scope tags if your org uses them:

And assign the Policy to your devices:

After a review, you can create the policy and start getting Hotpatch updates:

You can check whether the policy was applied on the client: under the configured update policies it should show that hotpatching is enabled:
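If you would rather script the steps above than click through the portal, the following is an added example (not from this post and not Microsoft's code) that creates the same policy through Microsoft Graph and assigns it to a device group. Everything about the endpoint is an assumption to verify against the current Graph beta reference before use: the resource deviceManagement/windowsQualityUpdatePolicies, its boolean property hotpatchEnabled, and the /assign action with a groupAssignmentTarget; the group ID and policy name are placeholders.

```powershell
# Added example: create and assign a Hotpatch-enabled Windows quality update policy via Graph.
# Assumptions (not from the post): beta resource windowsQualityUpdatePolicies with the
# property hotpatchEnabled, and the standard /assign action. Requires Microsoft.Graph.Authentication.
param(
    [string]$PolicyName = 'Hotpatch - Windows 11 24H2',
    [Parameter(Mandatory)][string]$TargetGroupId   # Entra ID group of the pilot devices (placeholder)
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies'

# 1. Create the policy with Hotpatch turned on (the "Enable Hotpatch updates" toggle in the portal).
$body = @{
    '@odata.type'   = '#microsoft.graph.windowsQualityUpdatePolicy'
    displayName     = $PolicyName
    description     = 'Rebootless security updates; baseline reboot in Jan/Apr/Jul/Oct'
    hotpatchEnabled = $true
    roleScopeTagIds = @('0')   # default scope tag; replace with your own scope tag IDs if needed
}
$policy = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 2. Assign the policy to the device group (the "Assignments" step in the portal).
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

# 3. Read the policy back and fail loudly if Hotpatch is not actually enabled.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)"
if (-not $check.hotpatchEnabled) {
    throw "Policy $($check.id) was created but hotpatchEnabled is not true"
}
"Created policy $($check.id) '$($check.displayName)' with hotpatchEnabled=$($check.hotpatchEnabled)"
```

The read-back in step 3 is the part worth keeping even if you automate nothing else: a policy that exists but has the toggle off looks identical to a working one in a quick portal glance, and the devices will silently keep receiving the regular, reboot-requiring LCU.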

User experience
Coming from the January baseline update (KB5050009), the user is offered the Hotpatch-capable version (KB5053636) of the March update:


And a few minutes later we are greeted with this nice green banner of success, telling us the device was successfully hotpatched and is now secure without needing a reboot:

Conclusion
For me, hotpatching our devices is not only about eliminating the need for the user to reboot once a month. More importantly, it ensures the device is secure the second the update is applied, not only a few days later when the user finally decides to reboot. This is one of the rare occasions where better security and a better user experience come together 🙂