Microsoft Launches Updates Without Restart for Windows 11 Enterprise

Windows 11 Enterprise users can now install updates without requiring a system restart.

After earlier experiments and announcements, including for Windows Server, Microsoft is now launching ‘hotpatch’ updates for Windows 11 in practice. Hotpatches are updates that can be installed without requiring a PC restart. This minimizes the impact of sometimes critical patches, increasing the likelihood of them being installed quickly.

The hotpatch updates are initially coming to Windows 11 Enterprise. The system is currently only compatible with Windows 11 Enterprise 24H2 on x64 processors (Intel or AMD).

Policy Rules

To get started with hotpatches, the IT administrator must first grant permission via policy in Windows Autopatch in the Intune console. To do this, navigate to Devices > Windows updates > Create Windows quality update policy and set the value for the hotpatch capability to Allow.

All compatible systems covered by the policy will enter a hotpatch cycle. Microsoft will roll out hotpatches in a similar pattern to regular updates, but they have different KB numbers. The policy rule automatically detects whether systems are compatible. You can therefore enable hotpatches uniformly, even when non-compatible devices fall under the policy.

Cadence

The current plan is to launch an update with features and other changes that do require a restart every quarter. This will then come to all systems in the same way. Microsoft provides the hotpatch updates in the two months between each quarterly update. This means that Windows 11 Enterprise systems theoretically only need to restart four times a year for updates, instead of twelve times.

Microsoft also notes that there are additional conditions to utilize the system:

  • A Microsoft subscription: Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription;
  • Windows 11 Enterprise version 24H2 (Build 26100.2033 or newer);
  • An x64 CPU from Intel or AMD;
  • Microsoft Intune to manage the deployment of hotpatch updates;
  • Virtualization-based Security (VBS) must be enabled.
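Before enabling the policy described above, an administrator will usually want to know which devices actually meet the local prerequisites (edition, build, CPU architecture, VBS state). The following PowerShell script is an added example, not Microsoft's code or part of the article; it reads the standard registry version keys and the Win32_DeviceGuard CIM class and reports each prerequisite as PASS or FAIL. The edition strings it accepts ('Enterprise', 'Education') and the exclusion of ARM64 are assumptions made for the check; licensing and Intune enrollment are tenant-side facts that cannot be verified from the device and are not checked.

```powershell
# Hotpatch readiness check (added example, not Microsoft's tooling).
# Compares this device against the prerequisites listed in the article:
# Enterprise/Education edition, 24H2 build 26100.2033 or newer, x64 CPU, VBS running.
# Licensing and Intune enrollment are not checked here.

$requiredBuild = 26100   # Windows 11 24H2
$requiredUbr   = 2033    # Build 26100.2033 per the article

# CurrentVersion holds the build, the update build revision (UBR), the edition and the display version.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build          = [int]$cv.CurrentBuild
$ubr            = [int]$cv.UBR
$edition        = $cv.EditionID        # e.g. 'Enterprise', 'Education', 'Professional'
$displayVersion = $cv.DisplayVersion   # e.g. '24H2'

# Assumption: the licensed SKUs in the article map to these EditionID values.
# LTSC ('EnterpriseS') and IoT variants are deliberately not accepted.
$eligibleEditions = @('Enterprise', 'Education')

# x64 means the OS runs natively on an AMD64 processor from Intel or AMD; ARM64 is reported separately.
$cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$isX64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -and
         ($cpu.Manufacturer -in @('GenuineIntel', 'AuthenticAMD'))

# Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

# A newer major build passes outright; the same build needs UBR >= 2033.
$buildOk = ($build -gt $requiredBuild) -or
           (($build -eq $requiredBuild) -and ($ubr -ge $requiredUbr))

$checks = [ordered]@{
    'Edition is Enterprise/Education'     = ($edition -in $eligibleEditions)
    "Build >= $requiredBuild.$requiredUbr" = $buildOk
    'x64 CPU (Intel or AMD)'              = $isX64
    'VBS running'                         = $vbsRunning
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-36} {1}' -f $name, $state
}

$ready = -not ($checks.Values -contains $false)
"Hotpatch-eligible (local prerequisites): $ready  [$edition $displayVersion $build.$ubr]"
```

Run it in an elevated PowerShell session on the device being assessed; a device that reports ARM64 will fail the CPU check, which matches the article's note that ARM support is still in public preview. The VBS check requires status 2 (running) rather than merely enabled, since a VBS that is configured but not active after the next boot does not satisfy the prerequisite in practice.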

Microsoft is still working on hotpatch updates for ARM systems. These are coming, but are still in public preview.

Many Benefits, Not for Everyone

Microsoft rightly points out the significant security benefits that hotpatch updates bring. By not asking users to restart, important security updates can be automatically integrated in the background. Zero-day attacks by hackers typically target vulnerable systems that haven’t been patched yet, but for which a patch was actually already available. This approach makes that scenario less likely.

The focus on Windows 11 Enterprise and associated subscription is interesting. Because hotpatches benefit security, one might assume that Microsoft would opt for a broad rollout with as few conditions as possible. It’s unclear whether Windows 11 Pro and Home systems will soon follow with this capability, and what conditions might be attached to that.