[Image: Several laptops displaying the Windows 11 desktop, arranged on a table in a modern office setting.]
Microsoft has recently announced a significant enhancement to its Windows Autopatch service by enabling hotpatching for Windows 11 clients by default. This development aims to streamline the update process for enterprise customers, reducing the frequency of system restarts required after security updates from monthly to just four times per year.
Hotpatching is a technology that allows security updates to be applied to a system without necessitating a reboot. By modifying in-memory code, hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities while minimizing user disruptions. This approach ensures that devices remain secure and operational without the downtime typically associated with traditional update processes.
The implementation of hotpatching follows a structured quarterly cycle:
  • Baseline Month: In January, April, July, and October, devices install a cumulative baseline update that includes the latest security fixes, new features, and enhancements. This update requires a system restart to take effect.
  • Hotpatch Months: In the subsequent two months following each baseline update, devices receive hotpatch updates that contain only security fixes. These updates do not require a restart, allowing users to continue their work uninterrupted.
This cycle effectively reduces the number of required restarts for Windows updates from twelve to just four per year, enhancing both security compliance and user productivity.
To leverage hotpatching, organizations must meet specific prerequisites:
  • Licensing: Eligible licenses include Windows 11 Enterprise E3 or E5, Windows 11 Education A3 or A5, Microsoft 365 F3, or Windows 365 Enterprise.
  • Operating System: Devices must run Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later).
  • Hardware: An x64 CPU (AMD/Intel) is required. Hotpatching for Arm64 devices is currently in public preview and requires additional configuration, such as disabling Compiled Hybrid PE (CHPE) usage.
  • Management Tools: Microsoft Intune is necessary to manage the deployment of hotpatch updates through a hotpatch-enabled Windows quality update policy.
  • Security Features: Virtualization-Based Security (VBS) must be enabled and running on the devices.
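The device-side prerequisites above (edition, version and build, CPU architecture, VBS state) can be checked from PowerShell before rolling out a hotpatch-enabled policy. The script below is an added example written for this post, not code from the heise article, Microsoft's documentation or Windows Autopatch itself. It assumes an elevated PowerShell 5.1 or later session on the device being checked, takes the minimum build 26100.2033 from the article, and reads the OS details from the `CurrentVersion` registry key and the VBS state from the `Win32_DeviceGuard` WMI class. Licensing and Intune enrolment are tenant-side facts and are deliberately not checked here.

```powershell
# Added example: report whether this device meets the device-side hotpatch prerequisites
# listed in the post. Not part of the article or of any Microsoft tooling.

# Minimum build stated in the article for Windows 11 Enterprise 24H2 (assumption: taken as given there)
$minBuild = [version]'10.0.26100.2033'

# Edition, feature version and full build come from the registry key Windows maintains
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osVersion = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)

# VBS state from the Device Guard WMI class:
# VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# AMD64 means x64; ARM64 means an Arm device (public preview per the article)
$arch = $env:PROCESSOR_ARCHITECTURE

$checks = [ordered]@{
    'Windows 11 Enterprise edition' = ($cv.EditionID -eq 'Enterprise')
    'Version 24H2'                  = ($cv.DisplayVersion -eq '24H2')
    "Build >= $minBuild"            = ($osVersion -ge $minBuild)
    'x64 CPU'                       = ($arch -eq 'AMD64')
    'VBS enabled and running'       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
}

$allOk = $true
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $allOk = $false }
    '{0,-32} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
}

if ($arch -eq 'ARM64') {
    Write-Warning 'Arm64 detected: hotpatching is in public preview and needs additional configuration (see the article).'
}

if ($allOk) {
    'Device meets the device-side hotpatch prerequisites; it can be targeted by a hotpatch-enabled quality update policy.'
} else {
    'Device does not meet all prerequisites and will keep receiving cumulative updates that require a restart.'
}
```

Run it as part of a readiness pass before assigning the Intune policy: a device that reports MISSING for VBS is the most common case in practice, and it will silently fall back to the standard restart-required cumulative updates, exactly as the post notes below.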
For organizations using Windows Autopatch, enabling hotpatching is straightforward:
  • Navigate to the Microsoft Intune admin center.
  • Go to Devices > Windows updates > Create Windows quality update policy.
  • Under the Settings section, locate the option "When available, apply without restarting the device ('hotpatch')" and toggle it to Allow.
This configuration ensures that eligible devices receive hotpatch updates automatically, enhancing security compliance and reducing downtime.
It's important to note that devices not meeting the prerequisites for hotpatching will continue to receive standard cumulative updates that require a restart. Therefore, organizations should ensure that their devices are properly configured to take full advantage of hotpatching capabilities.
The introduction of default hotpatching in Windows Autopatch represents a significant step forward in Microsoft's efforts to provide seamless and efficient update management solutions for enterprise customers. By reducing the need for frequent restarts, organizations can maintain higher levels of productivity while ensuring their systems are protected against emerging security threats.
For more detailed information on hotpatching and its implementation, refer to Microsoft's official documentation on Hotpatch updates and the Windows Autopatch FAQ.

Source: heise online, "Microsoft enables hot patching for Windows 11 by default"