On April 2, 2025, Hotpatching for Windows 11 Enterprise became available, followed by the availability of Hotpatching for Windows Server 2025 on July 1, 2025. This feature is designed to protect organizations from cyberattacks while minimizing user disruptions, as Hotpatch updates do not require a restart of the operating system.
Hotpatching explained
Key Benefits:
- Immediate Protection: Hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities.
- Consistent Security: Devices receive the same level of security patching as the monthly standard security updates.
- Minimized Disruptions: Users can continue their work without interruptions, as Hotpatch updates do not require a PC restart for the remainder of the quarter.
Hotpatching Cycle:
- Baseline Month: January, April, July, October – Devices install the monthly fixed security update and restart.
- Subsequent Two Months: Devices receive Hotpatch updates, which only include security updates and do not require a restart.
Hotpatching for Windows 11 Enterprise
Hotpatching for Windows 11 Enterprise protects organizations from cyberattacks by installing security updates automatically on eligible devices without the need to restart.
How It Works:
- Create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console.
- Eligible Windows 11 Enterprise, version 24H2 devices managed by this policy will receive hotpatch updates in a quarterly cycle.
- Devices receiving hotpatch updates will see a different KB number and OS version than those receiving standard updates.
Requirements:
- Microsoft subscription including Windows 11 Enterprise F3/E3/E5, Windows 11 Education A3/A5, or Windows 365 Enterprise.
- Devices running Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) with the current baseline update installed.
- x64 CPU (AMD64 and Intel); Arm64 devices are still in public preview.
- Microsoft Intune to manage the deployment of hotpatch updates.
- Virtualization-based Security (VBS) enabled.
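The device-side requirements above can be checked locally before a device is assigned to a hotpatch-enabled policy. The following PowerShell is an added example, not Microsoft's tooling or code from the original page; the function name Test-HotpatchClientPrereq is hypothetical, and it covers only the build, CPU and VBS requirements (not licensing, Intune enrollment, or whether the current baseline update is installed).

```powershell
# Added example: local pre-check against the Windows 11 hotpatch device requirements above.
# Test-HotpatchClientPrereq is a hypothetical name. Licensing, Intune policy and
# "current baseline installed" are not checked here.
function Test-HotpatchClientPrereq {
    [CmdletBinding()]
    param()

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Requirement: version 24H2, Build 26100.2033 or later.
    $buildOk = ($build -eq 26100) -and ($ubr -ge 2033)

    # Requirement: x64 CPU. Win32_Processor.Architecture: 9 = x64, 12 = ARM64.
    $arch   = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Architecture
    $archOk = ($arch -eq 9)

    # Requirement: VBS enabled. VirtualizationBasedSecurityStatus:
    # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    # Assumption in this example: the requirement counts as met only when VBS is running.
    $vbsStatus = $null
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        $vbsStatus = $dg.VirtualizationBasedSecurityStatus
    } catch {
        Write-Verbose "Win32_DeviceGuard query failed: $($_.Exception.Message)"
    }
    $vbsOk = ($vbsStatus -eq 2)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EditionID    = $cv.EditionID      # informational only, not part of the verdict
        OSBuild      = "$build.$ubr"
        BuildOk      = $buildOk
        Architecture = $arch
        ArchOk       = $archOk
        VbsStatus    = $vbsStatus
        VbsOk        = $vbsOk
        Eligible     = ($buildOk -and $archOk -and $vbsOk)
    }
}

Test-HotpatchClientPrereq | Format-List
```

A device that reports VbsOk as False will not meet the requirements listed above even if its build and CPU qualify, so VBS state is worth collecting fleet-wide before creating the policy.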
Hotpatching for Windows Server 2025
Starting July 1, 2025, Hotpatching for Windows Server 2025 will be generally available as a subscription service. It comes at a cost of $1.50 per CPU core per month. This feature, previously available for the Azure Edition of Windows Server Datacenter, is now available for servers running outside of Azure, provided they are connected to Azure Arc.
How It Works:
- Hotpatching patches the in-memory code of running processes without the need to restart the process.
- Servers will still need to restart about four times yearly for baseline updates.
Enabling Hotpatching:
- Connect your server to Azure Arc.
- Sign in to the Azure portal, go to Azure Update Manager, select your Azure Arc-enabled server, and select the hotpatching option.
Requirements:
- Windows Server 2025 Standard or Datacenter connected to Azure Arc.
- Subscription to the Hotpatch service.
More information
- Windows Server Hotpatching announcement: https://www.microsoft.com/en-us/windows-server/blog/2025/04/24/tired-of-all-the-restarts-get-hotpatching-for-windows-server/
- Windows 11 Enterprise Hotpatching announcement: https://techcommunity.microsoft.com/blog/windows-itpro-blog/hotpatch-for-windows-client-now-available/4399808
- Licensing Requirements: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-faq#what-are-the-licensing-requirements-for-windows-autopatch