
Forget Reboots, Live Patches are Coming to Windows 11 Enterprise Clients
Microsoft is introducing live patch updates for Windows 11 Enterprise, version 24H2, that allow critical security fixes to be applied without interrupting users. These updates, known as hotpatches, are available for x64 devices running on AMD or Intel CPUs. Hotpatch updates are designed to install quickly and take effect immediately. Unlike standard monthly security updates that require a system restart, hotpatch updates provide instant protection against vulnerabilities while allowing users to continue working. This new process can reduce the number of restarts from twelve per year to just four. The update schedule follows a quarterly cycle. In January, April, July, and October, devices install a complete security update with new features and fixes that do require a restart. In the two months that follow each of these baseline updates, devices receive hotpatch updates that only include security fixes and do not need a reboot. This approach ensures that essential protections are applied quickly without impacting daily work.
To use hotpatch updates, organizations need a Microsoft subscription that includes Windows 11 Enterprise (or Windows 365 Enterprise) and devices running build 26100.2033 or later. These devices must also be managed using Microsoft Intune, where IT administrators can set up a hotpatch-enabled quality update policy. The Intune admin center automatically detects eligible devices and manages the update process. Hotpatch updates are currently available on Intel and AMD-powered devices. For Arm64 devices, hotpatch updates are still in public preview and require an extra configuration step: disabling CHPE support via a registry key or the upcoming DisableCHPE CSP. This update system represents a more efficient way to secure Windows client devices. By minimizing the need for restarts and delivering updates in a predictable, quarterly cycle, Microsoft aims to help organizations protect their systems with minimal disruption. We expect these live patches to trickle down to more Windows 11 versions, like Home and Pro editions.
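The prerequisites and quarterly cycle described above can be checked on a device with a short script. This is an added example, not code from Microsoft or from this article; the function names are hypothetical, and treating the registry `EditionID` value `Enterprise` as a stand-in for the Enterprise requirement is an assumption. Subscription licensing and Intune policy assignment cannot be confirmed locally and are not checked.

```powershell
# Added example (hypothetical helper names). Checks the device-side prerequisites the article lists.
function Test-HotpatchPrerequisite {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Revision,
        [Parameter(Mandatory)][string]$EditionId,
        [Parameter(Mandatory)][string]$Architecture
    )
    $gaps  = [System.Collections.Generic.List[string]]::new()
    $notes = [System.Collections.Generic.List[string]]::new()

    # Article: devices must run build 26100.2033 or later.
    $have = [version]::new(10, 0, $Build, $Revision)
    if ($have -lt [version]'10.0.26100.2033') {
        $gaps.Add("Version $have is below 10.0.26100.2033")
    }
    # Assumption: EditionID 'Enterprise' represents the Windows 11 Enterprise requirement.
    if ($EditionId -ne 'Enterprise') {
        $gaps.Add("Edition '$EditionId' is not Enterprise")
    }
    # Article: available on x64 (AMD/Intel); Arm64 is in public preview with an extra step.
    switch ($Architecture) {
        'AMD64' { }
        'ARM64' { $notes.Add('Arm64: public preview; CHPE support must be disabled first') }
        default { $gaps.Add("Architecture '$Architecture' is not covered") }
    }
    [pscustomobject]@{
        Eligible = ($gaps.Count -eq 0)
        Gaps     = $gaps.ToArray()
        Notes    = $notes.ToArray()
    }
}

# Article: January, April, July and October are baseline months; the other eight are hotpatch months.
function Get-HotpatchMonthRole {
    param([ValidateRange(1, 12)][int]$Month)
    if ($Month -in 1, 4, 7, 10) { 'Baseline update (restart required)' }
    else { 'Hotpatch update (no restart)' }
}

# Constructed sample: a Pro device on an older revision fails two checks.
Test-HotpatchPrerequisite -Build 26100 -Revision 1742 -EditionId 'Professional' -Architecture 'AMD64' | Format-List

# Live check of the local device, then the role of the current month.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-HotpatchPrerequisite -Build ([int]$cv.CurrentBuild) -Revision ([int]$cv.UBR) `
    -EditionId $cv.EditionID -Architecture $env:PROCESSOR_ARCHITECTURE | Format-List
Get-HotpatchMonthRole -Month (Get-Date).Month
```

Run it from a 64-bit PowerShell session, since a 32-bit host reports `x86` in `PROCESSOR_ARCHITECTURE` even on x64 hardware.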