The Quarterly Cadence — Read This First
Hotpatch does not eliminate reboots entirely. It reduces them. Microsoft follows a fixed quarterly rhythm: one baseline month per quarter requires a full restart, the other two months deliver hotpatch updates that take effect without one.
| Quarter | Baseline (restart required) | Hotpatch months (no restart) |
|---------|-----------------------------|------------------------------|
| Q1      | January                     | February, March              |
| Q2      | April                       | May, June                    |
| Q3      | July                        | August, September            |
| Q4      | October                     | November, December           |

If a device misses a baseline month and is still on an older cumulative update, it receives both the baseline (restart) and the hotpatch in the same cycle, even during a hotpatch month. Keeping devices current on the baseline is what unlocks the no-restart months.
Prerequisites
These are stricter than most documentation implies. Validate every item below before deploying; the last one applies only to Arm64 hardware.
- OS: Windows 11 Enterprise (24H2 or later) or Windows Server 2025. Windows 10, Pro, and Education editions are not supported.
- Join type: Entra-joined only. Hybrid-joined and workplace-registered devices fall back to the standard Latest Cumulative Update (LCU) with a restart required.
- Virtualization-based Security (VBS): Must be active and running — enabled in BIOS/UEFI is not enough. Devices with VBS enabled but not running are flagged as ineligible and receive LCU instead.
- Arm64 only — disable CHPE: Hotpatch is incompatible with Compiled Hybrid Portable Executable (CHPE) binaries on Arm64. Set the following registry key once and restart:
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value: HotPatchRestrictions = 1 (DWORD)
Devices that fail any prerequisite are not blocked — they silently fall back to LCU (restart required) and stay compliant. The Hotpatch quality updates report shows which devices are receiving hotpatch vs. LCU and why.
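The following preflight is an added example, not a script from the original article or from Microsoft: it runs the four checks above on one device and reports which prerequisite, if any, will push it to the LCU. It assumes an elevated PowerShell session on the device, detects the edition from the EditionID registry value, and reads join state from dsregcmd /status; the object shape and the function name are this example's own.

```powershell
# Added example: local hotpatch prerequisite check (not from the original article).
# Assumes an elevated session on the device being checked.
function Test-HotpatchPrerequisites {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [version]$os.Version                       # e.g. 10.0.26100 for 24H2 / Server 2025
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $isServer2025 = $os.Caption -match 'Server 2025'
    # Build 26100 (24H2) or later, on Windows 11 Enterprise or Windows Server 2025.
    # 'Enterprise*' also matches EnterpriseN; Pro and Windows 10 fail this check.
    $osOk = ($build -ge [version]'10.0.26100') -and ($edition -like 'Enterprise*' -or $isServer2025)

    # dsregcmd prints "AzureAdJoined : YES" and "DomainJoined : YES".
    # Entra-joined only means the first is YES and the second is not (hybrid join sets both).
    $dsreg        = & dsregcmd.exe /status
    $entraJoined  = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $joinOk = $entraJoined -and -not $domainJoined

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    # Only 2 counts; "enabled but not running" is the case that silently falls back to LCU.
    $guard = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsOk = ($guard.VirtualizationBasedSecurityStatus -eq 2)

    # Arm64 only: HotPatchRestrictions = 1 disables CHPE. x64 has no equivalent requirement.
    $chpeOk = $true
    if ($env:PROCESSOR_ARCHITECTURE -eq 'ARM64') {
        $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $v  = (Get-ItemProperty -Path $mm -Name HotPatchRestrictions -ErrorAction SilentlyContinue).HotPatchRestrictions
        $chpeOk = ($v -eq 1)
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        Edition           = $edition
        OSSupported       = $osOk
        EntraJoinedOnly   = $joinOk
        VBSRunning        = $vbsOk
        Arm64ChpeDisabled = $chpeOk
        HotpatchEligible  = $osOk -and $joinOk -and $vbsOk -and $chpeOk
    }
}

$result = Test-HotpatchPrerequisites
$result | Format-List
if (-not $result.HotpatchEligible) {
    Write-Warning 'At least one prerequisite failed: this device will receive the LCU and restart.'
}
```

Run it on a representative device from each hardware model before enabling hotpatch for a ring; the per-check booleans tell you whether the fix is a firmware setting (VBSRunning), a registry value (Arm64ChpeDisabled), or something you cannot change on the device (join type, edition).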
Enable Hotpatch — Two Configuration Paths
Option 1: Tenant-level default
Applies to all managed devices not explicitly assigned to a quality update policy. This is the fastest way to enable hotpatch org-wide.
- In the Intune admin center, go to Tenant administration > Windows Autopatch > Tenant management
- Select the Tenant settings tab
- Toggle "When available, apply updates without restarting the device (hotpatch)" to Allow
Option 2: Quality update policy (recommended for staged rollout)
Use this when you want to target specific groups — test ring first, then broad production.
- Go to Devices > Windows updates > Quality updates tab
- Select Create > Windows quality update policy
- Give the policy a name and click Next
- Under Settings, set "When available, apply without restarting the device (hotpatch)" to Allow
- Assign to a device group and create
When a device is assigned to a quality update policy, that policy's hotpatch setting overrides the tenant default. Your existing update ring deferral and active-hour configurations are preserved — hotpatch policy layers on top, it does not replace them.
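The staged-rollout path above can also be driven from Microsoft Graph, which is useful when you manage rings as code. The script below is an added example, not from the original article or from Microsoft's documentation. It assumes the beta resource deviceManagement/windowsQualityUpdatePolicies with a boolean hotpatchEnabled property and an assign action, as exposed in the Graph beta API at the time of writing; confirm both in Graph Explorer before using this in production. The pilot group name and policy names are placeholders.

```powershell
# Added example: create a hotpatch-enabled quality update policy for a pilot ring via Graph.
# ASSUMED: the beta endpoint, the hotpatchEnabled property and the /assign action below.
# Verify them in Graph Explorer; they are not taken from the original article.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

$pilotGroupName = 'Hotpatch-Pilot'   # placeholder: your test-ring device group
$pilotGroup = Get-MgGroup -Filter "displayName eq '$pilotGroupName'" -Top 1
if (-not $pilotGroup) { throw "Pilot group '$pilotGroupName' not found." }

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdatePolicies'

# 1. Create the policy with the hotpatch setting allowed (the UI toggle
#    "When available, apply without restarting the device (hotpatch)").
$policyBody = @{
    '@odata.type'   = '#microsoft.graph.windowsQualityUpdatePolicy'
    displayName     = 'Quality updates - hotpatch pilot'
    description     = 'Hotpatch allowed; assigned to the pilot ring only'
    hotpatchEnabled = $true
}
$policy = Invoke-MgGraphRequest -Method POST -Uri $base -OutputType PSObject `
    -ContentType 'application/json' -Body ($policyBody | ConvertTo-Json -Depth 5)

# 2. Assign it to the pilot group. Devices in this group now follow the policy's
#    hotpatch setting instead of the tenant default; update ring deferrals are untouched.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $pilotGroup.Id } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
    -ContentType 'application/json' -Body ($assignBody | ConvertTo-Json -Depth 5) | Out-Null

# 3. Read the policy back and confirm the setting persisted.
Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)" -OutputType PSObject |
    Select-Object id, displayName, hotpatchEnabled
```

Widen the rollout by assigning the same policy to the broad production group once the pilot ring has gone through at least one hotpatch month without issues; do not create a second policy with a conflicting setting for overlapping groups.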
Verify Device Eligibility with PowerShell
Before rolling out broadly, audit which devices are actually eligible. Run this locally on a target device to check VBS status:
<#
.SYNOPSIS Checks local VBS status to verify hotpatch eligibility.
.NOTES Author: Souhaiel MORHAG | msendpoint.com | GitHub: https://github.com/Msendpoint | License: MIT | Version: 1.0
#>
# Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
# Get-CimInstance replaces the deprecated Get-WmiObject (absent in PowerShell 7).
$guard = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
switch ($guard.VirtualizationBasedSecurityStatus) {
    0 { Write-Host "VBS NOT enabled — device will receive LCU (restart required)" -ForegroundColor Red }
    1 { Write-Host "VBS enabled but not running — check UEFI settings (Secure Boot, virtualization extensions)" -ForegroundColor Yellow }
    2 { Write-Host "VBS running — device eligible for hotpatch" -ForegroundColor Green }
    default { Write-Host "Unknown VBS status '$($guard.VirtualizationBasedSecurityStatus)': Win32_DeviceGuard may be unavailable on this device" -ForegroundColor Yellow }
}
To enumerate Entra join status and OS version across your fleet using Microsoft Graph:
<#
.SYNOPSIS Reports devices eligible for hotpatch updates based on join type and OS version.
.NOTES Author: Souhaiel MORHAG | msendpoint.com | GitHub: https://github.com/Msendpoint | License: MIT | Version: 1.0
#>
Connect-MgGraph -Scopes "Device.Read.All"
$minBuild = [version]'10.0.26100'   # Windows 11 24H2 (and Windows Server 2025)
$devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All
$report = foreach ($d in $devices) {
    # Compare as [version], not as a string: a string comparison puts "10.0.9999" after "10.0.26100".
    $osVer = $null
    $parsed = [version]::TryParse($d.OperatingSystemVersion, [ref]$osVer)
    $is24H2Plus = $parsed -and ($osVer -ge $minBuild)
    # TrustType: AzureAd = Entra-joined, ServerAd = hybrid-joined, Workplace = registered
    $entraJoined = ($d.TrustType -eq 'AzureAd')
    [PSCustomObject]@{
        Name           = $d.DisplayName
        OSVersion      = $d.OperatingSystemVersion
        JoinType       = $d.TrustType
        Build24H2Plus  = $is24H2Plus
        EntraJoined    = $entraJoined
        LikelyEligible = $entraJoined -and $is24H2Plus
    }
}
$report | Sort-Object LikelyEligible -Descending | Format-Table -AutoSize
Note: This script indicates likely eligibility based on join type and build number. VBS status is only verifiable locally or through Intune's device compliance data — the Graph API does not expose VBS state directly.
Monitor Rollout
The dedicated report is at Reports > Windows Autopatch > Windows quality updates > Reports tab > Hotpatch quality updates report. It shows per-device whether the last update was delivered as a hotpatch or LCU, and surfaces devices with the Hotpatch - VBS not running alert.
In Windows Settings on any enrolled device, confirm enrollment under: Settings > Windows Update > Advanced options > Configured update policies — look for "Enable hotpatching when available".
Rollback
Automatic rollback is not supported. If a hotpatch update causes an issue, uninstall it manually through Settings or DISM, then install the standard LCU. Both operations require a device restart. For the DISM approach:
# List installed packages to find the hotpatch KB
DISM /Online /Get-Packages /Format:Table | findstr KB
# Uninstall by package name
DISM /Online /Remove-Package /PackageName:<Package_Full_Name>
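The same rollback can be done from the DISM PowerShell module, which makes it easier to find the package installed in the current cycle before removing anything. The block below is an added example, not from the original article: it lists packages installed within a configurable window, refuses to remove anything that is not currently installed, and uses -NoRestart so the restart happens in your maintenance window rather than immediately. The function names and the 45-day default are this example's own; it assumes an elevated session.

```powershell
# Added example: find and remove a recently installed update package with the DISM module.
# Not from the original article; assumes an elevated PowerShell session on the device.
function Get-RecentUpdatePackage {
    param([int]$Days = 45)   # one hotpatch month plus slack (example default)
    $since = (Get-Date).AddDays(-$Days)
    # Only packages that are actually installed; superseded or staged entries are not removal candidates.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageState -eq 'Installed' -and $_.InstallTime -ge $since } |
        Sort-Object InstallTime -Descending |
        Select-Object PackageName, ReleaseType, InstallTime
}

function Remove-UpdatePackage {
    param([Parameter(Mandatory)][string]$PackageName)
    $pkg = Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -eq $PackageName -and $_.PackageState -eq 'Installed' }
    if (-not $pkg) { throw "Package '$PackageName' is not installed on this device." }
    # -NoRestart defers the restart; the uninstall is not complete until the device restarts.
    Remove-WindowsPackage -Online -PackageName $PackageName -NoRestart | Out-Null
    Write-Host "Removed $PackageName. Restart the device, then install the standard LCU."
}

# Step 1: identify the package from the current cycle.
Get-RecentUpdatePackage | Format-Table -AutoSize
# Step 2: remove it by the full identity shown above, e.g.
# Remove-UpdatePackage -PackageName '<Package_Full_Name>'
```

Because the hotpatch month's package and the quarter's baseline package can both appear in the list on a device that caught up in the same cycle, check InstallTime and ReleaseType before choosing which identity to pass to Remove-UpdatePackage.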