MC1046878 – M365 Change Digest

One-line summary

Hotpatch updates are now generally available for Windows 11 Enterprise 24H2 (x64), enabling rapid, restart-free security updates via Windows Autopatch and Intune; Arm64 support remains in preview.

Similar updates

Details

Body (from Message Center)

Updated April 3, 2025: The language in the first paragraph was updated to provide more clarity on the update process.

Hotpatch updates are now available for organizational devices on Windows 11 Enterprise, version 24H2 and x64 (AMD/Intel) CPU. With hotpatch updates, you can quickly take measures to help protect your organization from cyberattacks, while minimizing user disruptions. You’ll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console. Eligible devices managed by this policy will be offered hotpatch updates in a quarterly cycle. Eight months out of twelve, you won’t need to restart the device for the security update to take effect.

When will this happen:

Hotpatch updates are generally available on Intel and AMD-powered devices as of today, April 2, 2025, with the feature becoming available on Arm64 devices at a later date.
For Arm64 devices, hotpatch updates are still in public preview.
A new DisableCHPE CSP will be available for Arm64 devices shortly after the April 2025 security update.

How this will affect your organization:

Hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities. Devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month. Users can continue their work without interruptions while hotpatch updates are installed. Hotpatch updates don’t require the PC to restart for the remainder of the quarter. (Note: OS features, firmware, and/or application updates may still cause a restart in the quarter.)

What you need to do to prepare:

Check if your devices are eligible for hotpatch updates by reading Additional information. If you meet the prerequisites, you can opt devices in (or out) for automated hotpatch update deployment using Windows Autopatch. From the Microsoft Intune admin center, navigate to Devices > Windows updates > Create Windows quality update policy and toggle it to Allow.

Additional information:

Read more about hotpatch for Windows client, its benefits, how it works, and how your organization can take advantage of it today.

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Check device eligibility for hotpatch",
      "Create/update Windows quality update policy in Intune",
      "Opt devices in or out of hotpatch deployment"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Hotpatch updates are now generally available for Windows 11 Enterprise 24H2 (x64), enabling rapid, restart-free security updates via Windows Autopatch and Intune; Arm64 support remains in preview.",
    "ai_topics": [
      "Windows",
      "Windows Autopatch",
      "Intune"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1046878",
    "importance": 1,
    "is_major_change": false,
    "last_modified": "2025-04-09T18:13:50Z",
    "ms_products": [
      "Windows",
      "Windows Autopatch"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows",
      "Windows Autopatch"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "(Updated) Hotpatch for Windows client now available"
  }
}