Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-07-01 16:59:27
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): —
Action by (AI): —
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:
One-line summary: New Windows quality update policies in Autopatch now enable hotpatch by default, improving security compliance and reducing downtime for supported devices.
Similar updates
MC1115741 Hotpatching now available for 64-bit Arm architecture
Hotpatching for Windows 11 24H2 Arm64 devices is now generally available, enabling security updates without restarts; admins must disable CHPE and enroll devices in a hotpatch policy. Hotpatching is now available for Windows 11, version 24H2 Arm64 devices. All you need to do is check your.
MC1046878 (Updated) Hotpatch for Windows client now available
Hotpatch updates are now generally available for Windows 11 Enterprise 24H2 (x64), enabling rapid, restart-free security updates via Windows Autopatch and Intune; Arm64 support remains in preview. Hotpatch updates are now available for organizational devices on Windows 11 Enterprise, version.
MC1068760 Resources to get started with hotpatch updates for Windows 11, version 24H2
Prerequisites include: Windows Autopatch prerequisites; Devices running Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) and with the current baseline update installed; An x64 CPU including AMD64 and Intel (Note: Arm64 devices are still in public preview); Microsoft Intune to manage deployment of hotpatch updates with a.
MC1138549 Hotpatch readiness: Enable VBS at scale
To use Windows Autopatch hotpatching (security updates without restart), you must enable virtualization-based security (VBS) on Windows clients using Intune, PowerShell, or Command Prompt. Prepare for hotpatch in your environment by meeting a key requirement to enable virtualization-based security (VBS) on.
MC999973 Reminder: Hotpatch eligibility and prerequisites
Hotpatch for Windows Autopatch is in public preview; devices need Windows 11 24H2 with Jan 2025 update, VBS enabled, and specific registry changes for Arm64 to deploy without restarts. (Updated 2/7 8:00pm to call out additional prerequisites related to OS version) Hotpatch is an extension of.
MC1185309 Windows Autopatch for the US government: How to get started
How this will affect your organization: This is what Windows Autopatch allows you to accomplish for your GCC devices: Control over which content is approved for deployment to which devices; Automation of a safe rollout process; Faster security with hotpatching; Pausing or expediting monthly quality updates or drivers; Simplified update.
Details
Body (from Message Center)
Newly created Windows quality update policies now have hotpatch updates enabled by default to streamline policy creation.
When will this happen:
This feature is now available for all Windows Autopatch users.
How this will affect your organization:
Organizations using Windows Autopatch will benefit from faster security compliance and reduced downtime for devices running supported Windows editions.
What you need to do to prepare:
Create your new Windows Autopatch quality update policies today to ensure your organization starts receiving hotpatches as early as August 2025. For new policies, hotpatch updates are enabled by default, so you only need to review and deploy them as usual.
To create a new quality update policy, follow the steps here:
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Windows updates > Quality updates.
- Select Create, and select Windows quality update policy.
- Under the Basics section, enter a name for your new policy and select Next.
- Under the Settings section, "When available, apply without restarting the device ("Hotpatch")" will be set to Allow.
- Select the appropriate Scope tags or leave as Default. Then, select Next.
- Assign the devices to the policy and select Next.
- Review the policy and select Create.
To enable hotpatch updates on your existing quality update policies, follow the steps here:
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Windows updates > Quality updates.
- Select the quality update policy you wish to modify. A new screen with its properties will appear.
- Select Edit in the “Settings” section.
- Under “Automatic update deployment” settings, locate the option "When available, apply without restarting the device ("hotpatch")."
- Toggle it to Allow.
Additional information:
- Learn about hotpatch updates for Windows 11.
- Learn how to enroll devices to receive hotpatch updates.
- Read Windows Autopatch documentation.
Raw JSON (for debugging)
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review and deploy new quality update policies",
      "Enable hotpatch on existing policies if desired"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "New Windows quality update policies in Autopatch now enable hotpatch by default, improving security compliance and reducing downtime for supported devices.",
    "ai_topics": [
      "Windows",
      "Intune"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1107364",
    "importance": 0,
    "is_major_change": false,
    "last_modified": "2025-07-01T16:59:27Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Hotpatching now enabled by default for new Windows quality update policies"
  }
}