Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-07-15 17:01:17
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): —
Action by (AI): —
Services: Windows
Tags: Admin impact
Master tags: Admin, Security
Roadmap IDs:
One-line summary: Hotpatching for Windows 11 24H2 Arm64 devices is now generally available, enabling security updates without restarts; admins must disable CHPE and enroll devices in a hotpatch policy.
Similar updates
More like this
MC1126220 Get started with July 2025 improvements in Windows 11
How this will affect your organization: You can start seeing improvements across various workflows in your organization with: Refreshed media for inbox Windows apps; General availability of hotpatching for Windows x64 and Arm64 devices; General availability of hotpatching for Windows Server 2025 through Azure Arc; Windows Autopatch groups.
MC1171745 Hotpatch efficiency unlocked: Smaller update size
Hotpatch updates are now generally available, offering smaller, faster security updates that install in the background without restarts, improving productivity and network performance. Hotpatch updates, which are smaller than standard Windows updates, bring faster security and improved.
MC1106737 Get started with June 2025 improvements in Windows 11
Monthly recap highlights new Windows 11, Intune, and Windows Server features like hotpatching, RBAC in Autopatch, and security updates; most improvements are already available or rolling out. How this will affect your organization: You can start seeing improvements across various workflows.
MC1107364 Hotpatching now enabled by default for new Windows quality update policies
New Windows quality update policies in Autopatch now enable hotpatch by default, improving security compliance and reducing downtime for supported devices. Newly created Windows quality update policies now have hotpatch updates enabled by default to streamline policy.
MC1138549 Hotpatch readiness: Enable VBS at scale
To use Windows Autopatch hotpatching (security updates without restart), you must enable virtualization-based security (VBS) on Windows clients using Intune, PowerShell, or Command Prompt. Prepare for hotpatch in your environment by meeting a key requirement to enable virtualization-based security (VBS) on.
MC1163560 Hotpatch-enrolled tenants upgrading to Windows 11, version 25H2
Windows 11 25H2 upgrade starts Sept 30, 2025; upgrading during baseline months (e.g., October) keeps hotpatch eligibility, otherwise devices get standard updates until next baseline. Windows 11, version 25H2 is now being offered to eligible devices via feature updates. For customers.
Details
Body (from Message Center)
More enterprise environments can now experience the power of security updates that don’t require a restart. Hotpatching is now available for Windows 11, version 24H2 Arm64 devices. All you need to do is check your prerequisites, disable Compiled Hybrid PE (CHPE), and enroll these devices into a quality update policy with hotpatching enabled.
When will this happen:
Hotpatching for 64-bit Arm architecture is now generally available.
How this will affect your organization:
With hotpatching, your organization can benefit from:
- Faster compliance: Security updates are applied immediately, reducing the window of vulnerability.
- No downtime: Users stay productive—no forced restarts or interruptions.
- Smaller update payloads: Faster installs and easier update orchestration.
- Enterprise-grade control: Integrated with Microsoft Intune and Windows Autopatch for streamlined management.
What you need to do to prepare:
Read Hotpatching now available for 64-bit Arm architecture to check if you meet the prerequisites and additional guidance to get started.
A unique prerequisite for Arm64 devices is disabling Compiled Hybrid PE (CHPE). Do this in one of the following ways:
- Use the DisableCHPE policy. Apply the following configuration service provider (CSP) setting via Microsoft Intune or Group Policy, then restart the device once: ./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1
- Use registry keys. You can also set the following registry key value to 1 and then restart the device once: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1
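The registry route above, written out as a PowerShell audit-and-set script. This is an added example, not part of the Message Center post: the function names are hypothetical, the REG_DWORD value type is an assumption the post does not state, and the native architecture is read from the machine environment key so the result holds under x64 emulation.

```powershell
# Added example: audit and set the HotPatchRestrictions value named above.
# Function names are hypothetical; the REG_DWORD type is an assumption.
$MmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$Name   = 'HotPatchRestrictions'

function Get-ChpeRestrictionState {
    # Native OS architecture from the machine environment, so the answer is
    # the same even when PowerShell itself runs as an emulated x64 process.
    $arch  = (Get-ItemProperty -Path $EnvKey -Name PROCESSOR_ARCHITECTURE).PROCESSOR_ARCHITECTURE
    $value = (Get-ItemProperty -Path $MmKey -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Architecture = $arch
        IsArm64      = ($arch -eq 'ARM64')
        CurrentValue = $value            # $null when the value is absent
        ChpeDisabled = ($value -eq 1)
    }
}

function Set-ChpeRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-ChpeRestrictionState
    if (-not $state.IsArm64) {
        Write-Warning "Not an Arm64 device ($($state.Architecture)); nothing to do."
        return $state
    }
    if ($state.ChpeDisabled) {
        Write-Verbose "$Name is already 1."
        return $state
    }
    if ($PSCmdlet.ShouldProcess($MmKey, "Set $Name = 1")) {
        New-ItemProperty -Path $MmKey -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning 'Value written. Restart the device once for it to take effect.'
    }
    Get-ChpeRestrictionState
}

# Audit only (makes no changes):
Get-ChpeRestrictionState
# Remediate from an elevated session; add -WhatIf to preview the change:
# Set-ChpeRestriction -Verbose
```

Collecting the `Get-ChpeRestrictionState` output across a device group shows which Arm64 machines still need the value (or the DisableCHPE policy) before enrollment in a hotpatch-enabled quality update policy.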
Additional information:
- Read Hotpatching now available for 64-bit Arm architecture for the complete announcement and technical guide.
- Find the DisableCHPE policy at System Policy CSP.
- Learn how to Enroll devices to receive hotpatch updates.
- Consult our comprehensive documentation on Hotpatch updates.
Raw JSON (for debugging)
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Check prerequisites for hotpatching",
      "Disable Compiled Hybrid PE (CHPE) on Arm64 devices",
      "Enroll devices in a hotpatch-enabled update policy"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Hotpatching for Windows 11 24H2 Arm64 devices is now generally available, enabling security updates without restarts; admins must disable CHPE and enroll devices in a hotpatch policy.",
    "ai_topics": [
      "Windows"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1115741",
    "importance": 1,
    "is_major_change": false,
    "last_modified": "2025-07-15T17:01:17Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Hotpatching now available for 64-bit Arm architecture"
  }
}