Hotpatch readiness: Enable VBS at scale
Message ID: MC1138549
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-08-20 17:04:15
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

To use Windows Autopatch hotpatching (security updates without restart), you must enable virtualization-based security (VBS) on Windows clients using Intune, PowerShell, or Command Prompt.

Details

Body (from Message Center)

Prepare for hotpatch in your environment by meeting a key requirement to enable virtualization-based security (VBS) on Windows client. With the hotpatching feature of Windows Autopatch, you can apply security updates to Windows without requiring a restart. VBS protects against kernel-level exploits and other advanced threats to help ensure your endpoints are secure and ready for patching. It’s straightforward to enable VBS, and here we’ll show you how—whether deploying at scale with Microsoft Intune or on a single device using PowerShell or Windows Command Prompt. 
 
How this will affect your organization: 
You’ll need to enable VBS as a requirement for hotpatch, which applies security updates to Windows without requiring a restart. Hotpatch minimizes downtime while improving patch compliance and reducing risk.  
 
What you need to do to prepare: 
You’ll need to ensure VBS is enabled for hotpatch. Learn the steps to take for three different methods of enabling VBS at your organization—whether at scale using Microsoft Intune or on single devices using PowerShell or Windows Command Prompt. Then learn how to validate and monitor VBS.  

To enable VBS using the Intune method, follow these steps:
  • In the Intune admin center, go to Devices > Manage Devices > Configuration
  • Under the Policies tab, create a new profile by selecting Create > New policy
  • In the Create a profile flyout, select Windows 10 and later
  • For profile type, select Settings catalog
  • On the next screen, name your profile under Basics.  
  • Navigate to the Configuration settings tab and select Add settings
  • In the Settings picker flyout, start typing “Virtualization Based Technology” and select it from the search results.  
  • Locate and select the Hypervisor Enforced Code Integrity setting name among the results to enable memory integrity.  
  • Complete the wizard by setting scope, assignments, and reviewing your configuration.
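
Once the profile has applied and the device has restarted, the result can be checked on the device itself. The following PowerShell is an added example, not part of the Message Center post: it reads the Win32_DeviceGuard CIM class to report whether VBS and memory integrity are actually running, not just configured. The function name `Get-VbsReadiness` and the output property names are illustrative assumptions.

```powershell
# Added example (not from the Message Center post). Get-VbsReadiness and its
# output property names are illustrative; the CIM class and its values are Windows'.
function Get-VbsReadiness {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the configured and running state of VBS services.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus:
    #   0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        VbsState          = $vbsState
        # VBS running is the prerequisite the post names for hotpatch.
        VbsRunning        = ($vbsState -eq 'Running')
        # In SecurityServices* arrays, 2 = hypervisor-enforced code integrity,
        # the setting selected in the Intune Settings catalog steps.
        HvciConfigured    = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning       = ($dg.SecurityServicesRunning -contains 2)
        # In AvailableSecurityProperties, 1 = hypervisor support, 2 = Secure Boot.
        # Missing values here help explain an 'EnabledNotRunning' result.
        HypervisorSupport = ($dg.AvailableSecurityProperties -contains 1)
        SecureBoot        = ($dg.AvailableSecurityProperties -contains 2)
    }
}

# Run locally in an elevated PowerShell session.
Get-VbsReadiness | Format-List
```

A device that reports `HvciConfigured` as true but `VbsState` as `EnabledNotRunning` has received the policy but has not yet restarted or lacks a hardware prerequisite.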

Additional information: 
