A Complete Guide to Configuring and Verifying Windows Hotpatch Updates on Windows 11 Enterprise
Matthew Tinney
A Focused, Compassionate Visionary, Father of Twin Boys. Author of "Driven by Heart: Transforming IT from the Inside Out"
Let’s talk about the most remarkable recent update for Windows 11. It introduces Hotpatch updates for Windows 11 Enterprise, version 24H2 and later.
Why is it significant for businesses?
Hotpatch allows security updates to be applied without requiring a system reboot.
Traditionally, installing updates on Windows devices often involved rebooting, which disrupted workflows and hurt employee productivity. Hotpatching addresses these issues by eliminating the need for restarts or downtime while still delivering all the necessary security fixes.
Hotpatch, which has already been working on Windows Server for two years, is now available (in preview) for Windows 11.
This enhancement is a crucial development for organizations that must keep downtime to a minimum and need their systems to be up all the time.
In this blog post, we’ll learn the concept of hotpatching in detail and see how, step-by-step, we can configure Windows Hotpatch.
Overview of Windows Hotpatch for Windows 11 Enterprise
Hotpatching is a major shift in how Windows 11 Enterprise handles updates. Hotpatch updates are part of the regular monthly security patches (also known as the B-release), but the key difference is automatic installation. To plan around them, you need to distinguish between baseline releases and hotpatch updates.
Baseline releases are typically deployed every quarter. They include the latest security updates, features, and system enhancements, but they still require a reboot. Hotpatch updates, on the other hand, focus exclusively on security fixes.
If you understand this difference, you can manage your update schedules quite effectively. This way, you ensure your security is maintained without sacrificing efficiency.
Eligibility Criteria for Windows Hotpatch Updates
You need to meet some specific requirements to take advantage of hotpatch updates on Windows 11 Enterprise.
First, the devices must be using Windows 11 version 24H2 or later.
Then, you must enable Virtualization-Based Security (VBS) to ensure secure installation. Another prerequisite is having the latest Baseline Release installed on the device.
If your devices do not meet these criteria, they will automatically receive the Latest Cumulative Update (LCU) instead. LCUs include the monthly updates that replace the previous month’s releases. They contain both security and non-security fixes. However, unlike hotpatch updates, LCUs require a system restart.
Configuring Windows Hotpatch Updates
Windows hotpatch for Windows 11 is configured in the Policy CSP, under the Update CSP (Configuration Service Provider).
You’ll find a new setting, AllowRebootlessUpdates. It has recently been added to this section. This is the setting that enables devices to receive hotpatch updates by ensuring eligible devices are enrolled properly.
There is also a new policy for Windows quality updates that is solely focused on configuring the behavior of hotpatch updates.
Below are the six steps required to set up this policy:
a: Set the slider for Apply the latest cumulative quality updates for security to Allow.
b: Set the slider for When available, apply without restarting the device (“hotpatch”) to Allow. This will enable hotpatch on the device.
You have successfully enabled Windows hotpatching on eligible devices. Remember, however, that the Update Ring configurations will still apply.
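To verify a device against the eligibility criteria and the AllowRebootlessUpdates setting described above, the following PowerShell check can be run locally. It is an added example, not code from the original article or from Microsoft. It assumes that 24H2 corresponds to build 26100, that MDM-delivered Update policies are mirrored under the PolicyManager registry key shown, and that a value of 1 means allowed. The function name Test-HotpatchEligibility is hypothetical.

```powershell
# Added example: reports which hotpatch prerequisites from this article a device fails.
# Run in an elevated PowerShell session on the device being checked.

function Test-HotpatchEligibility {
    param(
        [int]$Build,         # OS build number; assumption: 24H2 is build 26100
        [string]$EditionId,  # EditionID from the registry, e.g. 'Enterprise'
        [int]$VbsStatus,     # Win32_DeviceGuard: 0 = off, 1 = enabled, 2 = running
        $PolicyValue         # AllowRebootlessUpdates from MDM, or $null if absent
    )
    $gaps = @()
    if ($Build -lt 26100) {
        $gaps += "Build $Build is older than Windows 11 24H2 (26100)"
    }
    if ($EditionId -ne 'Enterprise') {
        $gaps += "Edition '$EditionId' is not Enterprise"
    }
    if ($VbsStatus -ne 2) {
        $gaps += "VBS is not running (status $VbsStatus)"
    }
    if ($PolicyValue -ne 1) {
        # Assumption: 1 = allowed; a missing value means the policy was never delivered.
        $gaps += 'AllowRebootlessUpdates is not set to 1 on this device'
    }
    return $gaps
}

# Collect the facts from the live system.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
# Assumption: Policy CSP Update settings received via MDM are mirrored here.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' `
           -ErrorAction SilentlyContinue

$gaps = Test-HotpatchEligibility -Build ([int]$cv.CurrentBuildNumber) `
            -EditionId $cv.EditionID `
            -VbsStatus $dg.VirtualizationBasedSecurityStatus `
            -PolicyValue $pol.AllowRebootlessUpdates

if ($gaps) {
    $gaps | ForEach-Object { Write-Output "NOT MET: $_" }
} else {
    Write-Output 'All checked prerequisites are met.'
}
# The third criterion is not covered by this script.
Write-Output 'Not checked: whether the latest Baseline Release is installed.'
```

A device that reports any "NOT MET" line will fall back to the Latest Cumulative Update and its restart, as described in the eligibility section.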