Microsoft is rolling out hotpatching for Windows 11 devices managed through Microsoft Intune and Windows Autopatch, but not every machine qualifies, and it won't eliminate all reboots. The feature, designed to cut the number of monthly restarts caused by security updates, is now entering broader deployment after months of public preview and private validation. For IT administrators, understanding the precise eligibility gates, baseline update rules, and pilot mechanics is essential before switching it on.
What is Windows 11 hotpatching?
Hotpatching applies security fixes to the in-memory code of running Windows components, including the kernel, without a system restart. It relies on Virtualization-Based Security (VBS): the hardware-backed, hypervisor-isolated environment that VBS provides is where the patching operations run, outside the normal OS kernel. Because the patch is applied to the in-memory image rather than only to the on-disk binaries, the fix takes effect immediately and remains in force until the next reboot, at which point the underlying on-disk binaries are refreshed.
Microsoft first introduced hotpatching with Windows Server Azure Edition and has gradually expanded it to client Windows. For Windows 11, the capability is restricted to Enterprise and Education editions (E3/E5/A3/A5 licenses) and requires cloud-attached management through Intune or Windows Autopatch. Home, Pro, and unmanaged devices are not eligible.
Crucially, hotpatching is not a permanent "no reboot" guarantee. Every quarter a baseline update must be installed, and that one does require a restart. The two monthly security updates that follow it can then be delivered as hotpatches with no reboot. This cadence (three monthly update cycles per quarter, only one of which restarts the machine) takes an organization that reboots for every monthly security update from twelve restarts a year down to four, roughly two-thirds fewer.
Eligibility: the hardware and software gates
Before a Windows 11 device can receive hotpatches, it must clear several gates:
- Edition and licensing: Windows 11 Enterprise E3/E5 or Education A3/A5. Mixed-license environments should verify license assignments in the Microsoft 365 admin center or Microsoft Entra ID (formerly Azure AD).
- Management channel: Devices must be enrolled in Microsoft Intune or Windows Autopatch. Co-management with Configuration Manager is not supported for hotpatch download, though ConfigMgr can still handle baselines.
- Virtualization-Based Security (VBS) running: Hotpatching requires VBS to be enabled and actually running, not merely configured, with Memory Integrity (Hypervisor-Enforced Code Integrity, HVCI) turned on. Devices whose hardware cannot support VBS (for example, older CPUs without second-level address translation (SLAT), or platforms without an IOMMU for DMA protection) cannot turn on HVCI and are automatically excluded.
- Secure Boot: Must be enabled. Without it, the VBS trust chain is broken, and hotpatch will not function.
- Baseline update installed: Each quarterly hotpatch cycle starts with a specific cumulative update that acts as the baseline. Only devices running that exact baseline build can receive the subsequent hotpatches. If a device falls behind, or installs a later non-hotpatch cumulative update instead, it must re-establish the baseline, which means a reboot.
- Windows 11 version: Hotpatch is supported on Windows 11 Enterprise, version 24H2 (build 26100) and later; earlier versions such as 22H2 and 23H2 are not eligible. Devices must also be on at least the minimum build Microsoft specifies for the current baseline. Microsoft publishes the required baseline KB and build numbers in its hotpatch deployment guide and release notes.
IT admins can check readiness using the Microsoft Intune admin center or Windows Autopatch reports. The 'Hotpatch compatibility' report in Autopatch shows which devices meet all the prerequisites, and the Intune 'Feature update' and 'Quality update' reports expose per-device VBS and Secure Boot status.
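The tenant reports above tell you the fleet-wide picture; for a single device (a pilot candidate, or a machine the report flags as ineligible) it is useful to check the same gates locally. The script below is an added example written for this page, not Microsoft's code. It reads the edition and build from the registry, VBS and HVCI state from the Win32_DeviceGuard WMI class, and Secure Boot via Confirm-SecureBootUEFI. It assumes Windows 11 24H2 corresponds to build 26100, and it takes the minimum UBR for the current quarter's baseline as a parameter, since that number changes with each baseline and must be taken from Microsoft's release notes. Run it in an elevated session (Confirm-SecureBootUEFI requires it).

```powershell
# Added example: local hotpatch readiness check (not Microsoft's or the page's code).
# Run elevated. Assumptions: 24H2 == build 26100; the baseline UBR comes from
# Microsoft's current hotpatch release notes and is passed in by the admin.
function Test-HotpatchReadiness {
    [CmdletBinding()]
    param(
        [int]$MinimumBuild = 26100,   # Windows 11, version 24H2
        [int]$MinimumUbr   = 0        # per-quarter baseline UBR; 0 = don't check the UBR
    )

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Edition gate: Enterprise / Education (and their N variants). LTSC ("EnterpriseS") fails this.
    $editionOk = $cv.EditionID -match '^(Enterprise|Education)N?$'

    # Build gate: 24H2 or later, and at least the baseline UBR when one was supplied.
    $build   = [int]$cv.CurrentBuild
    $ubr     = [int]$cv.UBR
    $buildOk = ($build -gt $MinimumBuild) -or ($build -eq $MinimumBuild -and $ubr -ge $MinimumUbr)

    # VBS gate: VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsOk = $dg.VirtualizationBasedSecurityStatus -eq 2
    # HVCI (Memory Integrity): service id 2 must appear in the *running* services, not just configured.
    $hvciOk = $dg.SecurityServicesRunning -contains 2

    # Secure Boot gate: the cmdlet throws on legacy BIOS / non-UEFI firmware, which is a fail.
    try { $secureBootOk = [bool](Confirm-SecureBootUEFI) } catch { $secureBootOk = $false }

    $eligible = $editionOk -and $buildOk -and $vbsOk -and $hvciOk -and $secureBootOk

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Edition      = $cv.EditionID
        Build        = "$build.$ubr"
        EditionOk    = $editionOk
        BuildOk      = $buildOk
        VbsRunning   = $vbsOk
        HvciRunning  = $hvciOk
        SecureBoot   = $secureBootOk
        Eligible     = $eligible
    }
}

# Pass the UBR of the current baseline from Microsoft's notes, e.g. -MinimumUbr <ubr>.
Test-HotpatchReadiness | Format-List
```

A device that shows VbsRunning false but HvciRunning true is not possible; the usual failure pattern is VirtualizationBasedSecurityStatus = 1 (policy applied, no reboot yet) or 0 with a firmware setting (virtualization extensions, IOMMU, Secure Boot) disabled, which is where to look first.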
The rollout phases: pilot, baseline, broad
Microsoft has structured the rollout in three deliberate phases:
1. Pilot phase
Organizations start by selecting a pilot device group (usually IT department and early adopters) in Intune or Autopatch. Microsoft then pre-populates these devices with the baseline update. During the pilot, which often spans one full quarterly cycle, admins validate application compatibility, performance, and the hotpatch installation experience. Any issues can be reported through standard support channels or the Windows Feedback Hub.
2. Baseline installation
Once the pilot succeeds, the baseline update is deployed to all eligible devices. This is a regular cumulative update that requires a download, installation, and a restart. The baseline serves as the trusted starting point for hotpatching; without it, subsequent hotpatches will not be offered.
3. Broad hotpatch deployment
For the two months following the baseline, Microsoft releases a security update that is delivered as a hotpatch. Devices that meet all eligibility rules and have the correct baseline will receive the patch, which installs in seconds with no reboot. The process is virtually transparent to end users. After three months, a new baseline is released, and the cycle repeats.
Administrators can monitor hotpatch delivery through the Windows Update for Business reports in Intune or the Autopatch dashboard. Successful hotpatch installations appear as 'Security update' events with a 'No reboot required' tag.
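During the pilot it is worth confirming the same two facts directly on a device: that the month's security update was the hotpatch variant, and that it left nothing pending a restart. The script below is an added example for this page, not Microsoft's code. It reads the Windows Update history through the Microsoft.Update.Session COM interface and checks the two registry markers servicing sets when a reboot is required. It assumes hotpatch packages carry the word "Hotpatch" in their Windows Update title, as the Windows Server Azure Edition hotpatch packages do; adjust the pattern if the titles in your tenant differ.

```powershell
# Added example (not Microsoft's or the page's code): verify on a device that the latest
# security update arrived as a hotpatch and that no reboot is pending afterwards.
# Assumption: hotpatch KB titles contain "Hotpatch"; change $HotpatchPattern if yours do not.
$HotpatchPattern = 'Hotpatch'

function Get-RecentUpdateHistory {
    param([int]$Days = 35)   # just over one monthly cycle
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $since = (Get-Date).AddDays(-$Days)

    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.Date -ge $since } |   # Operation 1 = install
        ForEach-Object {
            [pscustomobject]@{
                Date       = $_.Date
                Title      = $_.Title
                Succeeded  = (@(2, 3) -contains $_.ResultCode)   # 2 = succeeded, 3 = succeeded with errors
                IsHotpatch = ($_.Title -match $HotpatchPattern)
            }
        } | Sort-Object Date -Descending
}

function Test-PendingReboot {
    # Component Based Servicing sets the first key; the Windows Update agent sets the second.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return ($cbs -or $wua)
}

$history = Get-RecentUpdateHistory
$latest  = $history | Where-Object { $_.Title -match 'Security Update|Cumulative Update' } | Select-Object -First 1

[pscustomobject]@{
    LatestUpdate        = $latest.Title
    InstalledAt         = $latest.Date
    InstallSucceeded    = $latest.Succeeded
    DeliveredAsHotpatch = $latest.IsHotpatch
    RebootPending       = Test-PendingReboot
}
```

Expect DeliveredAsHotpatch true and RebootPending false in the two hotpatch months, and DeliveredAsHotpatch false with RebootPending true (until the user restarts) in the baseline month. A device showing a non-hotpatch cumulative update in a hotpatch month has fallen out of the cadence and will need the next baseline, with its reboot, before it is offered hotpatches again.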
What hotpatch does, and does not, cover
Microsoft's messaging has shifted from the initial "nearly all monthly updates" to a more precise scope. Hotpatching currently applies only to the monthly security updates, not to optional non-security preview updates, .NET Framework patches, or out-of-band emergency fixes. Hotpatches also do not include:
- Driver updates
- Servicing stack updates (SSU)
- Feature updates
- Security intelligence (definition) updates for Microsoft Defender Antivirus (these are delivered through their own channel in any case)
In practice, most devices will still require a reboot at least once a quarter for the baseline, and possibly more often if other update types demand it. However, for security-conscious organizations that stick to the monthly security update routine, hotpatch removes the most common reboot triggers.
Preparing your environment: a practical checklist
- Audit licenses and editions: Confirm that all eligible devices are on Windows 11 Enterprise or Education, with the correct subscription licensing. The 'Microsoft 365 license' report in Intune is helpful here.
- Enable VBS and HVCI: On modern hardware, VBS and Memory Integrity are often enabled by default. Use the 'Windows Security' app or Group Policy to verify and enable. For managed devices, push the policy 'Turn on Virtualization Based Security' via Intune.
- Turn on Secure Boot: Most enterprise PCs ship with Secure Boot enabled, but verify through the firmware settings or using msinfo32.exe.
- Ensure devices are on a supported build: Hotpatch requires Windows 11 Enterprise, version 24H2 (build 26100) with the latest servicing stack updates; 22H2 and 23H2 devices must be upgraded first. Use Intune's 'Windows Update rings' to keep devices current.
- Enroll in Windows Autopatch (or pure Intune): While hotpatch can work with Intune alone, Autopatch automates the baseline/pilot/hotpatch cadence, significantly reducing administrative overhead.
- Set up pilot groups: In Autopatch, configure a 'Test' deployment ring with a small number of devices. In standalone Intune, create a custom device group and target it with the initial baseline.
- Communicate with end users: While hotpatch is silent, the quarterly baseline reboot is not. Notify users about the planned restart window.
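The VBS and HVCI step above is normally done with the Intune or Group Policy setting, but on a lab or pilot machine it helps to see exactly what that setting writes. The script below is an added example for this page, not Microsoft's or the page's code. It sets the same DeviceGuard registry values that the 'Turn on Virtualization Based Security' policy configures, then reads back the state. It assumes UEFI firmware with Secure Boot already on, an elevated session, and that a restart will follow; VBS reports itself as running only after that reboot. Use the policy, not this script, for production devices.

```powershell
# Added example (not Microsoft's or the page's code): enable VBS with Memory Integrity (HVCI)
# on a lab/pilot device by writing the DeviceGuard registry values the policy sets.
# Assumptions: UEFI + Secure Boot already on; run elevated; reboot afterwards.
function Enable-VbsWithHvci {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # RequirePlatformSecurityFeatures: 1 = Secure Boot required, 3 = Secure Boot + DMA protection.
        [ValidateSet(1, 3)][int]$PlatformSecurityLevel = 1
    )
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

    foreach ($key in $dgKey, $hvciKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($PSCmdlet.ShouldProcess($dgKey, 'Enable Virtualization Based Security')) {
        Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
        Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Type DWord -Value $PlatformSecurityLevel
        # Locked = 0 leaves the setting changeable from the OS; 1 would UEFI-lock it (needs firmware to undo).
        Set-ItemProperty -Path $dgKey -Name Locked -Type DWord -Value 0
    }
    if ($PSCmdlet.ShouldProcess($hvciKey, 'Enable Memory Integrity (HVCI)')) {
        Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
        Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value 0
    }

    # Read back: SecurityServicesConfigured reflects the new policy immediately,
    # VirtualizationBasedSecurityStatus only reaches 2 (running) after the restart.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatusNow   = $dg.VirtualizationBasedSecurityStatus     # 0 off, 1 configured/not running, 2 running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
        RebootRequired = $true
    }
}

Enable-VbsWithHvci -WhatIf   # preview the changes; drop -WhatIf to apply, then restart
```

Level 3 (DMA protection) is the stricter choice but fails to start VBS on hardware without a usable IOMMU, so keep it at 1 unless the fleet's hardware baseline guarantees it; a device that boots with VbsStatusNow stuck at 1 after the restart is the symptom of that mismatch.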
Known limitations and caveats
Hotpatching is not a silver bullet. During the public preview, some admins reported that hotpatch delivery could be delayed by several days compared to traditional updates, though Microsoft has since improved its release pipeline. Additionally, devices that frequently hibernate or are turned off for extended periods may miss a hotpatch window. If they miss two consecutive hotpatches, they must apply the full baseline (with a reboot) to catch up.
Third-party security products that hook deeply into the kernel may conflict with VBS and hotpatch. Microsoft recommends testing with your endpoint protection and EDR solutions during the pilot phase.
Finally, the feature is exclusive to the cloud-managed, Intune-centric world. Organizations still reliant on on-premises Configuration Manager or WSUS will not be able to use hotpatching without transitioning their update management to the cloud.
The bigger picture: Microsoft\u2019s reboot-reduction journey
Hotpatching is one piece of a broader Microsoft strategy to minimize user disruption from updates. Features like 'Active Hours', 'Update Stack Package', and the 'Unified Update Platform' have already shrunk offline time, but hotpatching is the most direct answer to the reboot problem. By moving Windows 11 to a servicing model that keeps the kernel running while patching vulnerabilities, Microsoft brings its client OS closer to the resilience long offered by certain server and Linux distributions.
As the Windows 11 ecosystem matures and VBS-capable hardware becomes ubiquitous, hotpatching coverage may expand to more update types and even to consumer editions. For now, though, it remains an enterprise-exclusive tool, one that demands careful planning and a clear-eyed understanding of its requirements and cadence.