Intune – Hotpatch is becoming available for client devices

You may be aware of a major overhaul of Windows Update that allows Windows updates to be deployed without a restart (see Hotpatch for Windows Server | Microsoft Learn).

This ‘hotpatch’ capability was first introduced for Windows Server (2022, 2025) running in Azure and was then extended to Windows Server running on-premises (in preview).

Well, the good news is that this is now also being extended to client devices, including cloud PCs [AVD, Cloud PC] (Windows 11 24H2), in preview too.

Before going into the details of implementing hotpatching for client devices (or for servers, as the requirements are the same), ensure that Virtualization-based security features are enabled (Virtualization-based Security (VBS) | Microsoft Learn) and that you have the proper licensing: Microsoft 365 Business Premium or Microsoft 365 A3/A5 (including Education) (Prerequisites | Microsoft Learn).

Now you can create a Quality Updates profile (from the Devices\Manage updates\Windows updates blade in the Intune portal).


When configuring this update profile, turn on the “When available, apply without restarting the device” option to enable hotpatching on your devices.


Although hotpatching installs updates without a restart, devices will still need to restart at some point.

A device restart with hotpatching will be required every quarter (January, April, July and October).

Of course, hotpatching does not apply to feature updates (23H2 to 24H1), driver updates and (at least at this stage; this may change in the future) non-security updates (whether a restart is needed depends on the update).

Once the update is deployed and applied, Windows Update on the client device reports that the update was installed without a restart.

You can confirm the hotpatching policy has been applied by going to Settings\Windows Update\Advanced Options\Configured update policies and looking for Enable hotpatching when available.


It can also be double-checked using the following registry key and values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
  • AllowRebootlessUpdates: value set to 1 – type REG_DWORD
  • AllowRebootlessUpdates_ProviderSet: value set to 1 – type REG_DWORD
  • AllowAutoUpdate_WinningProvider: value set to a GUID – type REG_SZ
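
One way to script this verification for auditing devices, as an added example that is not part of the original post: it reads the registry key and values listed above and also checks the VBS prerequisite through the Win32_DeviceGuard CIM class. The function name Test-HotpatchPolicy is hypothetical, and treating a VBS status of 2 (running) as the pass condition is an assumption.

```powershell
# Added example: audit the hotpatch policy values and the VBS prerequisite locally.
# Key and value names are the ones listed in the post; the function name is hypothetical.
function Test-HotpatchPolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    )

    # Expected data per the post: two DWORDs set to 1 and one string holding a GUID.
    $isOne  = { param($v) $v -eq 1 }
    $isGuid = { param($v) $g = [guid]::Empty; [guid]::TryParse([string]$v, [ref]$g) }
    $expected = [ordered]@{
        'AllowRebootlessUpdates'             = @{ Kind = 'DWord';  Test = $isOne }
        'AllowRebootlessUpdates_ProviderSet' = @{ Kind = 'DWord';  Test = $isOne }
        'AllowAutoUpdate_WinningProvider'    = @{ Kind = 'String'; Test = $isGuid }
    }

    # A missing key (policy never delivered) is reported, not thrown.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $results = foreach ($name in $expected.Keys) {
        $present = ($null -ne $key) -and ($key.GetValueNames() -contains $name)
        $value   = if ($present) { $key.GetValue($name) } else { $null }
        $kind    = if ($present) { $key.GetValueKind($name).ToString() } else { 'Missing' }
        [pscustomobject]@{
            Name  = $name
            Value = $value
            Kind  = $kind
            Ok    = $present -and ($kind -eq $expected[$name].Kind) -and
                    [bool](& $expected[$name].Test $value)
        }
    }

    # VBS prerequisite: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    [pscustomobject]@{
        PolicyValues = $results
        VbsRunning   = $vbsRunning
        Compliant    = $vbsRunning -and -not ($results.Ok -contains $false)
    }
}

$report = Test-HotpatchPolicy
$report.PolicyValues | Format-Table -AutoSize
$report | Select-Object VbsRunning, Compliant
```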
