| 1 | +--- |
| 2 | +title: Windows quality update policy |
| 3 | +description: Use Hotpatch updates to receive security updates without restarting your device |
| 4 | +ms.date: 04/17/2025 |
| 5 | +author: Smritib17 |
| 6 | +ms.author: smbhardwaj |
| 7 | +manager: dougeby |
| 8 | +ms.reviewer: Mounika |
| 9 | +ms.topic: how-to |
| 10 | +ms.service: microsoft-intune |
| 11 | +ms.localizationpriority: high |
| 12 | +ms.subservice: protect |
| 13 | +ms.collection: |
| 14 | + - highpri |
| 15 | + - tier1 |
| 16 | +--- |
| 17 | + |
| 18 | +# Windows quality update policy |
| 19 | + |
| 20 | +Windows policy updates policy allows you to deploy Hotpatch updates. Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted. |
| 21 | + |
| 22 | +Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy. |
| 23 | + |
| 24 | +## Key benefits |
| 25 | + |
| 26 | +- Hotpatch updates streamline the installation process and enhance compliance efficiency. |
| 27 | +- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies. |
| 28 | +- The [Hotpatch quality update report](/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
| 29 | + |
| 30 | +## Prerequisites |
| 31 | + |
| 32 | +To benefit from Hotpatch updates, devices must meet the following prerequisites: |
| 33 | + |
| 34 | +- For licensing requirements, see [Prerequisites](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites) |
| 35 | +- Windows 11 Enterprise version 24H2 or later |
| 36 | +- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). |
| 37 | +- Microsoft Intune to manage hotpatch update deployment with the [Windows quality update policy with hotpatch turned on](#enroll-devices-to-receive-hotpatch-updates). |
| 38 | + |
| 39 | +## Operating system configuration prerequisites |
| 40 | + |
| 41 | +To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates. |
| 42 | + |
| 43 | +### Virtualization based security (VBS) |
| 44 | + |
| 45 | +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). |
| 46 | + |
| 47 | +> [!NOTE] |
| 48 | +> Devices might be temporarily ineligible because they don't have VBS enabled or aren't currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates). |
| 49 | + |
| 50 | +### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) |
| 51 | + |
| 52 | +> [!IMPORTANT] |
| 53 | +> **Arm 64 device support is in public preview**. |
| 54 | + |
| 55 | +To ensure all the Hotpatch updates are applied, you must set the **Compiled Hybrid Portable Executable** (CHPE) disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. |
| 56 | + |
| 57 | +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries. |
| 58 | + |
| 59 | +To disable CHPE, create and/or set the following DWORD registry key: |
| 60 | + |
| 61 | +Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management DWORD key value: HotPatchRestrictions=1` |
| 62 | + |
| 63 | +To learn more about CHPE, see [here](/windows/win32/winprog64/wow64-implementation-details) |
| 64 | + |
| 65 | +> [!NOTE] |
| 66 | +> There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don't have CHPE. |
| 67 | + |
| 68 | +If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. |
| 69 | + |
| 70 | +## Ineligible devices |
| 71 | + |
| 72 | +Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases. |
| 73 | + |
| 74 | +LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant. |
| 75 | + |
| 76 | +> [!NOTE] |
| 77 | +> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings. |
| 78 | + |
| 79 | +## Release cycles |
| 80 | + |
| 81 | +For more information about the release calendar for hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). |
| 82 | + |
| 83 | +- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required. |
| 84 | +- Hotpatch: Includes security updates. No restarted required. |
| 85 | + |
| 86 | +| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) | |
| 87 | +| ----- | ----- | ----- | |
| 88 | +| 1 | January | February and March | |
| 89 | +| 2 | April | May and June | |
| 90 | +| 3 | July | August and September | |
| 91 | +| 4 | October | November and December | |
| 92 | + |
| 93 | +## Hotpatch on Windows 11 Enterprise or Windows Server 2025 |
| 94 | + |
| 95 | +> [!NOTE] |
| 96 | +> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). |
| 97 | + |
| 98 | +Hotpatch updates are similar between Windows 11 and Windows Server 2025. |
| 99 | + |
| 100 | +- Windows Autopatch manages Windows 11 updates |
| 101 | +- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). |
| 102 | + |
| 103 | +The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It's possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date. |
| 104 | + |
| 105 | +## Enroll devices to receive Hotpatch updates |
| 106 | + |
| 107 | +> [!NOTE] |
| 108 | +> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group. |
| 109 | + |
| 110 | +**To enroll devices to receive Hotpatch updates:** |
| 111 | + |
| 112 | +1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). |
| 113 | +1. Select **Devices** from the left navigation menu. |
| 114 | +1. Under the **Manage updates** section, select **Windows updates**. |
| 115 | +1. Go to the **Quality updates** tab. |
| 116 | +1. Select **Create**, and select **Windows quality update policy**. |
| 117 | +1. Under the **Basics** section, enter a name for your new policy and select Next. |
| 118 | +1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. |
| 119 | +1. Select the appropriate Scope tags or leave as Default. Then, select **Next**. |
| 120 | +1. Assign the devices to the policy and select **Next**. |
| 121 | +1. Review the policy and select **Create**. |
| 122 | + |
| 123 | +These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU). |
| 124 | + |
| 125 | +> [!NOTE] |
| 126 | +> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply. |
| 127 | + |
| 128 | +## Roll back a hotpatch update |
| 129 | + |
| 130 | +Automatic rollback of a Hotpatch update isn't supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart. |
| 131 | + |
| 132 | +## Monitoring and reporting |
| 133 | + |
| 134 | +After a Windows quality updates policy has been created with Hotpatch updates enabled, you can monitor results, hotpatch deployment status, and errors from the reports. |
| 135 | + |
| 136 | +### Hotpatch quality updates |
| 137 | + |
| 138 | +This report shows the total targeted devices and current update states of all Hotpatch update enabled devices. |
| 139 | + |
| 140 | +1. Sign in to the Microsoft [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). |
| 141 | + |
| 142 | +2. Select **Reports > Windows quality updates** under **Windows Autopatch** section. |
| 143 | + |
| 144 | +3. On the **Reports** tab, select **Hotpatch quality updates report**. |
| 145 | + |
| 146 | +## Windows quality update distribution |
| 147 | + |
| 148 | +This report shows the device distribution for different quality update releases. For Hotpatch applicable **Updates**, you can see both Hotpatch and standard quality update build numbers are displayed. Note that Hotpatch builds are lower numbered due to the inclusion of subset of fixes compared to standard builds. You can select **Devices on this update** column for each release to see a detailed list of devices and their corresponding updates. |
| 149 | + |
| 150 | +To go to the device, |
| 151 | + |
| 152 | +1. Sign in to the Microsoft [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). |
| 153 | + |
| 154 | +2. Select Reports > Windows updates. |
| 155 | + |
| 156 | +3. On the Reports tab, click on Windows quality update distribution report. |
| 157 | + |
| 158 | +Select **Update type** to select the quality update release. The **Build number** column on the Windows quality update distribution per feature version report shows you the Hotpatch and Standard builds. |
| 159 | + |