Thursday, April 3rd 2025

Forget Reboots, Live Patches are Coming to Windows 11 Enterprise Clients
Microsoft is introducing live patch updates for Windows 11 Enterprise, version 24H2, that allow critical security fixes to be applied without interrupting users. These updates, known as hotpatches, are available for x64 devices running on AMD or Intel CPUs. Hotpatch updates are designed to install quickly and take effect immediately. Unlike standard monthly security updates that require a system restart, hotpatch updates provide instant protection against vulnerabilities while allowing users to continue working. This new process can reduce the number of restarts from twelve per year to just four. The update schedule follows a quarterly cycle. In January, April, July, and October, devices install a complete security update with new features and fixes that do require a restart. In the two months that follow each of these baseline updates, devices receive hotpatch updates that only include security fixes and do not need a reboot. This approach ensures that essential protections are applied quickly without impacting daily work.
To use hotpatch updates, organizations need a Microsoft subscription that includes Windows 11 Enterprise (or Windows 365 Enterprise) and devices running build 26100.2033 or later. These devices must also be managed using Microsoft Intune, where IT administrators can set up a hotpatch-enabled quality update policy. The Intune admin center automatically detects eligible devices and manages the update process. Hotpatch updates are currently available on Intel and AMD-powered devices. For Arm64 devices, hotpatch updates are still in public preview and require an extra configuration step: disabling CHPE support via a registry key or the upcoming DisableCHPE CSP. This update system represents a more efficient way to secure Windows client devices. By minimizing the need for restarts and delivering updates in a predictable, quarterly cycle, Microsoft aims to help organizations protect their systems with minimal disruption. We expect these live patches to trickle down to more Windows 11 versions, like Home and Pro editions.
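The eligibility rules and the quarterly cadence described above, as an added readiness check that is not part of the original article or of Microsoft's tooling: it evaluates a constructed device inventory against the stated requirements (Enterprise edition, build 26100.2033 or later, Intune management, x64 generally available, Arm64 preview only with CHPE disabled) and reports which months bring a restart-requiring baseline versus a restart-free hotpatch. The `Device` record fields are assumptions standing in for whatever an inventory export provides.

```python
from dataclasses import dataclass

MIN_HOTPATCH_BUILD = (26100, 2033)   # article: build 26100.2033 or later
BASELINE_MONTHS = {1, 4, 7, 10}      # quarterly baseline updates that require a restart


@dataclass
class Device:
    """Assumed inventory record; field names are illustrative, not an Intune schema."""
    name: str
    edition: str          # e.g. "Enterprise" or "Pro"
    build: str            # e.g. "26100.2033" (OS build.UBR)
    arch: str             # "x64" or "arm64"
    intune_managed: bool
    chpe_disabled: bool = False   # only relevant for the Arm64 public preview


def parse_build(build: str) -> tuple[int, int]:
    major, _, ubr = build.partition(".")
    return int(major), int(ubr or 0)


def hotpatch_eligibility(d: Device) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) according to the requirements in the article."""
    reasons = []
    if d.edition not in ("Enterprise", "Windows 365 Enterprise"):
        reasons.append("requires Windows 11 Enterprise or Windows 365 Enterprise")
    if parse_build(d.build) < MIN_HOTPATCH_BUILD:
        reasons.append(f"build {d.build} is older than 26100.2033")
    if not d.intune_managed:
        reasons.append("must be Intune-managed with a hotpatch-enabled quality update policy")
    arch = d.arch.lower()
    if arch == "arm64" and not d.chpe_disabled:
        reasons.append("Arm64 (public preview) needs CHPE disabled via registry key or DisableCHPE CSP")
    elif arch not in ("x64", "arm64"):
        reasons.append(f"unsupported architecture {d.arch}")
    return (not reasons, reasons)


def update_kind(month: int) -> str:
    """Jan/Apr/Jul/Oct install the full baseline; the next two months get hotpatches."""
    return "baseline (restart required)" if month in BASELINE_MONTHS else "hotpatch (no restart)"


def restarts_per_year(eligible: bool) -> int:
    return len(BASELINE_MONTHS) if eligible else 12   # four baselines vs. twelve monthly restarts


# Constructed sample inventory, not real devices
SAMPLE = [
    Device("lt-001", "Enterprise", "26100.2033", "x64", True),
    Device("lt-002", "Pro", "26100.2033", "x64", True),
    Device("lt-003", "Enterprise", "26100.1000", "x64", True),
    Device("lt-004", "Enterprise", "26100.2033", "arm64", True),
]
```

Running `hotpatch_eligibility` over `SAMPLE` flags the Pro device, the older build and the Arm64 device that still has CHPE enabled, while `update_kind` tells you whether a given month's update will need a restart window.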
Source: Windows IT Pro Blog
24 Comments on Forget Reboots, Live Patches are Coming to Windows 11 Enterprise Clients
Please M$, don't take away my 12x mandatory reboots per year, I love them soooooooo much I can barely wait for the next one to come along.........
n.O.t......
/s
The system, and any running applications, would be using the "patched" binaries after a live patch, no differently than it would post restarting from a cold patch.
Not exactly the same thing (considering how differently they run), but you can check this: en.wikipedia.org/wiki/Kpatch#Internals This does imply that patches that require restart will be deferred up to 3 months, which goes against the whole "better security" thing.
Sure, they'd release critical patches immediately, but that still leaves the less-than-critical ones. And if the latter were unimportant enough to wait months, why wouldn't they be unimportant enough to wait 24 hours (given how they force every computer to restart to finish updates these days)?
Yes. I'm just trivialising this because it's Microsoft. Sue me. :cool:
Yesterday I initialised a refurbished notebook with an official Microsoft refurbished Windows 11 Pro 24H2 license. Lots of issues with a 4.5 year old notebook.
Marketing news piece - vs real life scenario.
en.wikipedia.org/wiki/Delta_update
The article states that MS has used this since XP, but considering every Win11 monthly roll-up is 700MB+ I doubt there are 700MB+ worth of changes every month.
This would save a massive amount of resources if properly implemented in terms of bandwidth, disk space etc.
But since this is MS they'll probably just add more emojis, because who cares about how long it takes to do the updates.
Windows 11 is just shite though, basically a downgrade to 10 so far & not looking forward to their end of support.
Windows simply does not do "driver timeouts on background pics changes", it even sounds insane.
If you do a clean install without literally anything else but the latest official drivers and funky crap still happens, then you either have failing hardware or you have that one 0.01% specific combination of it which could not be tested (since no one tests for 0.01%).