Windows IT Pro Blog:
Hotpatching is now generally available for your Windows 11, version 24H2 ARM64 devices. More client devices can now experience the power of security updates that don't require a restart!
Since general availability on x64 (AMD/Intel) CPU devices in April 2025, hotpatch adoption continues to grow rapidly. Millions of devices and thousands of customers have been receiving updates during hotpatch release months. Thanks to those of you who have already tried hotpatching and are now enabling it across the majority of your fleets. Your overwhelmingly positive feedback highlights the strong confidence in the value it delivers:
With Hotpatch and the Autopatch feature updates, we have seen a more enhanced system with minimized downtime and streamlined patch management.
--Pat Macfarlane, Senior Workstation Engineer, TriNet USA, Inc.
Now, your devices with 64-bit ARM architecture can get the same benefits of faster rollouts and less disruptive updates.
Secure smarter. Patch faster. Restart less.
With hotpatching now generally available for 64-bit ARM architecture, there's never been a better time to modernize your update strategy. Your organization will benefit from:
- Faster compliance: Security updates are applied immediately, reducing the window of vulnerability.
- No downtime: Users stay productive—no forced restarts or interruptions.
- Smaller update payloads: Faster installs and easier update orchestration.
- Enterprise-grade control: Integrated with Microsoft Intune and Windows Autopatch for streamlined management.
All you need to do is check your prerequisites, disable Compiled Hybrid PE (CHPE), and enroll these devices into a quality update policy with hotpatching enabled. See below for technical details.
Technical guide: Get your ARM64 devices hotpatch ready
Hotpatching is a Windows update technology that allows you to apply security updates without requiring a restart. It works by updating in-memory code while the system is running, ensuring that devices stay secure and productive with minimal disruption.
Make sure you check off the prerequisites below to enable hotpatching on ARM64 devices.
For prerequisites, you will need:
- Devices running Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) with the current baseline update installed
- Microsoft Intune for managing the deployment of hotpatch updates with a hotpatch-enabled Windows quality update policy (see “How to enroll devices in hotpatching” below)
- One of the eligible licenses: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise
- Virtualization-based security (VBS) enabled
- Disabled Compiled Hybrid PE (CHPE)—a unique prerequisite for ARM64 devices
One-time setup: Disable CHPE to enable hotpatch on ARM64
To enable hotpatching on ARM64 devices, you must also disable CHPE. CHPE is a compatibility layer that's not compatible with hotpatch updates. The good news? It's easy to disable with a CSP setting or a registry key.
- Use the DisableCHPE policy. Apply the following configuration service provider (CSP) setting via Microsoft Intune or Group Policy, then restart the device once. Learn more at System Policy CSP.
./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1
Select the “CHPE Binaries Disabled” option from the “Disabled CHPE” CSP in the Settings catalog.
- Use registry keys. You can also set the following registry key value to 1 and then restart the device once:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1
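A local readiness audit for the device-side prerequisites and the CHPE registry value described above. This is an added example, not Microsoft's tooling: the `-DisableChpe` switch, the report field names, and the DWORD value type are assumptions, and licensing and Intune policy enrollment cannot be checked locally, so they are not covered.

```powershell
#Requires -RunAsAdministrator
# Added example: audits one device against the ARM64 hotpatch prerequisites.
param(
    [switch]$DisableChpe   # hypothetical switch: also write HotPatchRestrictions = 1
)

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Prerequisite: Build 26100.2033 or later (CurrentBuildNumber.UBR in the registry).
$build    = [version]::new(10, 0, [int]$cv.CurrentBuildNumber, [int]$cv.UBR)
$minBuild = [version]'10.0.26100.2033'

# Win32_Processor.Architecture: 9 = x64, 12 = ARM64.
$arch = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running,
# 2 = enabled and running.
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbs = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null }

if ($DisableChpe) {
    # Assumption: the value is a DWORD; the article only says "set to 1".
    Set-ItemProperty -Path $mmKey -Name HotPatchRestrictions -Value 1 -Type DWord
}

# A missing value is reported as "CHPE not disabled".
$chpe = (Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions `
             -ErrorAction SilentlyContinue).HotPatchRestrictions

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = '{0}.{1}' -f $build.Build, $build.Revision
    BuildOk      = $build -ge $minBuild
    IsArm64      = $arch -eq 12
    VbsStatus    = $vbs
    VbsRunning   = $vbs -eq 2
    ChpeDisabled = $chpe -eq 1
}

if ($DisableChpe) {
    Write-Warning 'Restart the device once for the CHPE change to take effect.'
}
```

Run it without the switch to audit only; the object it emits can be piped to `Export-Csv` when collecting results across a device group.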
What will disabling CHPE do?
CHPE was originally used to support x86 emulation, but you must turn it off so that hotpatch updates apply correctly.
Here's what happens when you disable CHPE:
- You will be offered hotpatch updates on your eligible and enrolled ARM64 machines.
- You can still run x86 applications in emulation mode on ARM64. Note: This doesn't mean that every application needs to be compiled for ARM64.
- There might be performance differences depending on your workload and environment.
How to enroll your ARM64 devices in hotpatching
Please enroll devices into hotpatching now to benefit from it as soon as the next hotpatch release month.
- Go to the Microsoft Intune admin center.
- Navigate to Devices > Windows updates > Quality updates.
- If you're creating a new policy, select Create Windows quality update policy. To edit an existing policy, select it from the list under Name. On the following screen, select Edit next to Settings.
- Next to Automatic update deployment settings, ensure that the option “When available, apply without restarting the device” is set to Allow.
- Assign the policy to your ARM64 device group.
[Screenshot: Create a new policy to enroll in hotpatch.]
Edit an existing quality policy to enable hotpatch updates:
[Screenshot: Edit an existing policy to enroll in hotpatch.]
See the full guide at Enroll devices to receive hotpatch updates.
Additional resources to help your organization make the most of hotpatch updates:
- Hotpatch for client: Frequently asked questions
- Official announcement: Hotpatch for Windows client now available
- Technical documentation, including prerequisites, enrollment instructions, and troubleshooting: Hotpatch updates
- Windows 11, version 24H2 Enterprise hotpatch calendar: Windows 11 hotpatch calendar
- Monthly update contents: Release notes for hotpatch public preview on Windows 11, version 24H2 Enterprise clients
- User readiness information to share with people at your organization: Understanding security updates that get installed without a restart
- Per-policy level view of the current update statuses: Hotpatch quality update report
- Technical demo: The hottest way to update Windows 11 and Windows Server 2025
Source:
Hotpatching now available for 64-bit ARM architecture - Windows IT Pro Blog
