Hotpatching Now Available for 64-bit Arm Devices, Microsoft Brings Rebootless Security Updates to Windows 11 24H2

Written by Dave W. Shanahan

July 8, 2025

Microsoft has officially announced the general availability of hotpatching for Windows 11, version 24H2 Arm64 devices, marking a significant milestone in Windows update management. This improvement allows IT administrators to deliver critical security updates to Arm-based endpoints without requiring users to restart their devices—a feature previously limited to x64 (AMD/Intel) platforms.

What Is Hotpatching?

Hotpatching is a Windows update technology that applies security patches directly to the in-memory code of running processes. This means devices remain secure and productive, with minimal user disruption and no forced reboots for most updates. The technology has already demonstrated its value in the enterprise world, with millions of x64 devices benefiting from streamlined patch management and reduced downtime since its broader rollout in April 2025.

“With Hotpatch and the Autopatch feature updates, we have seen a more enhanced system with minimized downtime and streamlined patch management.”
— Pat Macfarlane, Senior Workstation Engineer, TriNet USA, Inc.

Why This Matters for Organizations Using Arm64 Devices

The expansion of hotpatching to Arm64 devices is a game-changer for organizations adopting the latest Windows on Arm hardware, including Surface and other OEM devices. Previously, Arm64 support was only available in public preview, but now, all eligible Windows 11 24H2 Arm64 devices can benefit from:

  • Immediate Security Compliance: Security updates take effect as soon as they are installed rather than at the next restart, shrinking the window between patch availability and actual protection.

  • No Downtime: Users stay productive—no more forced restarts or lost work due to update cycles.

  • Smaller Update Payloads: Updates are more efficient, with smaller downloads and faster installation.

  • Enterprise-Grade Control: Seamless integration with Microsoft Intune and Windows Autopatch for centralized management and reporting.

Prerequisites for Enabling Hotpatching on Arm64

To take advantage of hotpatching on Arm64 devices, organizations must ensure the following requirements are met:

  • Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later) with the current baseline update installed.

  • Eligible License: Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, or Windows 365 Enterprise.

  • Virtualization-Based Security (VBS) Enabled: VBS must be turned on for a device to receive hotpatch updates.

  • Disable Compiled Hybrid PE (CHPE): Arm64 devices must have CHPE disabled, as it is not compatible with hotpatching.

  • Device Management: Use Microsoft Intune to deploy and manage hotpatch policies.

How to Enable Hotpatching on Arm64 Devices

1. Disable CHPE

CHPE (Compiled Hybrid PE) is a compatibility layer used for x86 emulation on Arm64 devices. Hotpatching requires CHPE to be disabled. This can be done in two ways:

  • Via Microsoft Intune or Group Policy:
    Set the following CSP (Configuration Service Provider) policy:
    ./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1

  • Via Registry Key:
    Set the following REG_DWORD value to 1 and restart the device once:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1

Once CHPE is disabled and the device is rebooted, the system will be eligible for hotpatch updates.

2. Enroll Devices in a Hotpatch-Enabled Quality Update Policy

  • Go to the Microsoft Intune admin center.

  • Navigate to Devices > Windows updates > Quality updates.

  • Create or edit a Windows quality update policy.

  • Under Automatic update deployment settings, set “When available, apply without restarting the device” to Allow.

  • Assign the policy to your Arm64 device group.
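The two steps above are a GUI procedure plus one registry change, so there is nothing on a device that tells you in one place whether it is actually eligible. The following PowerShell script is an added example written for this article; it is not Microsoft's code and not part of the original post. It checks each prerequisite listed above (Arm64 architecture, minimum build 26100.2033, an Enterprise or Education edition, VBS running, CHPE disabled) and stages the registry-based CHPE change from step 1 behind -WhatIf. Assumptions: HotPatchRestrictions is a REG_DWORD (the article gives only the name and value); VBS state is read from the Win32_DeviceGuard WMI class, where 2 means running; the edition check is a local approximation, since the actual E3/E5/A3/A5 licence entitlement is evaluated by Intune and Autopatch, not on the device.

```powershell
# Added example (not from the article or from Microsoft): pre-flight check for the
# Arm64 hotpatch prerequisites, plus the registry-based CHPE disable from step 1.
# Assumptions: HotPatchRestrictions is a REG_DWORD; VBS status comes from the
# Win32_DeviceGuard class (2 = running); minimum build taken from the article.
#Requires -RunAsAdministrator

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$MinBuild   = 26100   # Windows 11 24H2
$MinUbr     = 2033    # 26100.2033 or later, per the prerequisites above

function Test-HotpatchPrereqs {
    # Emits one object per prerequisite with a Pass flag and the observed value.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $arch  = $env:PROCESSOR_ARCHITECTURE          # 'ARM64' on Windows on Arm

    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # HotPatchRestrictions = 1 is the CHPE-disable switch described in step 1.
    $hp = (Get-ItemProperty -Path $MemMgmtKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue).HotPatchRestrictions
    $chpeDisabled = ($hp -eq 1)

    # Local approximation only: licence entitlement (E3/E5/A3/A5 etc.) is checked by Intune/Autopatch.
    $edition = $cv.EditionID

    [pscustomobject]@{ Check = 'Architecture is ARM64';       Pass = ($arch -eq 'ARM64');                    Observed = $arch }
    [pscustomobject]@{ Check = "Build >= $MinBuild.$MinUbr";  Pass = (($build -gt $MinBuild) -or ($build -eq $MinBuild -and $ubr -ge $MinUbr)); Observed = "$build.$ubr" }
    [pscustomobject]@{ Check = 'Enterprise/Education edition'; Pass = ($edition -in 'Enterprise','Education'); Observed = $edition }
    [pscustomobject]@{ Check = 'VBS running';                 Pass = $vbsRunning;                             Observed = $dg.VirtualizationBasedSecurityStatus }
    [pscustomobject]@{ Check = 'CHPE disabled (HotPatchRestrictions=1)'; Pass = $chpeDisabled;               Observed = $hp }
}

function Disable-CHPE {
    # Writes the step-1 registry value. Supports -WhatIf so it can be dry-run in change control.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set HotPatchRestrictions=1 (disables CHPE; one restart required)')) {
        New-ItemProperty -Path $MemMgmtKey -Name HotPatchRestrictions -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning 'CHPE disable staged. Restart the device once before expecting hotpatch updates.'
    }
}

$results = Test-HotpatchPrereqs
$results | Format-Table -AutoSize

# Only the CHPE switch can be fixed locally; the other failures need a different build, VBS policy or hardware.
if (-not ($results | Where-Object Check -like 'CHPE*').Pass) {
    Disable-CHPE -WhatIf   # drop -WhatIf to apply the change
}
```

Run it in an elevated PowerShell session on a candidate Arm64 device before assigning the Intune policy; a device that passes every row except the CHPE one is ready as soon as the registry value is set and the device has restarted, whereas a device with VBS not running will not be offered hotpatch updates regardless of the policy assignment.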

What Happens When CHPE Is Disabled?

  • Hotpatch Updates Offered: Eligible Arm64 devices enrolled in the policy will now receive hotpatch updates.

  • Continued x86 App Support: Devices can still run x86 applications, but they are emulated in full rather than using CHPE's precompiled hybrid system binaries, so performance may vary depending on workload.

  • Performance Considerations: Disabling CHPE may impact performance for certain workloads. Microsoft recommends validating the change in your environment before broad deployment.

Best Practices

  • Test Before Broad Deployment: Validate application compatibility and performance after disabling CHPE.

  • Monitor Update Status: Use Microsoft Intune and Windows Autopatch reporting features to track device compliance and update status.

  • Quarterly Baseline Updates: While hotpatching reduces the need for restarts, devices still require a full baseline update (with a restart) at the start of each quarter to remain eligible for hotpatching.

  • Licensing and Hardware Eligibility: Ensure all endpoints meet the OS, hardware, and licensing requirements for hotpatching.

  • Fallback to Standard Updates: Organizations can switch back to standard monthly updates at any time if needed.

How Hotpatching Compares to Traditional Updates

Feature                  Hotpatching                        Traditional Updates
Reboot required          No (except quarterly baseline)     Yes (for most security updates)
Update payload size      Smaller, security-focused          Larger, includes features/fixes
User disruption          Minimal                            Moderate to high
Compliance speed         Immediate                          Delayed until reboot
Management integration   Intune, Autopatch                  Intune, WSUS, SCCM

The general availability of hotpatching for Windows 11 24H2 Arm64 devices marks a pivotal advancement for organizations seeking to maximize uptime and minimize user disruption. By enabling in-memory security updates without reboots, Microsoft empowers IT teams to maintain robust security postures while keeping productivity high. As more organizations embrace Arm-based hardware, hotpatching will be a key differentiator in modern endpoint management strategies.


I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows 11, Xbox, Microsoft 365 Copilot, Azure, and more. After OnMSFT.com closed, I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can find me on Twitter @Dav3Shanahan or email me at davewshanahan@gmail.com.
