Introduction

In today's rapidly evolving cybersecurity landscape, maintaining system security without disrupting operations is paramount. Microsoft addresses this challenge with the release of KB5061258 (Build 26100.3983) for Windows 11 LTSC 2024, introducing the Hotpatch feature to enhance security while minimizing downtime.

Understanding Hotpatching

Hotpatching is a technology that allows security updates to be applied to a running system without requiring a reboot. This method patches the in-memory code of running processes, ensuring immediate protection against vulnerabilities without interrupting user activities. Initially implemented in Windows Server environments, Microsoft has now extended this capability to Windows 11 Enterprise clients.

Benefits of Hotpatching

  • Immediate Protection: Security updates take effect immediately upon installation, reducing the window of exposure to potential threats.
  • Reduced Downtime: By eliminating the need for system reboots, user productivity remains uninterrupted.
  • Consistent Security: Devices receive the same level of security patching as traditional updates, ensuring comprehensive protection.

Implementation in Windows 11 LTSC 2024

With the release of KB5061258, Windows 11 LTSC 2024 users can now leverage Hotpatching. The update follows a structured quarterly cycle:

  1. Baseline Month (January, April, July, October): Devices install the standard cumulative security update, which includes the latest security fixes, features, and enhancements. A system restart is required.
  2. Subsequent Two Months: Devices receive Hotpatch updates containing only security fixes. These updates are applied without necessitating a restart.

This cycle reduces the number of required restarts from twelve to four per year, enhancing system availability and user experience.

Technical Requirements

To utilize Hotpatching, the following prerequisites must be met:

  • Operating System: Windows 11 Enterprise, version 24H2 (Build 26100.2033 or later).
  • Subscription: A Microsoft subscription that includes Windows 11 Enterprise E3, E5, or F3; Windows 11 Education A3 or A5; or a Windows 365 Enterprise subscription.
  • Management Tool: Microsoft Intune to manage deployment of Hotpatch updates.
  • Hardware: Devices with x64 CPUs (AMD64 or Intel). Arm64 devices are currently in public preview.
  • Security Features: Virtualization-based Security (VBS) enabled.

For Arm64 devices, an additional registry key must be set to disable CHPE support:

CODEBLOCK0

A system restart is required after setting this key.

Deployment Process

Administrators can enable Hotpatching through the Microsoft Intune admin center:

  1. Navigate to Devices > Windows updates > Create Windows quality update policy.
  2. Toggle the policy to Allow.

The Windows quality update policy can auto-detect if targeted devices are eligible for Hotpatch updates. Devices running Windows 10 and earlier versions of Windows 11 will continue to receive standard monthly security updates.

Implications for IT Management

The introduction of Hotpatching in Windows 11 LTSC 2024 offers several advantages for IT professionals:

  • Enhanced Security Posture: Immediate application of security patches reduces the risk of exploitation.
  • Operational Efficiency: Minimizing system reboots leads to higher uptime and productivity.
  • Simplified Compliance: Regular, non-disruptive updates assist in meeting regulatory requirements for system security.

Conclusion

The release of KB5061258 and the integration of Hotpatching into Windows 11 LTSC 2024 mark a significant advancement in balancing robust security with operational continuity. Organizations are encouraged to adopt this feature to maintain a strong security posture while ensuring minimal disruption to their operations.