Hotpatch (Windows 11 Enterprise)
Hotpatch is a Microsoft Windows 11 Enterprise feature that installs monthly security updates without restarting the device. The reboot-required quarterly baseline updates still happen on schedule, but the months in between get their security fixes through hotpatches that apply live to running processes.
For a fleet where uptime matters, hotpatch cuts patch-related downtime by roughly two thirds. TridentStack Control surfaces hotpatch readiness on every Windows agent so you can see at a glance which endpoints can take advantage of it, and which ones still have a prerequisite to fix.
When to read this guide
You are reading this guide because TridentStack Control showed you a "Hotpatch Ready" status on one or more of your endpoints. This page explains how to:
- Confirm the endpoint meets every Microsoft prerequisite (TridentStack Control checks this automatically).
- Configure a hotpatch-enabled quality update policy in Microsoft Intune so Windows actually starts installing hotpatches.
- Verify that hotpatches are being delivered.
If you are running Windows 11 Pro or Home, this guide does not apply. Microsoft ships hotpatch as an Enterprise / Education / IoT Enterprise feature only. The Hotpatch Ready badge on TridentStack Control will show "Not eligible (edition)" on those endpoints, and there is no third-party tool that can change that.
How Microsoft delivers hotpatches
Hotpatch is part of Microsoft's Windows Update for Business (WUfB) delivery channel. It is not available through the standard Microsoft Update Catalog, WSUS, or any offline download. Delivery requires:
- A Microsoft Entra ID tenant (the free tier is sufficient).
- The device joined to that Entra tenant (or Entra-hybrid-joined).
- The device enrolled in Microsoft Intune or co-managed via Configuration Manager.
- An eligible Windows 11 Enterprise license per endpoint.
- A WUfB quality update policy assigned to the device that has hotpatch enabled.
When all of the above are in place, Windows automatically downloads and installs each month's hotpatch in the background as soon as Microsoft publishes it. The device keeps running. There is no install action to schedule, no maintenance window to negotiate, no reboot to coordinate.
Prerequisites
TridentStack Control reads each of these signals from the agent's telemetry and shows the first failing check on the Hotpatch Ready row of the agent's System State tab. The five prerequisites in the order Microsoft enforces them are:
1. Edition
The device must be running one of the following Windows 11 editions:
- Enterprise
- Enterprise N
- Enterprise S (LTSC)
- Enterprise SN (LTSC N)
- Education
- Education N
- IoT Enterprise
- IoT Enterprise S (LTSC)
Pro, Home, and Server editions are not eligible. This is a Microsoft licensing constraint enforced by Windows itself at install time; no patch management tool can bypass it.
To check the edition on a single device locally, open Settings → System → About and look at the "Edition" line. The TridentStack Control System State tab also shows the edition.
2. Build
The device must be running Windows 11, version 24H2 or 25H2, at or above the current hotpatch baseline build:
- 24H2: OS build 26100.4929 or later
- 25H2: OS build 26200.4929 or later
Older feature versions (23H2 and earlier) do not support hotpatch, and devices below the baseline build need the latest quarterly cumulative update installed before hotpatches will apply.
If the device is below the baseline, install the latest standard cumulative update through your existing TridentStack Control patch policy first. Once the device reports a build at or above the baseline, hotpatch becomes available.
3. Virtualization-Based Security (VBS)
VBS must be enabled. Hotpatching modifies running kernel code, and Microsoft requires the kernel to be running in a VBS-protected environment so the patched code can be verified.
To enable VBS:
- Open Windows Security on the device.
- Go to Device security → Core isolation.
- Turn Memory integrity on.
- Restart the device.
After the restart, VBS will be running. TridentStack Control's Hotpatch Ready row will refresh on the next agent telemetry collection and show this prerequisite as passing.
If the toggle is greyed out, the device's CPU is missing virtualization features in BIOS/UEFI. Enable Intel VT-x / AMD-V and SLAT in firmware, then try again.
4. Microsoft Entra join
The device must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-only and on-premises Active-Directory-only devices cannot receive hotpatches because WUfB delivery requires an Entra identity.
To check the join state, run on the device:
dsregcmd /status
Look for AzureAdJoined : YES or both AzureAdJoined : YES and DomainJoined : YES (hybrid).
To Entra-join a device:
- On the device, open Settings → Accounts → Access work or school.
- Click Connect and sign in with an Entra account that has device-join rights.
- Choose Join this device to Microsoft Entra ID.
For hybrid join at scale, configure Microsoft Entra Connect on your on-premises Active Directory.
5. Intune enrollment with a hotpatch-enabled policy
The device must be enrolled in Microsoft Intune (or co-managed via Configuration Manager) with a Windows quality update policy that has hotpatch enabled and is targeted at this device.
Enrollment alone is not enough. The policy must exist, have hotpatch turned on, and have this device's Entra group as a target. The next section walks through creating that policy.
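To check the same five prerequisites locally before relying on the badge, the following PowerShell script is an added example (not TridentStack Control's own code or Microsoft's). It reads the edition, build and VBS state from the registry and WMI, parses dsregcmd /status for the join state, and looks for an Intune MDM enrollment in the registry; the baseline build numbers are the ones listed above, and the assumption that Intune enrollments carry ProviderID "MS DM Server" is mine.

```powershell
# Added example: local check of the five hotpatch prerequisites (run as Administrator).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$eligibleEditions = 'Enterprise','EnterpriseN','EnterpriseS','EnterpriseSN',
                    'Education','EducationN','IoTEnterprise','IoTEnterpriseS'
# Hotpatch baseline builds from the prerequisites above (build number -> minimum UBR).
$baseline = @{ 26100 = 4929; 26200 = 4929 }

$results = [ordered]@{}

# 1. Edition: EditionID must be one of the eligible Enterprise/Education/IoT SKUs
$results['edition'] = $eligibleEditions -contains $cv.EditionID

# 2. Build: feature version 24H2 (26100) or 25H2 (26200), at or above the baseline UBR
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$results['build'] = $baseline.ContainsKey($build) -and ($ubr -ge $baseline[$build])

# 3. VBS: Win32_DeviceGuard reports VirtualizationBasedSecurityStatus 2 when VBS is running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results['vbs'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# 4. Entra join: dsregcmd /status must report AzureAdJoined : YES (hybrid also shows DomainJoined : YES)
$dsreg = dsregcmd /status
$results['entra_join'] = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# 5. MDM: an enrollment whose provider is Intune (assumed ProviderID value "MS DM Server")
$mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
       ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
       Where-Object { $_.ProviderID -eq 'MS DM Server' }
$results['mdm'] = [bool]$mdm

# Report each check, then the first failing one (the same one the Hotpatch Ready row surfaces)
$results.GetEnumerator() | ForEach-Object {
    '{0,-12} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
$firstFail = ($results.GetEnumerator() | Where-Object { -not $_.Value } | Select-Object -First 1).Key
if ($firstFail) { "Not eligible ($firstFail)" } else { "Eligible: $($cv.EditionID) $build.$ubr" }
```

The check names match the badge suffixes in the table further down, so the script's last line reads the same as the TridentStack Control badge would.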
Step-by-step: enabling hotpatch in Microsoft Intune
These steps assume you already have an Intune tenant and the devices you want hotpatched are enrolled. If you are still rolling Intune out, complete enrollment first.
Step 1: Create an Entra group for hotpatch-eligible devices
A dedicated group makes targeting and rollout control simpler than scattering device IDs across multiple policies.
- Sign in to the Microsoft Intune admin center with an account that has at least the Intune Administrator role.
- Go to Groups → All groups → New group.
- Choose Group type: Security.
- Name the group something like Hotpatch Eligible Devices.
- Set Membership type to Dynamic Device (recommended) or Assigned if you want manual control.
- For dynamic membership, use a rule that selects only eligible devices, for example:
  (device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0.26100") -and (device.deviceManagementAppId -ne null)
  Adjust the build prefix for your target version (10.0.26100 for 24H2, 10.0.26200 for 25H2). Note that the Entra rule syntax uses the bare literal null, not PowerShell's $null.
- Click Create. Allow a few minutes for the dynamic rule to populate membership.
Step 2: Create the quality update policy
- In the Intune admin center, go to Devices → Manage updates → Windows updates.
- Open the Quality updates tab.
- Click Create profile → Windows quality update policy.
- Give it a name like Hotpatch Enabled - Win 11 Enterprise and a description noting it is the hotpatch-enabled policy.
- Continue to the Update settings page.
- Under Update approach, set:
  - Update approach: Hotpatch
  - Quality update deferral period (days): 0 for fastest delivery, or higher if you want a deferred window for testing.
  Note: The "Hotpatch" option appears only when Microsoft has detected your tenant is eligible. If you do not see it, confirm your Intune licensing includes the Windows 11 Enterprise SKU and that your tenant region is supported.
- Leave other settings at defaults unless you have a specific reason to change them.
- Continue to Scope tags, Assignments, and Review + create.
Step 3: Assign the policy
- On the Assignments page of the policy you just created, click Add groups.
- Select the Hotpatch Eligible Devices group from Step 1.
- Click Select, then Next, then Create.
Devices in the group will start receiving the policy on their next WUfB sync cycle (typically within an hour). On the next monthly hotpatch release from Microsoft, Windows will download and install the hotpatch automatically.
Step 4: Confirm in Intune
Back on the policy's overview page, the Device check-in status counters update as devices receive and acknowledge the policy. A successful assignment shows the count under Succeeded matching your group membership.
If you see devices stuck in Pending or Failed for more than a few hours, click into the row for per-device error detail. The most common causes are:
- Device hasn't synced with Intune recently. Force a sync via Settings → Accounts → Access work or school → Info → Sync on the device.
- Device hasn't yet rebooted after enabling VBS. Hotpatch requires VBS running, not just configured.
- Device hasn't yet installed the current baseline cumulative update. Install it through your existing patch policy first.
Step 5: Confirm in TridentStack Control
On the agent's detail page, open the System State tab and find the Hotpatch Ready row. A green Eligible badge means TridentStack Control sees the device meeting every prerequisite. The first hotpatch will install on the next monthly Microsoft release; you do not need to take any further action.
For deeper verification on the device itself, open Settings → Windows Update → Update history. Hotpatches appear with titles like "May 12, 2026—Hotpatch KB5089466 (OS Build 26100.8390)" and do not include the "Restart now" prompt that standard cumulative updates do.
What you'll see on each agent
The Hotpatch Ready row on the System State tab summarizes the state for each Windows agent:
| Badge | What it means | Action |
|---|---|---|
| Eligible (green) | All five Microsoft prerequisites pass. If you have configured the Intune policy in Step 2, this device is receiving hotpatches. | None needed once Intune policy is configured. |
| Not eligible (edition) | Device is running Pro, Home, or another non-Enterprise SKU. | Upgrade the device's Windows license to Enterprise / Education / E3 / E5 / F3. |
| Not eligible (build) | Device is on an unsupported feature version or below the hotpatch baseline build. | Install the current quarterly cumulative update through TridentStack Control. |
| Not eligible (vbs) | Virtualization-Based Security is not enabled. | Enable Memory integrity in Windows Security as described in Prerequisite 3. |
| Not eligible (entra_join) | Device is not Microsoft Entra joined. | Entra-join the device as described in Prerequisite 4. |
| Not eligible (mdm) | Device is not enrolled in Microsoft Intune (or its MDM provider is not Intune). | Enroll the device in Intune. |
Click the (i) info icon next to the row label for a quick recap of the prerequisites without leaving the page.
Troubleshooting
The "Hotpatch" option doesn't appear in Intune
The hotpatch update approach only appears for tenants Microsoft has flagged as eligible. Check:
- Tenant licensing includes Windows 11 Enterprise E3 / E5 (or one of the eligible Microsoft 365 / Microsoft 365 Education plans).
- Tenant region is one of the regions where hotpatch is generally available.
- You are creating a Windows quality update policy, not a feature update policy or an expedited update.
If all three are true and the option is still missing, contact Microsoft support; the issue is on the Intune side and TridentStack Control cannot affect it.
A device shows Eligible but isn't receiving hotpatches
Eligible means every prerequisite passes. It does not guarantee the Intune policy is assigned to the device. Check:
- On the policy's Assignments page in Intune, confirm the device's group is listed and the device is a member.
- On the device, run gpupdate /force to refresh policy.
- In TridentStack Control's agent history view, check whether any hotpatches have been recorded under "Installed Updates" in the System State tab.
If the agent has been online for over 24 hours after policy assignment and no hotpatches have appeared, the issue is almost always a stale Intune sync. Open Settings → Accounts → Access work or school → Info → Sync on the device to force a refresh.
A hotpatch failed to install
Hotpatch install failures appear in the device's Windows Update history with an error code. Common ones:
- 0x80070003 — required baseline cumulative update is missing. Install the current quarterly cumulative.
- 0x800f0922 — pre-flight check failure (this is what Servicing Health catches in advance). Fix the underlying servicing issue.
- 0x80240438 — VBS was not running at install time. Confirm Memory integrity is on and the device has rebooted since enabling it.
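As an added example (not TridentStack Control's or Microsoft's code), this PowerShell snippet lists hotpatch entries from the device's own Windows Update history through the Windows Update Agent COM API. It serves both Step 5's verification and the failure codes above: each entry is shown with its result and HResult in hex, so a failed hotpatch can be compared directly against 0x80070003, 0x800f0922 and 0x80240438.

```powershell
# Added example: list hotpatch entries from local Windows Update history with their HResult.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# OperationResultCode values from the WUA API
$resultNames = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Hotpatch entries carry "Hotpatch" in their title (e.g. "... Hotpatch KB... (OS Build ...)")
$hotpatches = foreach ($entry in $history) {
    if ($entry.Title -notmatch 'Hotpatch') { continue }
    [pscustomobject]@{
        Date    = $entry.Date
        Title   = $entry.Title
        Result  = $resultNames[[int]$entry.ResultCode]
        HResult = ('0x{0:X8}' -f $entry.HResult)   # e.g. 0x80070003 for a missing baseline
    }
}

if (-not $hotpatches) {
    'No hotpatch entries in Windows Update history yet.'
} else {
    $hotpatches | Sort-Object Date -Descending | Format-Table -AutoSize
    # Anything other than Succeeded is worth reading against the error codes listed above
    $hotpatches | Where-Object { $_.Result -ne 'Succeeded' } |
        ForEach-Object { "NOT SUCCEEDED: $($_.Title) -> $($_.HResult)" }
}
```

An empty result on a device that has been Eligible and policy-assigned for more than a day points to the stale Intune sync described in the previous troubleshooting entry.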
Related pages
- System State for the full agent telemetry view that includes the Hotpatch Ready row.
- System Updates for the broader cumulative update flow that delivers the quarterly baselines hotpatches build on.
- Deployment Rings for phasing baseline updates across your fleet.
External references
- Microsoft: Hotpatch updates with Windows Autopatch — Microsoft's authoritative documentation for hotpatch, including the current baseline build numbers and a list of supported product SKUs.
- Microsoft: KB5089466 (May 2026 hotpatch example) — sample of what a monthly hotpatch KB article looks like, listing CVEs addressed.