Windows Release Notes
Last updated: Apr 6, 2026
- Apr 6, 2026
- Date parsed from source: Apr 6, 2026
- First seen by Releasebot: Apr 6, 2026
How hotpatch updates help keep Windows secure by design
Windows expands hotpatch updates in Windows 11, with Windows Autopatch set to enable them by default for eligible devices in May 2026. The change aims to strengthen security by design, reduce restarts and downtime, and improve patch compliance with existing update controls intact.
Windows hotpatch updates allow you to adopt a secure-by-design and secure-by-default approach to keeping Windows 11 protected and productive. The security architecture advantage behind hotpatch updates helps you support continuous protection, accelerate patch compliance, and reduce operational disruption. And since hotpatch updates will be enabled by default across Windows Autopatch for eligible devices in May 2026, you might wonder how this makes your environment even more secure by default.
How hotpatch updates reflect Windows security by design
In Microsoft's overarching security-by-design philosophy, security comes first when designing any product or service. Hotpatch updates embody this philosophy.
These are the same security fixes that are part of monthly security updates (also known as “B” releases). The distinction is that they get installed without requiring a restart. Hotpatch updates help you:
- Reduce downtime for frontline devices, VDI sessions, IT-managed shared PCs, and high uptime systems.
- Shrink your vulnerability window (i.e., the time between patch availability and full deployment).
- Improve update compliance rates automatically.
Note: Hotpatch updates only apply to devices that meet the prerequisites and receive updates managed by Windows Autopatch. Otherwise, no action is needed. Ineligible devices continue to patch the same way they do today.
How hotpatch update prerequisites strengthen your security baseline
Hotpatch update readiness is built on Windows security capabilities that help ensure that devices are in a trusted state before updates are applied.
The key prerequisite is virtualization-based security (VBS) - a foundational Windows 11 security feature and the core requirement for hotpatch updates at scale. VBS (also known as core isolation) uses hardware virtualization to run a secure kernel alongside the OS in a hypervisor-isolated environment. This separation means that, even if the main OS is compromised, the secure kernel remains protected. For hotpatch updates, VBS provides the trusted environment needed to safely update running kernel code.
Hotpatch updates also require modern Windows 11 hardware that supports VBS. Protections like silicon-rooted security and firmware integrity further strengthen the trusted foundation in which VBS operates. This way, hotpatch updates apply to devices with an already robust security baseline. In other words, devices that receive hotpatch updates are already trusted and well-protected, which reduces risk and strengthens your security posture.
Operational governance through existing update frameworks.
Hotpatch updates are delivered using the same Windows Update and Windows Autopatch mechanisms you already manage today. Clean integration of hotpatch updates into existing update rings and policies helps ensure consistent rollout, predictable compliance, and centralized, cloud‑managed enforcement - without introducing a new update model to govern. This means you get the benefits of hotpatch updates with no disruption to your current update processes or compliance reporting.
How hotpatch updates fit into the Windows chip-to-cloud security model
Security by design spans from chip to cloud. Hotpatch technology reflects this broader architectural framework in its prerequisites and functionality, designed to keep devices secure end-to-end. Let's take a look at the hardware (chip) layer, the operating system (OS) layer, and the cloud and identity layer of the same chip-to-cloud trust chain you already manage.
Hardware/chip layer.
Hotpatch updates are supported only on modern, secure silicon configurations (including Arm64), helping ensure that updates apply on hardware with:
- TPM 2.0
- UEFI Secure Boot
- Measured and trusted boot pathways
This way, the OS environment being patched is already hardware-rooted and trusted.
OS layer.
Hotpatch update readiness guidance links directly to VBS, which is core to Windows 11 OS-level protections. These OS-level safeguards help you:
- Protect sensitive processes from tampering.
- Enforce strong code integrity.
- Create a trusted foundation for in-memory patching.
Hotpatch updates use this secure architecture, updating protected code paths while keeping the OS running.
Cloud/identity layer.
Hotpatch updates use the same trusted channels as Windows Update. They're managed through:
- Windows Update client policies (formerly Windows Update for Business)
- Windows Autopatch quality update rings
- Microsoft Entra ID (formerly Azure AD)-based device identity
This helps ensure that your patches come from a secure, authenticated cloud source and adhere to your compliance and deployment policies.
Hotpatch updates use the full chip-to-cloud trust chain, so every update is delivered and applied with end-to-end security.
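A local check of the three device-side prerequisites named above (VBS, TPM 2.0, UEFI Secure Boot), as an added example that is not Microsoft's eligibility logic and not part of the original article. `Test-HotpatchPrerequisite` is a hypothetical function name; the script assumes an elevated PowerShell session and does not cover Windows Autopatch enrollment or policy membership.

```powershell
# Added example: reports whether this device meets the hardware/OS prerequisites
# the article lists for hotpatch updates. Test-HotpatchPrerequisite is a
# hypothetical name, not a built-in cmdlet. Run elevated.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param()

    $notes = [System.Collections.Generic.List[string]]::new()

    # --- VBS: Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    #     0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    $vbsRunning = $false
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
        if ($null -eq $dg) {
            $notes.Add('Win32_DeviceGuard returned no instance.')
        } elseif ($dg.VirtualizationBasedSecurityStatus -eq 2) {
            $vbsRunning = $true
        } elseif ($dg.VirtualizationBasedSecurityStatus -eq 1) {
            $notes.Add('VBS is enabled but not running.')
        } else {
            $notes.Add('VBS is not enabled.')
        }
    } catch {
        $notes.Add("Could not query Win32_DeviceGuard: $($_.Exception.Message)")
    }

    # --- UEFI Secure Boot: Confirm-SecureBootUEFI returns $true/$false and
    #     throws on legacy BIOS systems or when the session is not elevated.
    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        if (-not $secureBoot) { $notes.Add('Secure Boot is supported but disabled.') }
    } catch {
        $notes.Add("Secure Boot state unavailable: $($_.Exception.Message)")
    }

    # --- TPM 2.0: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59";
    #     the first field is the TPM specification version.
    $tpm20 = $false
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName 'Win32_Tpm' -ErrorAction Stop
        if ($null -eq $tpm) {
            $notes.Add('No TPM instance found.')
        } else {
            $spec = ($tpm.SpecVersion -split ',')[0].Trim()
            if ($spec -eq '2.0') {
                $tpm20 = $true
            } else {
                $notes.Add("TPM specification version is '$spec', not 2.0.")
            }
        }
    } catch {
        $notes.Add("Could not query Win32_Tpm: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        VbsRunning     = $vbsRunning
        SecureBootOn   = $secureBoot
        Tpm20Present   = $tpm20
        # True only when all three prerequisites named in the article are met.
        PrerequisiteOk = ($vbsRunning -and $secureBoot -and $tpm20)
        Notes          = $notes -join ' '
    }
}

Test-HotpatchPrerequisite | Format-List
```

The returned object can be collected across a fleet (for example through a remediation script) to find devices that need VBS enabled before the May 2026 default takes effect.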
How hotpatch updates reflect Windows security by default
Microsoft's Secure Future Initiative defines security as protections that are enforced by default and require no extra effort. The Windows 11 security posture, rooted in stronger defaults and continuous innovation, reinforces the security-by-design principles.
Hotpatch updates have always been designed with security at the core, and until now have been an opt-in feature. With the May 2026 security update, Windows Autopatch will enable hotpatch updates by default at the tenant level to help organizations get secure quicker. This change in default behavior is designed to reduce patch friction while keeping your existing update governance intact. Importantly, it doesn't override the controls you already use and comes with new controls to opt out until you're ready.
- The default tenant setting is only applied to devices that aren't members of a quality update policy.
- Windows Autopatch continues to respect the preferences you've set for deferrals and update ring settings.
- Starting April 1, 2026, you can also opt out of this new default behavior at the tenant or device group level. Learn more at Securing devices faster with hotpatch updates on by default.
With hotpatch updates enabled by default, you're secured with Windows security updates during each hotpatch release month, with no additional steps. In addition, critical security out-of-band (OOB) updates can also be delivered as hotpatch updates. This automatically secures you against the threats addressed by the OOB update, and your organization is protected faster, with less effort and fewer manual steps.
Alignment with security best practices
Enrolling in hotpatch updates automatically aligns your devices with Microsoft security best practices. Enroll devices in Windows Autopatch before May, if you haven't yet, and you'll start getting these updates enabled by default! These latest innovations in monthly servicing help keep your environment on a higher-trust, chip-to-cloud–aligned security baseline.
Embrace security by default with hotpatch updates that reduce user downtime and restart-driven tickets, improve update compliance, and shorten vulnerability exposure.
- The latest in Windows 11 security
- Hotpatch for client: Frequently asked questions
- Hotpatch readiness: Enable VBS at scale
- Hotpatch efficiency unlocked: Smaller update size
- Best practices for securing Microsoft Intune
- Windows 11 security book
Securing the present, innovating for the future
Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.
Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, and learn more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.
Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. You can also follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
- Apr 3, 2026
- Date parsed from source: Apr 3, 2026
- First seen by Releasebot: Apr 4, 2026
Windows news you can use: March 2026
Windows rolls out March 2026 updates across quality, security, management, and productivity, with Autopatch readiness, RSAT on Arm, native Sysmon, new Secure Boot and driver protections, print and recovery improvements, and fresh Windows 11 taskbar, camera, search, and Settings features.
This month, our Windows team shared a candid update on how we're thinking about Windows quality, what's changing behind the scenes, and how your real-world feedback is shaping the platform. It's all in a post entitled Our commitment to Windows quality. Windows + Devices EVP Pavan Davuluri walks through how we identify issues, prioritize fixes, and how the Windows Insider community helps make Windows more reliable before updates reach production environments. It's a helpful read if you're interested in learning more about how we build, measure, and strengthen Windows quality.
Now on to more highlights from March in this month's edition of Windows news you can use.
New in Windows update and device management
- [AUTOPATCH] – Windows Autopatch update readiness is now generally available. It includes new capabilities to help you proactively detect and remediate device update issues. Reduce downtime, improve update success, and lower the security risk that comes from devices that aren't up to date.
- [HOTPATCH] – Windows Autopatch is enabling hotpatch updates by default starting with the May 2026 security update. This change in default behavior will come to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API. New controls are available for those organizations that aren't ready to have hotpatch updates enabled by default.
- [RSAT] – Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs.
- [SECURE BOOT] – The March 2026 security update introduces two new PowerShell features to help you manage the ongoing Secure Boot certificate rollout. The Get-SecureBootUEFI cmdlet now supports the -Decoded option, which displays Secure Boot certificates in a readable format. The Get-SecureBootSVN cmdlet lets you check the Secure Boot Security Version Number (SVN) of your device's UEFI firmware and bootloader. Use it to report whether the device follows the latest Secure Boot policy.
- [PRINT] – Instead of requiring device-specific drivers, Windows is now released with a single, universal, inbox-class driver based on the industry standard IPP protocol and Mopria certification. If you're using a traditional x64 PC, including the latest Copilot+ PC running on Arm-based silicon, the print experience is the same: plug in (or connect over the network) and print.
- [W365] – Windows 365 Frontline in shared mode is now available in Brazil South, Italy North, West Europe, New Zealand North, Mexico Central, Europe, Norway East, France Central, Spain Central, Germany West Central, and Switzerland North. Windows 365 is now available for Government Community Cloud (GCC & GCC-High) organizations in the US Gov Texas region. In addition, multi-region selection is now available for Windows 365 GCC & GCC-High.
- [RDP] – Microsoft recently released a sample repository demonstrating how to build Remote Desktop Protocol (RDP) plugins using modern tools and development patterns.
New in Windows security
- [DRIVERS] – Starting with the April 2026 security update, Microsoft is removing trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help ensure that by default, you can only load kernel drivers the Windows Hardware Compatibility Program (WHCP) passes and signs. This new kernel trust policy applies to devices running Windows 11 and Windows Server 2025.
- [SECURE BOOT] – Catch up on the latest FAQs by watching the March edition of Secure Boot: Ask Microsoft Anything (AMA) on demand. The next AMA will be April 23, 2026. Save the date and post your questions in advance or during the live event. New guidance and resources are now available, including:
  - Video deep dive: Secure Boot certificate updates explained
  - Guide: Secure Boot troubleshooting
  - Reference: A closer look at the high confidence database
  - Documentation and sample PowerShell scripts: Sample Secure Boot E2E automation
  - Guide: Secure Boot certificate update status in the Windows Security app
- [SYSMON] – System Monitor (Sysmon) functionality is now natively available in Windows. Capture system events for threat detection and use custom configuration files to filter the events you want to monitor. Windows writes captured events to Windows Event Log, which allows security tools and other applications to use them.
- [WDS] – As announced in January 2026, the Unattend.xml file used in hands‑free deployment with Windows Deployment Services (WDS) poses a vulnerability when transmitted over an unauthenticated RPC channel. The second phase of hardening changes for CVE-2026-0386 begins with the April 2026 security update. These changes will disable hands‑free deployment by default to enforce secure behavior. For detailed guidance, see Windows Deployment Services (WDS) Hands‑Free Deployment Hardening.
New in AI
- [W365] [AGENTS] – Curious about the difference between Windows 365 for Agents and Microsoft Agent 365? Explore the distinct role of each product and learn how to use them together to run agentic workloads securely, at scale, and under enterprise governance.
To learn about the latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by "Copilot+ PC Exclusives."
New in Windows Server
For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.
- [EVENT] – Save the date for the Windows Server Summit, May 11-13. RSVP for three days of practical, engineering-led guidance on real-world operations, security, and hybrid scenarios supported by live Q&A.
- [NVMe] – A basic NVMe-over-Fabrics (NVMe-oF) initiator is available in the latest Windows Server Insiders build. This release introduces an in-box Windows initiator for NVMe/TCP and NVMe/RDMA, enabling early evaluation of networked NVMe storage using native Windows Server components.
New in productivity and collaboration
Install the March 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:
- [RECOVERY] – Quick Machine Recovery now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, Quick Machine Recovery stays off unless you enable it for your organization.
- [NETWORK] – A built‑in network speed test is now available from the taskbar. The speed test opens in the default browser and measures Ethernet, Wi‑Fi, and cellular connections.
- [CAMERA] – Control pan and tilt for supported cameras in the Settings app.
- [SEARCH] – Using search on the taskbar? Preview search results by hovering and quickly seeing when more results are available with group headers.
New features and improvements are coming in the April 2026 security update. You can preview them by installing the March 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:
- [SECURITY] – You can turn Smart App Control on or off without needing a clean install.
- [SETTINGS] – The Settings > About page now provides a more structured and intuitive experience. Get clearer device specifications and easier navigation to related device components, including quick access to Storage settings.
Lifecycle reminders
- Windows 10 Enterprise 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach end of support on October 13, 2026. Windows Server 2016 will reach end of support on January 12, 2027. If your organization cannot migrate to newer, supported releases in time, explore the options available to help you keep your devices protected with monthly security updates. Extended Security Updates (ESU) are now available for purchase for Windows 10 Enterprise 2016 LTSB.
Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.
Additional resources
Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:
- Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
- Microsoft 365 Copilot release notes for latest features and improvements
- Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
- Windows Server Insider for feature preview opportunities
- Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders
Join the conversation
If you're an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.
Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!
- Mar 31, 2026
- Date parsed from source: Mar 31, 2026
- First seen by Releasebot: Apr 4, 2026
March 31, 2026—KB5086672 (OS Builds 26200.8117 and 26100.8117) Out-of-band
Windows releases an out-of-band cumulative update for Windows 11 25H2 and 24H2 that brings March 2026 preview improvements, fixes a setup error affecting some installs, and improves the servicing stack for more reliable updates.
This out-of-band update for Windows 11, version 25H2 and 24H2 (KB5086672) is cumulative and includes updates from previous security and non-security releases.
This update includes the improvements and features that were introduced in the March 26, 2026 non-security preview update (KB5079391), along with a fix for an installation issue that affected some devices attempting to install that update.
Improvements
This out-of-band update contains quality improvements from KB5079473 (released March 10, 2026), KB5085516 (released March 21, 2026), and KB5079391 (released March 26, 2026 - no longer offered). The following summary outlines key issues addressed by this out-of-band update. The bold text within the brackets indicates the item or area of the change.
- [Setup] Fixed: While installing the March 2026 Windows preview update (KB5079391), some devices running Windows 11, version 25H2 or 24H2, might encounter the following error:
Some update files are missing or have problems. We'll try to download the update again later. Error code: (0x80073712)
This out-of-band update is offered through Windows Update for devices running Windows 11 that have already installed KB5079473 or a later update. It is also available for manual download from the Microsoft Update Catalog.
Devices that have Get the latest updates as soon as they’re available turned on may see this update offered automatically through Windows Update when it becomes available for their device. If this setting is turned off, you can install the update manually by going to Settings > Windows Update and selecting Download & install.
Note:
IT administrators using Microsoft Intune or Windows Autopatch should follow the guidance below for installing the out-of-band update via Windows Update.
- Expedite Windows quality updates in Microsoft Intune
- Deploy an expedited quality update using Windows Autopatch
AI Components
This release updates the following AI components:
- Image Search: version 1.2603.377.0
- Content Extraction: version 1.2603.377.0
- Semantic Analysis: version 1.2603.377.0
- Settings Model: version 1.2603.377.0
Windows 11 servicing stack update (KB5079387) - 26100.8112
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Open Start > Settings > Windows Update > Advanced options > Optional updates. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates.
If you want to remove the LCU
Before you decide to remove the LCU, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for out-of-band update 5086672.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5079387) - version 26100.8112.
- Mar 26, 2026
- Date parsed from source: Mar 26, 2026
- First seen by Releasebot: Mar 27, 2026
March 26, 2026—KB5079391 (OS Builds 26200.8116 and 26100.8116) Preview
Windows releases a non-security update for Windows 11 25H2 and 24H2 with production-quality improvements, refreshed AI components, and a servicing stack update designed to make Windows updates more reliable.
This non-security update for Windows 11, version 25H2 and 24H2 (KB5079391), includes production-quality improvements. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 24H2 and version 25H2.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Highlights
This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).
Gradual rollout
The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.
AI Components
This release updates the following AI components:
- Image Search: version 1.2603.377.0
- Content Extraction: version 1.2603.377.0
- Semantic Analysis: version 1.2603.377.0
- Settings Model: version 1.2603.377.0
Windows 11 servicing stack update (KB5079387) - 26100.8112
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Open Start > Settings > Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates.
If you want to remove the LCU
Before you decide to remove the LCU, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5079391.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5079387) - version 26100.8112.
Related topics
Microsoft Store for Business and Education with Configuration Manager
Get updates for apps and games in Microsoft Store
- Mar 10, 2026
- Date parsed from source: Mar 10, 2026
- First seen by Releasebot: Mar 27, 2026
March 10, 2026—KB5078883 (OS Build 22631.6783)
Windows releases a cumulative update for Windows 11 version 23H2 with the latest security fixes and quality improvements, including new Secure Boot management features, better File History reliability, improved GPU stability, a new Saudi Riyal symbol, and more trusted catalog file handling.
This cumulative update for Windows 11, version 23H2 (KB5078883), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 23H2.
Tip: This month’s video is available in the Windows 11, version 25H2 and 24H2 article.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Microsoft Store apps updates
Change Log
Improvements
This update addresses security issues for your Windows operating system.
Important: Use EKB KB5027397 to update to Windows 11, version 23H2.
This security update contains fixes and quality improvements from KB5075941 (released February 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
- [Secure Boot]
- With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- This update introduces two new PowerShell features to help you manage the ongoing Secure Boot key rollout. The Get-SecureBootUEFI cmdlet now supports the -Decoded option, which displays Secure Boot keys and certificates in a readable format. The Get-SecureBootSVN cmdlet lets you check the Secure Boot Security Version Number (SVN) of your device’s UEFI firmware and bootloader, and report whether the device follows the latest Secure Boot policy.
- [File History]
- Improved: This update improves the reliability of File History in Control Panel. Files with names that include Chinese characters and Private Use Area characters now back up successfully, helping keep your files protected and available when you need them.
- [Graphics]
- Improved: This update improves stability affecting certain GPU configurations, helping devices shut down more reliably.
- Improved: This update improves stability for certain GPU configurations. It helps games and 3D apps run more reliably during intensive graphics use.
- [Texts and Fonts]
- Improved: This update improves Windows fonts by adding the new Saudi Riyal currency symbol. This change helps keep text clear, accurate, and visually consistent across your Windows apps and experiences.
- [Windows System Image Manager]
- Improved: This update improves the reliability of choosing trusted catalog files. It adds a warning dialog that helps you confirm that the file you select comes from a trusted source.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the March 2026 Security Update.
Windows 11 servicing stack update (KB5079275) - 22621.6773
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Available | Next Step
Included | This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove the LCU
Before you decide to remove the LCU, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5078883.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5079275) - versions 22621.6773.
- Mar 10, 2026
- Date parsed from source:Mar 10, 2026
- First seen by Releasebot:Mar 11, 2026
RSAT capabilities arrive on Arm-based Windows 11 PCs
Microsoft announces RSAT is officially supported on Arm-based Windows 11, enabling remote administration of Windows servers natively on Arm64. With the February 2026 preview, five core RSAT tools become available on Arm: AD DS tools, AD CS tools, GPMC, DNS Server Tools, and DHCP Server Tools, empowering management from Arm devices.
RSAT tools now available for Windows on Arm
Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs. Supporting RSAT on Windows 11 on Arm marks a significant milestone and addresses one of your top requests for enterprise management.
With the February 2026 Windows non-security preview update, five of the most widely used RSAT components are available on Arm-based devices:
- Active Directory Domain Services & AD LDS Tools – Remotely manage Active Directory domains, users, and Lightweight Directory Services (AD LDS) instances.
- Active Directory Certificate Services Tools – Administer and manage certificate services and Public Key Infrastructure (PKI) on Windows Servers.
- Group Policy Management Console (GPMC) – Create, edit, and manage Group Policy Objects to control settings in Active Directory environments.
- DNS Server Tools – Configure and monitor DNS servers via the DNS Manager snap-in and command-line DNS utilities.
- DHCP Server Tools – Manage DHCP servers and scopes to administer IP address allocation in your networks.
These familiar utilities have long been available on x64 Windows clients. They're now compiled natively for the 64-bit Arm architecture and supported on Windows 11 Pro and Enterprise editions. With these tools, you can accomplish everyday system administrator tasks directly from an Arm-based Windows 11 PC. Add users to Active Directory, edit GPOs, configure DNS and DHCP servers, and more.
Why RSAT on Arm64 matters
For the past several years, if you've used Windows on Arm, you had to rely on alternative management methods (such as Windows Admin Center) or switch to an x64 device for certain tasks. Similarly, testing newer Arm-powered laptops for your enterprise highlighted the pressing need for RSAT support on Arm64 devices.
With RSAT support, Windows 11 on Arm becomes a more viable platform for enterprise IT management. It boosts confidence in the Windows on Arm ecosystem for business use. Put simply, you can now manage Windows servers from an Arm-based client, using the same robust GUI and PowerShell tools you know.
RSAT on different Windows 11 versions
Depending on your Windows 11 version, RSAT are either available as optional components or Features on Demand (FODs).
- Windows 11, versions 25H2 and 24H2 on Arm: For today's broadly released and supported Windows 11 versions, RSAT support for Arm64 is available starting with the February 2026 Windows non-security preview update. The tools are enabled as optional components.
- Windows 11, version 26H1: New Arm-based devices with the targeted Windows 11, version 26H1 release have these RSAT capabilities integrated directly as FODs. This release brings the Arm64 edition closer to parity with x64 in terms of RSAT functionality.
How to enable RSAT on Arm-based Windows 11 PCs
Optional components for Windows 11, versions 25H2 and 24H2
Your devices with an Arm64 processor must be running Windows 11, version 25H2 or 24H2 and be updated with the February 2026 Windows non-security preview update or later.
To add RSAT as optional components via the Control Panel:
- Open the Control Panel.
- Select Programs > Turn Windows features on or off.
- Check the boxes for the RSAT components you need.
The RSAT components will then be installed and available for use on your Arm-based Windows 11 PC.
When you install optional components through the Control Panel user interface, you'll see the DisplayName showing RSAT.
However, when using command-line tools, you'll only see the FeatureName. Please use the FeatureName to install a specific optional component.
Examples:
dism /online /get-features /format:table | findstr /i "Enabled"
or
Get-WindowsOptionalFeature -Online | Where-Object State -eq "Enabled"
Output sample:
FeatureName                  State
-----------                  -----
CertificateServices-Tools    Enabled
ServerManager-Tools          Enabled
ActiveDirectory-DS-LDS-Tools Enabled
Commands to install:
# Enable ADLDS
Enable-WindowsOptionalFeature -Online -FeatureName ActiveDirectory-DS-LDS-Tools -All -NoRestart
# Enable ADCS
Enable-WindowsOptionalFeature -Online -FeatureName CertificateServices-Tools -All -NoRestart
Additionally, for an individual feature:
Get-WindowsOptionalFeature -Online -FeatureName <FeatureName>
The output will include the DisplayName, which shows the corresponding RSAT label.
Features on Demand for Windows 11, version 26H1
The RSAT components are available to you as Windows features on devices with Windows 11, version 26H1.
To add RSAT tools as FODs via Windows Settings:
- Navigate to Settings > System > Optional Features > Add an optional feature.
- Find and select the desired "RSAT" components to install, such as RSAT: Active Directory Domain Services and LDS Tools, RSAT: DNS Server Tools, etc.
This is what RSAT as FODs look like on Windows 11, version 26H1:
Manage Windows infrastructure more efficiently
We hope you will take advantage of these newly available RSAT components on your Arm64 devices and let us know how this investment helps your team manage Windows infrastructure more efficiently.
By introducing RSAT for Windows 11 on Arm, the platform takes another step toward giving you a consistent management experience across more of your Windows devices. This removes a key barrier for your organization to adopt Arm-powered PCs for benefits like battery life and connectivity. Just use your preferred server management workflows on any Windows 11 PC.
This update underscores our commitment to support Windows on Arm for enterprise use cases. We'll continue welcoming feedback as we enhance Windows 11 for all platforms.
Happy server managing, now on Arm!
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
[1] Non-Arm, x64 devices on Windows 11, versions 25H2 and 24H2 are Features on Demand.
[2] As a shortcut for installing optional components via the Control Panel, press Win + R, type optionalfeatures.exe, and press Enter.
- Mar 10, 2026
- Date parsed from source:Mar 10, 2026
- First seen by Releasebot:Mar 11, 2026
March 10, 2026—Hotpatch KB5079420 (OS Builds 26200.7979 and 26100.7979)
Microsoft reports a Windows 11 hotpatch update (KB5079420) for versions 25H2 and 24H2 that boosts security, performance and reliability. It includes an SSU and notes Secure Boot certificate updates arriving with the next baseline in April 2026. No known issues; update is delivered via Windows Update.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Change log
Improvements and fixes
This Hotpatch update includes security and quality improvements.
The following summary outlines key issues addressed by this update. The bold text within the brackets indicates the item or area of the change.
This update makes miscellaneous security improvements to internal OS functionality.
Note:
Secure Boot certificate updates will be delivered with the next baseline Windows update in April 2026.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the hotpatch update. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
If you are using Windows Update, the latest SSU installs with this update.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Release Channels | Available | Next step
Windows Update | Included | This update downloads and installs automatically from Windows update and Microsoft Update
Catalog | Not included | See the other options.
Server Update Services | Not included | See the other options.
File information
For a list of the files provided in this update, download the file information for cumulative update 5079420.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5083532) - version 26100.8035.
- Mar 10, 2026
- Date parsed from source:Mar 10, 2026
- First seen by Releasebot:Mar 11, 2026
March 10, 2026—KB5079473 (OS Builds 26200.8037 and 26100.8037)
Microsoft releases a Windows 11 cumulative update for 25H2 and 24H2, delivering security fixes plus quality improvements and new features across Secure Boot, File Explorer, WDAC, and System Image Manager. It includes AI component updates and a servicing stack update, with upgrade via Windows Update.
Windows 11 March 10, 2026, KB5079473
This cumulative update for Windows 11, version 25H2 and 24H2 (KB5079473), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Change log
Improvements
This security update contains fixes and quality improvements from KB5077181 (released February 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
- [Secure Boot]
With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- [File Explorer]
Improved: This update improves File Explorer search reliability when searching across multiple drives or "This PC".
- [Windows Defender Application Control]
Improved: This update improves how Windows Defender Application Control (WDAC) handles COM objects allowlisting policies. COM objects were blocked when the endpoint security policy was set higher than the allowlisting policy. With this update, COM objects are allowed as expected.
- [Windows System Image Manager]
Improved: This update improves the reliability of choosing trusted catalog files. It adds a warning dialog that helps you confirm that the file you select comes from a trusted source.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the March 2026 Security Updates.
AI Components
This release updates the following AI components:
AI Component | Version
Image Search | 1.2602.1451.0
Content Extraction | 1.2602.1451.0
Semantic Analysis | 1.2602.1451.0
Settings Model | 1.2602.1451.0
Windows 11 servicing stack update (KB5083532) - 26100.8035
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Available | Next Step
Included | This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove the LCU
Before you decide to remove the LCU, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5079473.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5083532) - version 26100.8035.
Related topics
Microsoft Store for Business and Education with Configuration Manager
Get updates for apps and games in Microsoft Store
- Mar 9, 2026
- Date parsed from source:Mar 9, 2026
- First seen by Releasebot:Mar 10, 2026
Securing devices faster with hotpatch updates on by default
Microsoft reports Windows Autopatch will enable hotpatch security updates by default starting May 2026 for eligible devices via Intune or Graph API. The change speeds compliance by removing restart waits, with opt-out options and readiness tools available before rollout.
Windows Autopatch hotpatch by default
Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible [i] devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.
One month before this shift, starting on April 1, 2026, new controls become available if you're not ready for this change. Here's why and how you can decide on your next move.
The advantage of hotpatch updates
Every month, Windows publishes security updates to address common vulnerabilities and exposures (CVEs) to help keep users at your organization secure. When you roll out these updates as an IT admin, you may wait for days for devices to restart before they become compliant. Typically, you'd allow 3-5 days after installing those fixes before forcing a restart to apply them. When hotpatch updates launched about a year ago, we changed the game. Security updates take effect as soon as they are installed – no restart required.
This change in approach patches devices significantly faster since they aren't waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes (see chart below).
Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies like yours have in this capability. Learn more about the efficiency of smaller hotpatch update sizes and how we implement hotpatch updates internally at Microsoft.
Hotpatch by default: How it works
Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.
What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.
Note: Hotpatch updates only apply to devices that meet the hotpatch prerequisites. Devices that don't meet these prerequisites will continue to patch in the same way they do today.
When will my devices start receiving hotpatch updates?
If a device meets the prerequisites and has taken the April 2026 security update (a baseline update), it will start receiving hotpatch updates with the May 2026 security update. Double-check whether a device is enrolled in hotpatch updates with new Windows Autopatch update readiness tools.
Note: Hotpatch updates are applied from the latest baseline release. If a device is enrolled in hotpatch updates but isn't yet on the latest baseline, Windows Autopatch first installs the latest baseline update, which requires a restart. Once the device is on the latest baseline, it continues receiving hotpatch updates without requiring restarts going forward. For more information on the latest schedule for these releases, see Release notes for hotpatch.
How do I know if a device will receive a hotpatch update?
Before the May 2026 hotpatch update, review the Hotpatch quality updates report in Intune. It shows devices that have hotpatch updates enabled and meet the prerequisites. You can easily see which devices will receive a hotpatch update in the Hotpatch ready column. Devices successfully patched are in the Hotpatched column.
You can also look at the Quality update status report in Intune to check which devices are ready to receive a hotpatch update. In this report, the column labeled Hotpatch Readiness indicates if the device meets the prerequisites for hotpatch updates. A new column called Hotpatch enabled will be added showing the status of each device.
Embracing the change at your own pace
Windows Autopatch is enabling hotpatching by default because hotpatch updates are the quickest way to get secure. As such, we recommend keeping hotpatch updates enabled for your devices. If you're not ready for this change, you can opt out groups of devices or the whole tenant.
The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026. And because April is a hotpatch baseline month, you have until May 11, 2026 before any hotpatch updates are deployed.
How to opt out of hotpatch updates across your tenant
Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:
- Open Microsoft Intune.
- Navigate to Tenant administration > Windows Autopatch > Tenant management.
- Select the Tenant settings tab.
- Toggle the "When available, apply updates without restarting the device ("hotpatch")" setting to either Allow or Block.
How to opt out of hotpatch updates for groups of devices
Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:
- Open Microsoft Intune.
- Navigate to Devices > Manage updates > Windows updates.
- Select the Quality updates tab.
- Select Create.
- Select Windows quality update policy from the drop-down menu.
- Fill out the title and details on the Basics tab and select Next.
- In the Settings step, toggle the "When available, apply without restarting the device ("hotpatch")" setting to either Allow or Block, then select Next.
- Apply any scope tags, then select Next.
- Assign your desired Microsoft Entra groups, then select Next.
- Select Create.
You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you're ready for hotpatch updates by default, just toggle "When available, apply without restarting the device ("hotpatch")" back to Allow.
To start taking advantage of hotpatch updates enabled by default, check that your devices meet the prerequisites. To learn more and get started, see Hotpatch updates and the Windows Autopatch frequently asked questions (FAQ).
[i] See prerequisites for hotpatch updates in Hotpatch updates.
- Mar 5, 2026
- Date parsed from source:Mar 5, 2026
- First seen by Releasebot:Mar 11, 2026
Hotpatch updates
Microsoft introduces Hotpatch updates, enabling no restart security patches via Autopatch, boosting compliance and keeping workflows uninterrupted. Includes prerequisites, CHPE notes, rollout calendar, enrollment steps, rollback limitations, and troubleshooting guidance.
Hotpatch updates overview
With hotpatch updates, you can quickly take measures to help protect your organization from the evolving landscape of cyberattacks, while minimizing user disruptions. Hotpatch updates are Monthly B release security updates that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
Key benefits
- Hotpatch updates streamline the installation process and enhance compliance efficiency.
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
- Hotpatch package size is significantly smaller than the standard cumulative updates. Therefore, hotpatch updates install faster and consume less network bandwidth. Additional details are shared in the Hotpatch efficiency unlocked: Smaller update size blog.
Prerequisites
To benefit from Hotpatch updates, devices must meet the following prerequisites:
- One of the eligible licenses: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise
- Windows 11 version 24H2 or later
- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see Release notes for Hotpatch.
- Microsoft Intune to manage hotpatch update deployment with the Windows quality update policy with hotpatch turned on.
Operating system configuration prerequisites
To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
Virtualization based security (VBS)
VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see Virtualization-based Security (VBS).
VBS is required for the hotpatch update installer to function. To enable VBS, you can use the CSP VirtualizationBasedTechnology. For more information, see VirtualizationBasedTechnology.
Note
Devices might be temporarily ineligible because they don’t have VBS enabled or aren’t currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see Troubleshoot hotpatch updates. You can also find VBS status in Autopatch alerts and remediation with the alert 'Hotpatch – VBS not running.'
Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
CHPE (Compiled Hybrid Portable Executable) is a type of binary that improves the performance of 32‑bit (x86) applications running on Arm64 devices. CHPE binaries include both native Arm64 and x86 code, allowing Windows to run x86 applications more efficiently on Arm‑based PCs.
This requirement only applies to Arm64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder.
Note
CHPE is only relevant for environments where 32-bit x86 Microsoft Office or other legacy x86 applications are required on Arm64 devices.
If you're not sure what edition of applications you're running and whether they might fail when disabling CHPE, see Choose between the 64-bit or 32-bit version of Office - Microsoft Support.
Application failure or performance issues can arise from disabling CHPE binaries. This can happen if you run a 32-bit program, such as VBA code using Declare statements or 32-bit COM Add-ins with no 64-bit alternative. To avoid these issues, update the program to 64-bit or identify the devices that must run these programs and exclude them from your hotpatch quality update policies.
For guidance on how to update 32-bit applications to 64-bit, see Update app architecture from Arm32 to Arm64.
To ensure that all the hotpatch updates are applied, you must disable CHPE usage. Set the CHPE disable flag and restart the device. You only need to set this flag one time. The registry setting remains applied through updates.
To disable CHPE binaries, you can use the DisableCHPE system policy CSP. For more information, see DisableCHPE.
You can also create and/or set the following DWORD registry key:
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
DWORD key value: HotPatchRestrictions=1
Important
Support for the 32-bit edition of Microsoft 365 Apps on Windows Arm-based devices is ending. New feature updates stopped in October 2025, and security updates end in December 2026. If your organization is still using 32‑bit Microsoft 365 Apps on Windows Arm‑based PCs, review End of Support for 32-bit Microsoft 365 Apps on Windows Arm-based PCs. There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is only applicable to Arm64 devices.
If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (HotPatchRestrictions=0) then restart the device to turn on CHPE usage.
Ineligible devices
Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. The LCU contains monthly updates that supersede the previous month's updates, containing both security and nonsecurity releases.
LCUs require you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
Note
If devices aren't eligible for hotpatch updates, they're offered the LCU. The LCU keeps your configured Update ring settings; it doesn't change the settings.
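The device-side prerequisites above (OS version, VBS, and the CHPE flag on Arm64) can be read locally. The following read-only check is an added example, not Microsoft tooling and not part of the original documentation; it assumes that Windows 11, version 24H2 corresponds to build 26100 (the 24H2 build number in the release notes on this page), and the function name `Test-HotpatchPrerequisite` is hypothetical.

```powershell
# Added example (not Microsoft tooling): read-only check of the local hotpatch
# prerequisites described above. Licensing, Intune policy assignment and the
# baseline level are not visible from these settings and are not checked.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param()

    $results = @()

    # 1. Windows 11, version 24H2 or later.
    # Assumption: 24H2 is build 26100. This test does not tell client and server editions apart.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $results += [pscustomobject]@{
        Check  = 'Windows 11, version 24H2 or later'
        Pass   = ($build -ge 26100)
        Detail = 'Build {0}.{1} ({2})' -f $build, $cv.UBR, $cv.DisplayVersion
    }

    # 2. VBS must be running, not merely configured.
    # Win32_DeviceGuard reports 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = -1
    if ($dg) { $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus }
    $vbsDetail = 'Win32_DeviceGuard could not be queried'
    if ($vbsText.ContainsKey($vbsStatus)) { $vbsDetail = 'VBS ' + $vbsText[$vbsStatus] }
    $results += [pscustomobject]@{
        Check  = 'Virtualization-based security running'
        Pass   = ($vbsStatus -eq 2)
        Detail = $vbsDetail
    }

    # 3. Arm64 only: CHPE usage must be disabled (HotPatchRestrictions = 1).
    # The machine-level variable reports the native architecture even when this
    # PowerShell process runs under x64 or x86 emulation.
    $arch = [Environment]::GetEnvironmentVariable('PROCESSOR_ARCHITECTURE', 'Machine')
    if ($arch -eq 'ARM64') {
        $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $flag = (Get-ItemProperty -Path $mm -Name HotPatchRestrictions `
                                  -ErrorAction SilentlyContinue).HotPatchRestrictions
        $chpeDetail = 'HotPatchRestrictions is not set'
        if ($null -ne $flag) { $chpeDetail = "HotPatchRestrictions=$flag" }
        $results += [pscustomobject]@{
            Check  = 'CHPE disabled (Arm64)'
            Pass   = ($flag -eq 1)
            # The flag takes effect only after a restart, which this check cannot confirm.
            Detail = $chpeDetail
        }
    }
    else {
        $results += [pscustomobject]@{
            Check  = 'CHPE disabled (Arm64)'
            Pass   = $true
            Detail = "Not applicable on $arch"
        }
    }

    return $results
}

Test-HotpatchPrerequisite | Format-Table -AutoSize -Wrap
```

A device that passes all three rows can still be ineligible because of licensing, policy assignment, or not being on the latest baseline; the Intune hotpatch reports remain the authoritative view.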
Release cycles
For more information about the release calendar for hotpatch updates, see Release notes for Hotpatch.
- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
- Hotpatch: Includes security updates. No restart required.
Table 1
Quarter | Baseline updates (requires restart) | Hotpatch (no restart required)
1 | January | February and March
2 | April | May and June
3 | July | August and September
4 | October | November and December
During a hotpatch month, if a device has hotpatch updates enabled but isn't on the latest baseline update, the device will receive both the latest baseline update (restart required) and the latest hotpatch update.
Note
Upgrading a hotpatch enrolled device to the latest Windows version (for example, upgrading from Windows 11 24H2 to Windows 11 25H2) during a baseline month keeps the device on the hotpatch cycle and the device keeps receiving the hotpatch updates seamlessly. However, upgrading a device to the latest Windows version in a hotpatch month switches the device to standard updates; you must restart the device to apply the update until the next baseline release.
Hotpatch on Windows 11 Enterprise or Windows Server 2025
Note
Hotpatch is also available on Windows Server and Windows 365. For more information, see Hotpatch for Windows Server Azure Edition.
Hotpatch updates are similar between Windows 11 and Windows Server 2025.
- Windows Autopatch manages Windows 11 updates
- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information on Windows Server and Windows 365, see Hotpatch for Windows Server Azure Edition.
The calendar dates, eight hotpatch months, and four baseline months planned each year are the same for all the hotpatch-supported operating systems (OS). One OS (for example, Windows Server 2022) can have additional baseline months while another OS, such as Server 2025 or Windows 11, version 24H2, has hotpatch months. Review the release notes from Windows release health to keep up to date.
Enroll devices to receive Hotpatch updates
Note
If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
To enroll devices to receive Hotpatch updates:
- Go to the Intune admin center.
- Select Devices from the left navigation menu.
- Under the Manage updates section, select Windows updates.
- Go to the Quality updates tab.
- Select Create, and select Windows quality update policy.
- Under the Basics section, enter a name for your new policy and select Next.
- Under the Settings section, ensure that the option "When available, apply without restarting the device ("Hotpatch")" is set to Allow. Then, select Next.
- Select the appropriate Scope tags or leave as Default. Then, select Next.
- Assign the devices to the policy and select Next.
- Review the policy and select Create.
- You can also Edit the existing Windows quality update policy and set the "When available, apply without restarting the device ("Hotpatch")" to Allow.
These steps ensure that targeted devices, which are eligible to receive Hotpatch updates, are configured properly. Ineligible devices are offered the latest cumulative updates (LCU).
Note
Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
Roll back a hotpatch update
Automatic rollback of a hotpatch update isn't supported, but you can uninstall it. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update, installing the latest standard cumulative update (LCU), and restarting the device. Uninstalling a hotpatch update is quick; however, it does require a device restart.
Troubleshoot hotpatch updates
Step 1: Verify the device is eligible for hotpatch updates and on a hotpatch baseline before the hotpatch update is installed
Hotpatching follows the hotpatch release cycle. Review the prerequisites to ensure the device is eligible for hotpatch updates. For information on devices that don't meet the prerequisites, see Ineligible devices.
For the latest release schedule, see the hotpatch release notes. For information on Windows update history, see Windows 11, version 24H2 update history.
Step 2: Verify the device has Virtualization-based security (VBS) turned on
- Select Start, and enter System information in the Search.
- Select System information from the results.
- Under System summary, under the Item column, find Virtualization-based security.
- Under the Value column, ensure it states Running.
Step 3: Verify the device is properly configured to turn on hotpatch updates
- In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the Windows Update > Quality Updates page.
- Ensure the hotpatch update policy is set to Allow.
- On the device, select Start > Settings > Windows Update > Advanced options > Configured update policies > find Enable hotpatching when available. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch.
Step 4: Disable compiled hybrid PE usage (CHPE) (Arm64 CPU only)
For more information, see Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only).
Step 5: Use Event viewer to verify the device has hotpatch updates turned on
- Right-click on the Start menu, and select Event viewer.
- Search for AllowRebootlessUpdates in the filter. If AllowRebootlessUpdates is set to 1, the device is enrolled in the Autopatch update policy and has hotpatch updates turned on:
"data": {
    "payload": "{"Orchestrator":{"UpdatePolicy":{"Update/AllowRebootlessUpdates":true}}}",
    "isEnrolled": 1,
    "isCached": 1,
    "vbsState": 2,
Step 6: Check Windows Logs for any hotpatch errors
Hotpatch updates provide an inbox monitor service that checks for the health of the updates installed on the device. If the monitor service detects an error, the service logs an event in the Windows Application Logs. If there's a critical error, the device installs the standard (LCU) update to ensure the device is fully secure.
- Right-click on the Start menu, and select Event viewer.
- Search for hotpatch in the filter to view the logs.
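When many devices need triage, the Step 5 check can be scripted over exported events. The Python below is an added example, not Microsoft tooling: it assumes each event was exported as complete JSON with the fields shown in Step 5, that payload is a JSON string nested inside the record, and that vbsState 2 means VBS is running (the value in the healthy sample). The function names and sample events are constructed for illustration.

```python
import json

def _dig(obj, *keys):
    """Walk nested dicts; return None as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def hotpatch_findings(event_json):
    """Return the reasons an event does not show hotpatch turned on ([] = healthy)."""
    try:
        record = json.loads(event_json)
    except json.JSONDecodeError as exc:
        return ["parse: event is not valid JSON (%s)" % exc.msg]
    data = _dig(record, "data")
    if not isinstance(data, dict):
        return ["parse: no data object in event"]
    payload = data.get("payload")
    if isinstance(payload, str):  # the policy is JSON nested inside a string
        try:
            payload = json.loads(payload)
        except json.JSONDecodeError:
            payload = None
    findings = []
    allow = _dig(payload, "Orchestrator", "UpdatePolicy", "Update/AllowRebootlessUpdates")
    if allow not in (True, 1):  # the page's text says 1, its sample shows true
        findings.append("policy: Update/AllowRebootlessUpdates is not turned on")
    if data.get("isEnrolled") != 1:
        findings.append("enrollment: isEnrolled is not 1")
    if data.get("vbsState") != 2:  # assumption: 2 = running, as in the healthy sample
        findings.append("vbs: vbsState is not 2")
    return findings

def sample_event(allow, enrolled, vbs):
    """Build a constructed event with the fields shown in Step 5."""
    policy = {"Orchestrator": {"UpdatePolicy": {"Update/AllowRebootlessUpdates": allow}}}
    return json.dumps({"data": {"payload": json.dumps(policy), "isEnrolled": enrolled,
                                "isCached": 1, "vbsState": vbs}})

if __name__ == "__main__":
    for name, event in [("healthy", sample_event(True, 1, 2)),
                        ("vbs-off", sample_event(True, 1, 0)),
                        ("untargeted", sample_event(False, 0, 2)),
                        ("truncated", '{"data": {"payload": "{')]:
        print(name, hotpatch_findings(event) or "hotpatch turned on")
```

A finding prefixed with vbs points back to Step 2, and one prefixed with policy or enrollment points back to Step 3.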