More enterprise environments can now experience the power of security updates that don’t require a restart. Hotpatching is now available for Windows 11, version 24H2 Arm64 devices. All you need to do is check your prerequisites, disable Compiled Hybrid PE (CHPE), and enroll these devices into a quality update policy with hotpatching enabled.
When will this happen:
Hotpatching for 64-bit Arm architecture is now generally available.
How this will affect your organization:
With hotpatching, your organization can benefit from:
- Faster compliance: Security updates are applied immediately, reducing the window of vulnerability.
- No downtime: Users stay productive—no forced restarts or interruptions.
- Smaller update payloads: Faster installs and easier update orchestration.
- Enterprise-grade control: Integrated with Microsoft Intune and Windows Autopatch for streamlined management.
What you need to do to prepare:
Read Hotpatching now available for 64-bit Arm architecture to check if you meet the prerequisites and additional guidance to get started.
A unique prerequisite for Arm64 devices is disabling Compiled Hybrid PE (CHPE). Do this in one of the following ways:
- Use the DisableCHPE policy. Apply the following configuration service provider (CSP) setting via Microsoft Intune or Group Policy, then restart the device once: ./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1
- Use registry keys. You can also set the following registry key value to 1 and then restart the device once: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1
Additional information:
- Read Hotpatching now available for 64-bit Arm architecture for the complete announcement and technical guide.
- Find the DisableCHPE policy at System Policy CSP.
- Learn how to Enroll devices to receive hotpatch updates.
- Consult our comprehensive documentation on Hotpatch updates.