MC1138549: Hotpatch readiness: Enable VBS at scale
Prepare for hotpatch in your environment by meeting a key requirement to enable virtualization-based security (VBS) on Windows client. With the hotpatching feature of Windows Autopatch, you can apply security updates to Windows without requiring a restart. VBS protects against kernel-level exploits and other advanced threats to help ensure your endpoints are secure and ready for patching. It’s straightforward to enable VBS, and here we’ll show you how—whether deploying at scale with Microsoft Intune or on a single device using PowerShell or Windows Command Prompt.
How this will affect your organization:
You’ll need to enable VBS as a requirement for hotpatch, which applies security updates to Windows without requiring a restart. Hotpatch minimizes downtime while improving patch compliance and reducing risk.
What you need to do to prepare:
You’ll need to ensure VBS is enabled for hotpatch. Learn the steps to take for three different methods of enabling VBS at your organization—whether at scale using Microsoft Intune or on single devices using PowerShell or Windows Command Prompt. Then learn how to validate and monitor VBS.
To enable VBS using the Intune method, follow these steps:
- In the Intune admin center, go to Devices > Manage Devices > Configuration.
- Under the Policies tab, create a new profile by selecting Create > New policy.
- In the Create a profile flyout, select Windows 10 and later.
- For profile type, select Settings catalog.
- On the next screen, name your profile under Basics.
- Navigate to the Configuration settings tab and select Add settings.
- In the Settings picker flyout, start typing “Virtualization Based Technology” and select it from the search results.
- Locate and select the Hypervisor Enforced Code Integrity setting name among the results to enable memory integrity.
- Complete the wizard by setting scope, assignments, and reviewing your configuration.
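
To check the outcome on a device once the profile has applied, the PowerShell below is an added example (not part of the original message) that reads the Win32_DeviceGuard CIM class and reports whether VBS and memory integrity are configured and running. The function name Get-VbsReadiness and the sample object are assumptions made for illustration.

```powershell
# Added example: summarize VBS and memory integrity (HVCI) state from Win32_DeviceGuard.
function Get-VbsReadiness {
    param(
        # A Win32_DeviceGuard instance; queried from the local device when omitted.
        [Parameter(ValueFromPipeline)]
        $DeviceGuard
    )
    process {
        if (-not $DeviceGuard) {
            $query = @{
                Namespace   = 'root\Microsoft\Windows\DeviceGuard'
                ClassName   = 'Win32_DeviceGuard'
                ErrorAction = 'Stop'
            }
            $DeviceGuard = Get-CimInstance @query
        }

        # VirtualizationBasedSecurityStatus: 0, 1 or 2 as documented for the class.
        $status = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
        $statusText = switch ($status) {
            0       { 'Not enabled' }
            1       { 'Enabled but not running' }
            2       { 'Enabled and running' }
            default { "Unknown ($status)" }
        }

        # Service ID 2 in SecurityServices* is Hypervisor Enforced Code Integrity.
        [pscustomobject]@{
            ComputerName              = $env:COMPUTERNAME
            VbsStatus                 = $statusText
            VbsRunning                = ($status -eq 2)
            MemoryIntegrityConfigured = @($DeviceGuard.SecurityServicesConfigured) -contains 2
            MemoryIntegrityRunning    = @($DeviceGuard.SecurityServicesRunning) -contains 2
        }
    }
}

# Constructed sample: policy applied, but VBS is not active on the current boot.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    SecurityServicesConfigured        = @(2)
    SecurityServicesRunning           = @(0)
}
$sample | Get-VbsReadiness   # interpret the constructed sample
Get-VbsReadiness             # query the local device (Windows only)
```

A device that reports MemoryIntegrityConfigured as True but VbsRunning as False has received the setting without VBS being active, which is the state to watch for when monitoring a rollout.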
Additional information:
- Find step-by-step instructions to enable VBS and to validate and monitor enablement at Hotpatch readiness: Enable VBS at scale
- Dive deeper into Hotpatch updates
- Review the release notes for hotpatch on Windows 11, version 24H2 Enterprise clients
- Learn more from Hotpatch for client: Frequently asked questions and Windows Autopatch: Frequently asked questions