Diverging OS Build Numbers Due to Hotpatch: Avoiding False Non-Compliance in Windows 11 24H2 Devices

Diverging OS Build Numbers Due to Hotpatch: How to handle Intune Compliance for Windows Hotpatch

With Windows 11 25H2 now generally available, most enterprise organizations will be on their way to rolling out Windows 11 24H2 to their managed fleet of Windows devices, following the (n-1) approach to evergreen Windows servicing.

With this rollout of Windows 11 24H2, many organizations will also be adopting Windows 11 hotpatching to reduce reboots and improve patching efficiency.

This creates a new challenge for IT admins managing Intune compliance policies, especially when enforcing a minimum OS version requirement for Windows 11 24H2 devices.

The Problem: Same Month, Different Builds, Diverging OS Build Versions

Hotpatching is an update mechanism that applies security patches without requiring a full cumulative update or a reboot. Although this improves uptime and user experience, it has a side effect that you may notice across an enterprise fleet of managed Windows 11 24H2 devices:

Devices patched in the same month may report different OS build numbers.

For example, in a hotpatch-eligible month such as September:

  • a Windows 11 24H2 device that is not eligible for hotpatch receives the month's traditional cumulative B update and, after patching, runs build 26100.6584, while
  • a hotpatch-eligible Windows 11 24H2 device receives the month's hotpatch update and, after patching, runs build 26100.6508.

Notice that the hotpatched device reports a lower OS build number than the traditionally patched device.

This is because hotpatch updates apply only security fixes, in memory and without a reboot, and so increment the OS build number on a different track from traditional cumulative updates, which carry a broader set of fixes and are applied differently.

Such a discrepancy can result in devices being incorrectly flagged as non-compliant even though they are fully patched.

Diverging OS Build Numbers Due to Hotpatch: How to handle Intune compliance with Windows Hotpatch

Not every 24H2 device in the environment can be expected to be eligible for a given month's hotpatch update; ineligible devices receive that month's traditional cumulative B update instead. Why?

One of the criteria for a Windows 11 24H2 device to receive a hotpatch update is that it must already be on the latest baseline update. Consider a device that is re-imaged from an older Windows 11 24H2 ISO, or a new device provisioned out of the box: after provisioning, even if it is in scope for hotpatch updates, it is not eligible for the hotpatch-capable update because it is not on the latest baseline build, and it is offered the latest cumulative update instead.

Why It Matters

Intune evaluates compliance based on the reported OS build number. If your policy expects a specific build (e.g., 26100.6584), a hotpatched device on a different but equally secure build (e.g., 26100.6508) may be:

  • Blocked by Conditional Access
  • Reported as non-compliant
  • Subjected to unnecessary remediation

This leads to confusion, false alerts, and potential disruption for users and IT teams alike.

How to Handle Intune Compliance Going Forward

Ensure your compliance and security teams understand that build number divergence is expected in hotpatch environments and does not indicate a security gap.

Going forward, when updating the minimum OS version check in your Intune compliance policy each month, ensure that:

  • in baseline months (e.g., January, April, July, and October), all devices are expected to receive the same traditional cumulative update, so the policy can be set to that single build; however,
  • in the remaining months, hotpatch-eligible devices receive a hotpatch update and end up on a lower OS build number than non-eligible devices, which receive the traditional B update and end up on a higher build number. In these months the Intune compliance policy must be configured with the lower, hotpatch build number rather than the higher, traditional B update build number; otherwise your hotpatched devices will be flagged as non-compliant even though they are patched for the month.
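To make the rule above concrete, here is an added example (not Intune's own logic or any Microsoft code) that models a minimum-OS-version check over a small constructed fleet and shows why the policy floor must be the hotpatch build in non-baseline months. It assumes the full 10.0.<build>.<UBR> version string is compared numerically field by field; the device names and the stale build number are constructed, while the September builds are the ones quoted in this article.

```python
"""Model of how a minimum-OS-version compliance check treats hotpatched
vs. traditionally patched Windows 11 24H2 devices.

Added example for this article, not Microsoft's or Intune's implementation.
Assumption: versions are compared numerically, field by field, on the
full 10.0.<build>.<UBR> string.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'10.0.26100.6508' -> (10, 0, 26100, 6508) for numeric comparison."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class MonthlyBuilds:
    """Build numbers published for one month's 24H2 servicing."""
    standard: str            # traditional cumulative (B) update
    hotpatch: Optional[str]  # hotpatch update; None in a baseline month


def policy_minimum(month: MonthlyBuilds) -> str:
    """Minimum OS version to put in the compliance policy for the month.
    Hotpatched devices report the lower build, so the floor must be the
    lower of the two paths; a baseline month has only one build."""
    if month.hotpatch is None:
        return month.standard
    return min(month.standard, month.hotpatch, key=parse_version)


def is_compliant(reported_version: str, minimum: str) -> bool:
    """True when the device's reported version meets the policy floor."""
    return parse_version(reported_version) >= parse_version(minimum)


def evaluate_fleet(devices: dict, minimum: str) -> dict:
    """Per-device compliance result against one policy floor."""
    return {name: is_compliant(v, minimum) for name, v in devices.items()}


# Constructed sample fleet; both LAPTOP-* patched devices were fully patched in September.
SEPTEMBER = MonthlyBuilds(standard="10.0.26100.6584", hotpatch="10.0.26100.6508")
FLEET = {
    "LAPTOP-HOTPATCH": "10.0.26100.6508",  # hotpatch-eligible, took the hotpatch
    "LAPTOP-STANDARD": "10.0.26100.6584",  # re-imaged, took the full B update
    "LAPTOP-STALE": "10.0.26100.4000",     # constructed: missed the month entirely
}

if __name__ == "__main__":
    wrong = evaluate_fleet(FLEET, SEPTEMBER.standard)          # floor = B build
    right = evaluate_fleet(FLEET, policy_minimum(SEPTEMBER))  # floor = hotpatch build
    for name in FLEET:
        print(f"{name:16} floor=B build: {wrong[name]!s:5}  floor=hotpatch: {right[name]}")
```

With the floor set to the B build, the fully patched hotpatch device is reported non-compliant; with the floor set to the hotpatch build, only the genuinely stale device fails.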

Important considerations

If you choose not to use Autopatch, you will need to check Microsoft's release notes manually each month and update your compliance policies with the appropriate minimum OS build number for both the hotpatch and standard paths.

  • Baseline updates: The hotpatch cycle includes quarterly baseline updates, which behave like standard cumulative updates and do require a reboot. In these baseline months (e.g., January, April, July, and October), all devices will have the same, higher build number.
  • Release notes: Always check the official Windows release notes. Microsoft publishes separate build numbers for the hotpatch and standard cumulative updates each month.

Final Thoughts

Hotpatching is a leap forward in Windows update management, but it requires careful consideration in how we approach compliance. By staying informed, IT admins can ensure accurate compliance enforcement while embracing modern update mechanisms.