Windows security updates could come with fewer reboots beginning later this year

Image caption: A PC running Windows 11.

Microsoft is already testing Windows 11 24H2, this fall’s big new Windows release. The company has already demonstrated a few new features, like 80Gbps USB4 support and Sudo for Windows, and the new version could also give a significant refresh to the Windows installer for the first time since the Windows Vista days.

But there’s one big update you might not notice at all. Late last week, Microsoft released “servicing updates” with no new features to Windows Insiders in the Dev and Canary channels. The updates were “designed to test [Microsoft’s] servicing pipeline for Windows 11.” It’s pretty common for Insiders to get these kinds of updates-that-exist-only-to-test-the-update-process, but the twist here is that PCs with Virtualization Based Security (VBS) enabled could apply the update without rebooting.

Sources speaking to Windows Central say this isn’t a fluke—Microsoft reportedly intends to use a Windows Server feature called hotpatching to deliver more Windows 11 security updates without requiring a reboot, making it easier to stay up to date without disrupting whatever you’re doing. You’ll still need to reboot “every few months”—Microsoft’s documentation says a reboot is needed roughly once every three months, though it can happen more often than that for unanticipated zero-day patches and others that can’t be fixed via hotpatching. The Arm versions of Windows 11 also won’t get the feature for another year or so, according to Windows Central.

Still, that’s a big drop in the number of mandatory reboots you’ll experience, letting you avoid both disruption to your routine as you wait for updates to apply and the annoyance of sitting down at your PC in the morning only to discover that all of your apps closed overnight.

Currently, hotpatching is mainly a feature for virtual machines. Microsoft says it works by “patching the in-memory code of running processes without the need to restart the process” and without touching any of your running applications. Even though your Windows PC is running on physical hardware, enabling VBS places the OS under the hypervisor and isolates it from the rest of the hardware in a similar way, which is what lets hotpatching work on a physical machine too.

Any Windows 11 PC that meets the operating system’s install requirements should automatically have VBS enabled. You can check in the System Information app or by opening Windows Security, then Device Security, then selecting Core Isolation and checking whether the Memory Integrity toggle is on.
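The same state the Windows Security app shows can be read from PowerShell, which is handier for checking a fleet of machines before hotpatch-style updates arrive. This is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard CIM class that Windows exposes, and the function name Get-VbsStatus and the HotpatchPrereqMet field are my own naming.

```powershell
# Added example: query VBS and Memory Integrity (HVCI) state from PowerShell.
# Uses the Win32_DeviceGuard CIM class under root\Microsoft\Windows\DeviceGuard.
# Get-VbsStatus is a name chosen for this example; run it on a Windows 10/11 host.
function Get-VbsStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning lists the VBS-backed services that are active:
    #   1 = Credential Guard, 2 = HVCI (the "Memory Integrity" toggle in Windows Security)
    $hvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    $credGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        VbsStatusCode     = $dg.VirtualizationBasedSecurityStatus
        VbsRunning        = $vbsRunning
        MemoryIntegrity   = $hvciRunning
        CredentialGuard   = $credGuardRunning
        # The article says reboot-free updates depend on VBS being on, so this
        # field (my own label) flags whether that prerequisite is met.
        HotpatchPrereqMet = $vbsRunning
    }
}

# Report on the local machine; wrap in Invoke-Command to collect from many hosts.
Get-VbsStatus | Format-List
```

A host where VbsRunning is true but MemoryIntegrity is false has VBS on with the Memory Integrity toggle off, which the Windows Security app shows only indirectly.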

Most of the time, there’s no downside to leaving this feature enabled, though testing from Tom’s Hardware and others has shown that it can have a minor impact on gaming performance. The drop is usually in the low- to mid-single-digit range, depending on the game and settings, though this is enough that the conventional wisdom among PC gamers usually says to turn VBS off. If you disable VBS, you’ll still get all of Microsoft’s security updates; you’ll just have to keep rebooting at least once a month to install them.

https://arstechnica.com/?p=2005857