Hotpatch FAQ and updates

windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml

@@ -4,7 +4,7 @@ metadata:
   description: Answers to frequently asked questions about Windows Autopatch.
   ms.service: windows-client
   ms.topic: faq
-  ms.date: 03/31/2025
+  ms.date: 04/10/2025
   audience: itpro
   ms.localizationpriority: medium
   manager: aaroncz
@@ -97,6 +97,59 @@ sections:
       - question: Can I configure when to move to the next ring or is it controlled by Windows Autopatch?
         answer: |
           You're in full control over when updates are deployed to their devices. Autopatch groups will recommend a set of intelligent defaults but those are fully customizable so that you can achieve your desired rollout.
+  - name: Hotpatch updates
+    questions:
+      - question: What are the licensing requirements for hotpatch updates?
+        answer: |
+          Windows 11 Enterprise E3 or E5, Windows 11 Enterprise F3 or F5, Windows 11 Education A3 or A5, or a Windows 365 Enterprise license. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md).
+      - question: Can I still restart devices as often as I want?
+        answer: |
+          Yes, devices that install hotpatch updates are protected the moment the update is installed. However, if a user or your IT Admin wishes to restart the PC you can do it anytime. The device restarts and runs the hotpatch updates.
+      - question: Can I use hotpatch updates on Arm64 devices?
+        answer: |
+          Yes, hotpatch updates are available for Arm64 devices. For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](../manage/windows-autopatch-hotpatch-updates.md#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only)).
+      - question: What is the default hotpatch behavior on Windows Home or Pro devices?
+        answer: |
+          Hotpatch updates aren't available to Home or Pro devices. Hotpatching requires domain admin or group policy. It's available only via Windows Autopatch update policy, which includes Windows 365 Enterprise, E3/E5, F3 and A3/A5 licenses. 
+      - question: How do I enroll devices to receive hotpatch updates?
+        answer: |
+          For more information, see [Enroll devices to receive hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md#enroll-devices-to-receive-hotpatch-updates).
+      - question: What if some devices in my hotpatch policy aren't eligible for hotpatch updates?
+        answer: |
+          For more information on eligibility, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [ineligible devices](../manage/windows-autopatch-hotpatch-updates.md#ineligible-devices).
+      - question: How is hotpatching different for Windows 11 Enterprise and Windows Server 2025?
+        answer: |
+          For more information, see [Hotpatch on Windows 11 Enterprise or Windows Server 2025](../manage/windows-autopatch-hotpatch-updates.md#hotpatch-on-windows-11-enterprise-or-windows-server-2025).
+      - question: How can I tell which of my devices installed a hotpatch update?
+        answer: |
+          Devices receiving the hotpatch update have a different KB number tracking the release and a different OS version than devices receiving the standard update that requires a restart. The monthly KB release articles indicate if the KB installed is hotpatch capable and the corresponding OS version. The following Windows Update message appears “Great news! The latest security update was installed without a restart.”
+      - question: What if I restart a device after receiving a hotpatch update?
+        answer: |
+          The device stays on the hotpatch update KB/OS version after a restart. It won't receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update. 
+      - question: Do hotpatch updates only update common system binaries loaded in third-party processes or only Microsoft processes?
+        answer: |
+          Hotpatch updates aren't limited to Microsoft processes. Hotpatch updates are only created for OS binaries. Any process loading OS binaries that have hotpatch updates installed are updated before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll. 
+      - question: How can I find out if a hotpatch update was applied to the specific DLL?
+        answer: | 
+          You can see the hotpatch modules in the memory dump. Symbols for hotpatched DLLs depend on the function that receives the update. Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols).  
+      - question: Are there kernel-mode hotpatch updates?
+        answer: |
+          Yes, there are kernel-mode hotpatch updates.
+      - question: What does a failure to apply a hotpatch update look like?
+        answer: |
+          Hotpatch failures are the same as CBS failures when installing other KBs (not enough disk space or download errors for example). In addition, hotpatch update errors are recorded in the event logs. Search the system log for the keyword “hotpatch” to see if your system encountered any errors.
+      - question: Can you switch from hotpatch update to the Standard Windows monthly updates?
+        answer: |
+          Yes, you can. You can manually download the standard Windows monthly update from the Microsoft Update Catalog. In this case, the device stops receiving hotpatch updates and receives standard Windows updates until the month after the next baseline update. Since the device is still enrolled in hotpatching, the device automatically rejoins the hotpatch cadence of updates after the update is released on the baseline month.
+      - question: How do hotpatch update events show up in audit logs?
+        answer: |
+          Process explorer shows it loaded in memory OS ``<binary name>_hotpatch`` loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload. 
+      - question: Can I get security alerts through Event Tracing for Windows (ETW) about hotpatch updates?
+        answer: |
+          Hotpatch events are captured in the audit log. Search for “hotpatch” in the audit log to find related errors if any were captured.
+      - question: Do I need to test hotpatch updates if I already test monthly updates?
+        answer: |
+          You should test hotpatch updates when released 8 times a year (according to plan) and the regular monthly updates 12 times a year. There are no hotpatch updates for you to test in January (1B), April (4B), July (7B), or October (10B).
   - name: Support
     questions:
       - question: Does Windows Autopatch Support Dual Scan for Windows Update?