From 22aa9a423c388fc59375252158b8c510a6559188 Mon Sep 17 00:00:00 2001 From: David Callaghan Date: Tue, 17 Dec 2024 11:07:49 -0800 Subject: [PATCH 1/6] Update windows-autopatch-hotpatch-updates.md Adding important device OS prerequisites that prevent devices from installing updates and not being secure. --- .../windows-autopatch-hotpatch-updates.md | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index cd65318f7f..76c71d2c57 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 12/17/2024 +ms.date: 11/19/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
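Review bot: The `ms.date` change in the `@@ -1,7 +1,7 @@` hunk moves the date backward, from `12/17/2024` to `11/19/2024`, even though this commit is dated 17 Dec 2024; that looks like a stale-branch artifact rather than an intended edit. Drop this hunk, or set `ms.date` to the date of this edit, so the page's freshness metadata does not regress while the content is being updated.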
@@ -30,17 +30,30 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies. - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. +## Operating system configuration prerequisites +To prepare a device to receive hotpatch updates, configure the following device-side operating system settings. Failure to configure these settings will result in the device not being offered the hotpatch update or being unable to apply all the hotpatch updates, leaving some vulnerabilities unmitigated. + +### Virtualization based security (VBS) +VBS must be enabled for a device to be offered hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). + +### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) +The following requirement only appies to Arm 64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder. In order to ensure all the hotpatch updates take effect, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting will persist through updates. 
To disable CHPE, set the following registry key: +Path: **HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management** +Key value: **HotPatchRestrictions=1** + +> [!IMPORTANT:] +> This setting is required becuase it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance so you excluding them may impact performance or compatibility. Be sure to > test application compatibility or performance impacts before rolling out hotpatch updates widely on Arm 64 CPU based devices. + +If you choose to no longer use Hotpatch updates you can clear the flag (HotPatchRestrictions=0) and restart the computer which will reenable CHPE usage. + ## Eligible devices To benefit from Hotpatch updates, devices must meet the following prerequisites: - Operating System: Devices must be running Windows 11 24H2 or later. -- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. For more information on how to set and detect if VBS is enabled, see [Virtualization-based Security](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). +- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. - Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). -> [!NOTE] -> Hotpatch is available on Windows Server. 
For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). - ## Ineligible devices Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases. @@ -48,7 +61,7 @@ Devices that don't meet one or more prerequisites automatically receive the Late LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant. > [!NOTE] -> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.

For **ARM64 devices**, Compiled Hybrid PE Usage (CHPE) is turned on by default. You must turn off CHPE to receive regular LCU to keep your ARM64 device compliant and secure.

+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings. ## Release cycles From 6d0fa75a3079518865557312087d5ffc8e1c858a Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:51:04 -0800 Subject: [PATCH 2/6] Update windows-autopatch-hotpatch-updates.md Fixed broken links and a bunch of style/grammar. --- .../windows-autopatch-hotpatch-updates.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 76c71d2c57..5e16a7ada2 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
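Review bot: In the `@@ -30,17 +30,30 @@` hunk of PATCH 1/6, the new Arm 64 subsection has markup that will not render plus several typos: `> [!IMPORTANT:]` carries a stray colon (the alert syntax used elsewhere in this file is `> [!NOTE]`), the sentence `Be sure to > test application compatibility` has a stray `>` in the middle of the line, and `appies`, `becuase` and `insetad` need fixing. The VBS link is written as an absolute `https://learn.microsoft.com/en-us/...` URL with a locale, while the link it replaces in the Eligible devices list and the other links in this file are site-relative; keep it site-relative. The registry instruction gives `HotPatchRestrictions=1` under the `Memory Management` key but never states the value's data type; say which type the value must be so a reader does not create it as a string. The Windows Server `[!NOTE]` and its link are also deleted without the commit message mentioning it; confirm that removal is intended.

Review bot: The `@@ -48,7 +61,7 @@` hunk of PATCH 1/6 removes the sentence telling Arm64 readers that CHPE must be turned off `to receive regular LCU`, while the new prerequisites section in the previous hunk says the flag only matters `when using hotpatch updates` and that a device without it may be `unable to apply all the hotpatch updates, leaving some vulnerabilities unmitigated`. That conflicts with the unchanged Ineligible devices text, which says devices failing a prerequisite `automatically receive the Latest Cumulative Update (LCU)`. State explicitly whether CHPE state is an eligibility check (the device falls back to the LCU and stays compliant) or not (the device is offered the hotpatch and silently stays partially unpatched); as written, an Arm64 admin cannot tell which outcome to expect.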
@@ -31,20 +31,23 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. ## Operating system configuration prerequisites -To prepare a device to receive hotpatch updates, configure the following device-side operating system settings. Failure to configure these settings will result in the device not being offered the hotpatch update or being unable to apply all the hotpatch updates, leaving some vulnerabilities unmitigated. + +To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates. ### Virtualization based security (VBS) -VBS must be enabled for a device to be offered hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). + +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) -The following requirement only appies to Arm 64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder. In order to ensure all the hotpatch updates take effect, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. 
The registry setting will persist through updates. To disable CHPE, set the following registry key: -Path: **HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management** -Key value: **HotPatchRestrictions=1** + +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key: +Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` +Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] -> This setting is required becuase it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance so you excluding them may impact performance or compatibility. Be sure to > test application compatibility or performance impacts before rolling out hotpatch updates widely on Arm 64 CPU based devices. +> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use Hotpatch updates you can clear the flag (HotPatchRestrictions=0) and restart the computer which will reenable CHPE usage. +If you choose to no longer use hotpatch updates you can clear the flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices 
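Review bot: In the `@@ -31,20 +31,23 @@` hunk of PATCH 2/6, wrapping the registry path and value in both backticks and bold (`` `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` ``) renders the asterisks literally inside the code span; use one or the other. The same hunk keeps `> [!IMPORTANT:]` with the stray colon and `insetad` in its replacement line, so the alert still will not render as an alert. The reworded prerequisite sentence also drops the original's statement of consequence (`leaving some vulnerabilities unmitigated`); one short sentence on what happens when these settings are missing is what makes an admin prioritise them, so consider keeping it.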
@@ -83,7 +86,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea 1. Go to the **Quality updates** tab. 1. Select **Create**, and select **Windows quality update policy (preview)**. 1. Under the **Basics** section, enter a name for your new policy and select Next. -1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**. +1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. 1. Select the appropriate Scope tags or leave as Default and select **Next**. 1. Assign the devices to the policy and select **Next**. 1. Review the policy and select **Create**. From 2f52fff7844b4ea8643be4c5d5732c3645dd8000 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:55:22 -0800 Subject: [PATCH 3/6] Update windows-autopatch-hotpatch-updates.md Style/grammar/specificity tweak. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 5e16a7ada2..bb9a220536 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
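Review bot: In the `@@ -83,7 +86,7 @@` hunk of PATCH 2/6, the setting name in the replacement line, `**"When available, apply without restarting the device ("Hotpatch")**`, has an opening double quote with no closing one, and the capitalisation of `Hotpatch` inside the quoted label is changed; that string is an Intune UI label, so it should match the portal text exactly rather than the page's own style rule. Verify the label against the portal and close the quote, for example `**When available, apply without restarting the device ("Hotpatch")**`.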
@@ -47,7 +47,7 @@ Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] > This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use hotpatch updates you can clear the flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. +If you choose to no longer use Hotpatch updates you can clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices From ee2c677fae74dc0aab1df1bc2839860d523ee848 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:33:43 -0800 Subject: [PATCH 4/6] Update windows-autopatch-hotpatch-updates.md Tweak --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index bb9a220536..6f86ba7eb0 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
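Review bot: The replacement line in the `@@ -47,7 +47,7 @@` hunk of PATCH 3/6 introduces a new typo, `disasble flag`, which then survives PATCH 4/6 through PATCH 6/6; change it to `disable flag`. The context line above it still carries `insetad`, which this series also never fixes.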
@@ -47,7 +47,7 @@ Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] > This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. -If you choose to no longer use Hotpatch updates you can clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. +If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. ## Eligible devices From 14237d08e59d64e557e5290fd1980c4f7cb99261 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:36:50 -0800 Subject: [PATCH 5/6] Update windows-autopatch-hotpatch-updates.md More grammar and style tweaks. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 6f86ba7eb0..28ff8a692c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
@@ -36,7 +36,7 @@ To prepare a device to receive Hotpatch updates, configure the following operati ### Virtualization based security (VBS) -VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect VBS enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) From b2f300aac1748861ab7bc229947ba002e2c1d941 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 17 Dec 2024 13:43:51 -0800 Subject: [PATCH 6/6] Update windows-autopatch-hotpatch-updates.md Hopefully last one. --- .../manage/windows-autopatch-hotpatch-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 28ff8a692c..efb01d9aa2 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md 
@@ -45,7 +45,7 @@ Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management Key value: `**HotPatchRestrictions=1**` > [!IMPORTANT:] -> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out hotpatch updates widely on Arm 64 CPU based devices. +> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
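Review bot: After the `@@ -45,7 +45,7 @@` hunk of PATCH 6/6 the IMPORTANT block still contains `insetad` and still opens with `> [!IMPORTANT:]` (stray colon), and the following context line still reads `disasble flag`; since this is the last patch in the series, all three land in the published page. Fix them here, and split the run-on `CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility` into two sentences while the line is being touched.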