Merge branch 'main' into ADO-9517656-Update-for-Business

Gary Moore
2024-12-31 18:08:41 -08:00
8 changed files with 37 additions and 12 deletions

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/14/2024
ms.date: 12/27/2024
---
# Manage additional Windows Update settings
@ -300,7 +300,7 @@ On new devices, Windows Update doesn't begin installing background updates until
In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
- **Registry key**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator`
- **DWORD value name**: ScanBeforeInitialLogonAllowed
- **Value data**: 1
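Review bot: The registry key is now in code formatting, but the value name `ScanBeforeInitialLogonAllowed` and the data `1` in the next two bullets are still plain text; put them in backticks as well so the three bullets are consistent and the name can be copied exactly. The unchanged lead-in sentence also has a subject-verb mismatch ("setting the following registry values allow"); changing it to "allows" while this paragraph is being edited would fix it.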

View File

@ -257,6 +257,7 @@ The PnP enumerated device is removed from the System Spec because one of the har
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
| `0x80070020` | `InstallFileLocked`| Couldn't access the file because it is already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware or backup program is currently scanning. |
| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.
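Review bot: The `0x80070020` row closes with a trailing `|`, while the `0x80240001` to `0x80240003` rows below it do not; pick one style so the table source is consistent. Its message `InstallFileLocked` also does not follow the `WU_E_` naming of the neighbouring rows, and the code sits outside their `0x8024` range, so confirm this table is the right place for it and that the name matches what the logs actually show.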

View File

@ -159,7 +159,8 @@ Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates
The **Update status** group for driver updates contains the following items:
- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
- **Update states for all driver updates**: Chart containing the number of driver updates in a specific state, such as installing.
- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
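Review bot: **Distribution of Driver Classes** is in title case while the other items in this list use sentence case ("Update states for all driver updates", "Update alerts for all driver updates"); match the casing to the chart's label in the report, and to its siblings if the label allows. The reworded first bullet now counts driver updates rather than devices, while the new bullet counts "drivers"; check that each description names the unit its chart actually plots.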

View File

@ -30,6 +30,25 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
## Operating system configuration prerequisites
To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
### Virtualization based security (VBS)
VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
Key value: `**HotPatchRestrictions=1**`
> [!IMPORTANT:]
> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
## Eligible devices
To benefit from Hotpatch updates, devices must meet the following prerequisites:
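Review bot: `> [!IMPORTANT:]` has a stray colon inside the brackets, so the note will not render as an Important alert; it should read `> [!IMPORTANT]`. In the same section, "insetad" and "disasble" are typos for "instead" and "disable", and "improve performance, excluding the CHPE binaries might affect" is a comma splice that needs a full stop or semicolon. The Path and Key value lines wrap bold markers inside backticks (`**HotPatchRestrictions=1**`), which prints the asterisks literally; keep the backticks and drop the `**`. The text says "set the following registry key" although `HotPatchRestrictions` is a value under that key, and the value type is not given; state the type so the setting can be scripted without guessing. "Arm 64" is repeated in both the heading and its parenthetical ("(Arm 64 CPU Only)"); one of the two is enough.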
@ -67,7 +86,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea
1. Go to the **Quality updates** tab.
1. Select **Create**, and select **Windows quality update policy (preview)**.
1. Under the **Basics** section, enter a name for your new policy and select Next.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
1. Select the appropriate Scope tags or leave as Default and select **Next**.
1. Assign the devices to the policy and select **Next**.
1. Review the policy and select **Create**.
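Review bot: The bold setting name in the **Settings** step opens with a double quote before "When available" that is never closed (`**"When available, apply without restarting the device ("Hotpatch")**`); either drop the leading quote or close it before the final `**`, matching the label as it appears in the admin center. In the **Basics** step, "select Next" is the only Next in this list that is not bold.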