Event banner
Event details
36 Comments
Looping back to my post from last months event: we have done further testing and can confirm that once a windows insider device which usually has 'Preview' patches ("D" Release) applied has Hotpatching enabled, they no longer receive "D" release patches and only receive "B" release patches. It's making me think that we enable Hotpatching for our estate and exclude a test group of IT staff who will remain on the insider preview and continue to receive "D" release patches.
Last month it was suggested that there was no direct link between the two configurations, but it seems there is. I submitted Feedback as suggested but as yet haven't heard anything back.
Also on the subject of Hotpatching I see that to get it working on ARM64 devices you need to disable compiled hybrid PE usage (CHPE) as it is enabled by default - Hotpatch for client: Frequently asked questions - Windows IT Pro Blog
This can be done by manually setting the reg key as documented on the above link. We have had some pushback from members of our IT dept who are rightly hesitant to disable this without being fully aware of any potential impacts, are you able to offer any more guidance or reassurance on this? I am keen to enable Hotpatching as I think it will bring real benefits in terms of bandwidth usage reductions and reduced user downtime without having to reboot 8 of the 12 months to be fully protected, however we are looking to shift more towards ARM64 devices and a reg tweak on these just doesn't feel right.
- EricMoe
Microsoft
Hi nlmitchell - thank you for the feedback on D/B policy behavior. In terms of CHPE, some better news that a reg key. We now have a preview CSP to DisableCHPE, System Policy CSP | Microsoft Learn so no need to manually adjust the registry. In terms of impacts, we just published a great Hotpatch FAQ this week. Check out Hotpatch for client: Frequently asked questions - Windows IT Pro Blog for full details, but we do answer the question on impact of disabilng CHPE, which I've copied into here:
What's the impact of disabling CHPE on end-user experience on Arm64 devices?
For Arm64 devices, we recommend testing hotpatch updates with CHPE disabled. The expectation is a fully working system with acceptable performance and application compatibility. As an IT admin, you have the choice to use hotpatch updates or standard updates. If you choose to disable CHPE, the device is eligible to receive hotpatch updates. If CHPE is enabled, the device is only eligible to receive standard updates.
Thanks for the response EricMoe​ , I had in fact read through that article that you mention above, very informative.
I guess the best way would be to apply the config to a few of our Arm devices to see what happens, the phrase "acceptable performance and application compatibility" does make me somewhat wary mind you. That seems to suggest that the performance of the device won't be as good as it would be if you were to leave CHPE enabled??
Enabling it for Intel based devices seems a no brainer for me at the moment. I can feel an EID group with dynamic membership based on architecture coming on here :-)
I am using Intune Feature updates to get our Windows 11 23H2 to Windows 11 24H2. I have had some cases where the update will fail but not sure why. Looking in the registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators I find both the GE24H2 and GE24H2Setup folders. Looking online it wasn't clear how to find the issue so I am hoping there is a log file or maybe a report in Intune that could shed some light on the issue.
- EricMoe
Hi reastman1966, great question, and here's where you can go for more information:
In the Intune portal, navigate to the Devices blade, then Manage Updates and Windows Updates. Select the Monitor tab. You will see the option for a monitoring report called "Feature update policies with alerts." If there is an error with the update (e.g. setup.exe ran but ended in error) it should include details on the error code and what action you should take as an administrator.
If there are no errors, that would mean that setup didn't get to the point of running. Check your device's registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\GE24H2 to see if there is a GatedBlockId. In that case, there isn't a failure, but rather a safeguard hold that is keeping the update from being offered (so setup never runs).
I am working on using Multi app Kiosk Mode on Windows 11. Found that the GUI in the Intune portal only works for Windows 10 so I have been forced to use an XML file to get it to work on Windows 11. The kiosk will autopatch fine but after the fact apps and Windows patches will not apply. The only thing that appears to work is the basic things like fresh start and update the start menu. Not able to add apps after it is in Kiosk mode.
- EricMoe
Hi reastman1996, check out Quickstart: Configure a Restricted User Experience With Assigned Access | Microsoft Learn for how to configure a multi-app kiosk. Yes, you need to use an XML file to get it to properly work on Win 11.
When you say it autopatches fine but afterwards Windows patches do not apply, did you mean to say it Autopilots fine? Just trying to understand the second issue you mention.
How do we configure New Teams to launch automatically at sign in for users signing in to a workstation for the first time?
I recognize there are a number of ways an admin could make this happen, but I want to know the method which is officially supported by Microsoft. In particular, it must respect the end user's selection if they later uncheck "Auto-start Teams" in the Teams settings, and it must not change this setting for any existing user.
(In the blog post announcing the release of the TeamsBootstrapper.exe utility for deploying the New Teams client for Windows, it says "Auto start" is an "upcoming feature", but that was over a year ago and there is no reference to this feature at the Microsoft Learn article.)
How to install patches on windows machines remotely using Powershell
- EricMoe
Hi Charanmahadevu12, have you looked at Searching, Downloading, and Installing Updates - Win32 apps | Microsoft Learn -- assuming you have no other options for installing updates, this could be a way to do it. Obviously we recommend using Autopatch to do the updates, so what is the scenario in which you would be left with only using Powershell?
