Windows Server Hotpatching is here!
Published Feb 16 2022 11:01 AM
Microsoft

Heya folks, Ned Pyle & Nick Washburn here with a big announcement: Hotpatching is now generally available as part of Azure Automanage for Windows Server. This capability lets you patch and install updates on your Windows Server 2022 Datacenter: Azure Edition (Core) virtual machines in Azure without a reboot! Together with Azure Automanage and the included Azure-orchestrated patching, keeping your VMs up to date is easier and faster than ever.

 

How hotpatching works  

Hotpatching is a new way to install updates on a Windows Server 2022 Datacenter: Azure Edition (Core) VM that doesn't require a reboot after installation: it patches the in-memory code of running processes without restarting them. In the future, we plan to add Hotpatch support to the Desktop Experience installation and, more broadly, beyond the server ecosystem. Server Core is our starting point because hotpatching requires a large logistical and development effort, and Server Core has the smallest patching footprint, which is why it came to market first.

 

Some of the benefits of running a Windows Server Azure Edition VM with hotpatching include:  

 

  • Higher availability with fewer reboots  
  • Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager  
  • Better protection, as Hotpatch packages install faster without the need to schedule a reboot, decreasing the “window of vulnerability” after a Windows security update is released  

 

Hotpatching covers Windows security updates and maintains parity with the content of security updates issued in the regular (non-Hotpatch) Windows Update channel. Hotpatching works by first establishing a baseline with a Windows Update Latest Cumulative Update.  

 

[Image: 01-hotpatch-sample-schedule.png, the hotpatch release schedule]

 

We release hotpatches monthly (on the second Tuesday of the month) that build on that baseline; hotpatches do not require a reboot. Periodically (starting at every three months), the baseline is refreshed with a new Latest Cumulative Update (LCU), and installing a new baseline does require a reboot.

 

There are two types of baselines: Planned baselines and unplanned baselines.

 

  • Planned baselines are released on a regular cadence, with hotpatch releases in between. Planned baselines include all the updates in a comparable Latest Cumulative Update for that month and require a reboot.
    • The sample schedule above illustrates four planned baseline releases in a calendar year (five total in the diagram), and eight hotpatch releases.
  • Unplanned baselines are released when an important update (such as a zero-day fix) is released, and that particular update can't be released as a Hotpatch. When unplanned baselines are released, a hotpatch release will be replaced with an unplanned baseline in that month. Unplanned baselines also include all the updates in a comparable Latest Cumulative Update for that month, and also require a reboot.
    • The sample schedule above illustrates two unplanned baselines that would replace the hotpatch releases for those months (the actual number of unplanned baselines in a year isn't known in advance).

There are some important considerations when running an Azure Edition VM with hotpatching. Reboots are still required to install updates that are not included in the Hotpatch program, and a reboot is required each time a new baseline is installed, to keep the VM in sync with the patches included in the LCU.

 

Should you need to install an update outside the Hotpatch program, you can disable and unenroll hotpatching on a VM, which reverts it to typical update behavior for Windows Server. You can re-enroll the VM in hotpatching at a later time.
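The unenroll and re-enroll step above, as an added example that is not part of the original post: it toggles the hotpatch setting on an existing VM with Az PowerShell and then reads the setting back from Azure Resource Manager rather than trusting the local object. The resource group and VM names are placeholders I chose; the check that PatchMode is AutomaticByPlatform reflects the requirement that hotpatching only works together with Azure-orchestrated patching.

```powershell
# Added example, not from the original post: temporarily unenroll a VM from
# hotpatching so an update that is not offered as a hotpatch can be installed
# with a normal reboot, then re-enroll it. Resource group and VM names are
# assumed placeholders; requires Az.Accounts + Az.Compute and Connect-AzAccount.

function Set-VmHotpatchState {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [bool]   $Enabled
    )

    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    $patch = $vm.OSProfile.WindowsConfiguration.PatchSettings
    if ($null -eq $patch) {
        throw "VM '$Name' has no Windows patch settings; is it a Windows VM?"
    }

    # Hotpatching is only valid together with Azure-orchestrated patching
    # (PatchMode 'AutomaticByPlatform'); ARM rejects other combinations.
    if ($Enabled -and $patch.PatchMode -ne 'AutomaticByPlatform') {
        throw "Hotpatching requires PatchMode 'AutomaticByPlatform' (current: '$($patch.PatchMode)')."
    }

    $patch.EnableHotpatching = $Enabled
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm | Out-Null

    # Re-read from ARM instead of trusting the local object: this is what the
    # portal's Hotpatch status reflects.
    $after = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    return $after.OSProfile.WindowsConfiguration.PatchSettings.EnableHotpatching
}

$rg     = 'rg-hotpatch-demo'   # assumed placeholder
$vmName = 'vm-ws2022-core'     # assumed placeholder

# 1. Unenroll; the VM now follows ordinary Windows Server update behaviour.
Set-VmHotpatchState -ResourceGroupName $rg -Name $vmName -Enabled $false

# 2. Install the out-of-band update through your normal channel and reboot.
#    (Not shown: the install itself depends on how that update is distributed.)

# 3. Re-enroll once the VM is back up to date.
Set-VmHotpatchState -ResourceGroupName $rg -Name $vmName -Enabled $true
```

Each call returns the value ARM now holds for EnableHotpatching, so a wrapper script can assert on it before moving on to the next VM.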

 

Nick and Thomas Maurer, Cloud Advocate from the IT Ops Talk team (who also has a great post on Hotpatching), have a demo and discussion of this feature.
Let's do a quick walkthrough:

 

How to create a new Virtual Machine with Hotpatch

  1. Create a VM from Azure Portal
    1. Select Virtual machines under Azure services
    2. Select Create > Virtual machine on the menu bar
  2. Supply basic VM details, with the following considerations:
    • Ensure that Windows Server 2022 Datacenter: Azure Edition (Core) is selected in the Image dropdown
    • On the Management tab, scroll down to the ‘Guest OS updates’ section. You should see Hotpatching set to On, and Patch installation defaulted to Azure-orchestrated patching.
[Image: 02-vm-create-enable-hotpatch.png, the Azure Portal hotpatch enable checkbox]

 

TIP: If you create your VM starting from this link, you can preview Azure Automanage machine best practices together with Hotpatch on your Azure Edition VM.  Just enable Azure Automanage from the Management tab during VM creation to automate common VM operations and onboard select best practices Azure services.  Learn more about Azure Automanage best practices here.
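The same VM creation done with Az PowerShell instead of the portal, added here as an example (not code from the original post). The resource group, region, VM size and address ranges are assumed placeholders; the image SKU name 2022-datacenter-azure-edition-core is the marketplace name of the image the walkthrough selects, and the SKU check up front catches regions where that image is not offered. No public IP is attached, so the VM is reached over Bastion or a peered network.

```powershell
# Added example, not from the original post: the portal walkthrough above done
# with Az PowerShell. All names, the region, the VM size and the address ranges
# are assumed placeholders; requires Az.Accounts, Az.Resources, Az.Network,
# Az.Compute and an authenticated session (Connect-AzAccount).

$rg       = 'rg-hotpatch-demo'   # assumed placeholder
$location = 'eastus'             # assumed placeholder
$vmName   = 'vm-ws2022-core'     # assumed placeholder
$cred     = Get-Credential -Message 'Local administrator for the new VM'

# The SKU is what the portal lists as
# "Windows Server 2022 Datacenter: Azure Edition (Core)". Check it is offered
# in the region before building anything.
$sku     = '2022-datacenter-azure-edition-core'
$offered = Get-AzVMImageSku -Location $location -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' |
    Where-Object Skus -eq $sku
if (-not $offered) { throw "Image SKU '$sku' is not available in $location." }

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Private-only network: no public IP; reach the VM over Bastion or a peered VNet.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.10.0.0/24'
$vnet   = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name "$vmName-vnet" `
              -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$nic    = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name "$vmName-nic" `
              -SubnetId $vnet.Subnets[0].Id

# PatchMode 'AutomaticByPlatform' is the portal's "Azure-orchestrated patching".
# -EnableHotpatching is only accepted in that mode and on this image SKU, and
# AutomaticByPlatform itself requires the VM agent and automatic updates on.
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3' |
    Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred `
        -ProvisionVMAgent -EnableAutoUpdate -PatchMode 'AutomaticByPlatform' -EnableHotpatching |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus $sku -Version 'latest' |
    Set-AzVMOSDisk -Name "$vmName-osdisk" -CreateOption FromImage -StorageAccountType 'Premium_LRS' |
    Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Verify what ARM recorded; this is what the Guest + host updates blade shows.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm.OSProfile.WindowsConfiguration.PatchSettings |
    Select-Object PatchMode, EnableHotpatching, AssessmentMode
```

The final Select-Object should show PatchMode AutomaticByPlatform and EnableHotpatching True; if EnableHotpatching is empty, the image SKU or patch mode did not satisfy the hotpatch prerequisites and the VM was created without it.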

 

Managing Hotpatch

After your VM has been created, you can view the status of Hotpatching on the Guest + host updates blade in the Azure Portal.

 

[Image: 03-guest-host-updates.png, the Azure Portal hotpatch button]

 

Click the Go to Hotpatch (Preview) button.

 

[Image: 04-hotpatch-status.png, the Azure Portal Updates preview for hotpatching]

 

This screen shows the Hotpatch status of your VM.

Azure-orchestrated patching is enabled by default, so the status of hotpatching and any detected errors are displayed automatically. As an example, one status indicator shows that the hotpatching feature has been turned On for the VM but the latest patch assessment has not yet been run.

 

More about Azure orchestrated patching

All new VMs created with the Windows Server 2022 Datacenter: Azure Edition (Core) image will have hotpatching turned on and Azure-orchestrated patching enabled.

 

For any Windows VM that has Azure orchestrated patching enabled:

 

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours in the VM's time zone.
  • Patch orchestration is managed by Azure and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.
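An added example (not from the original post) that runs on demand what Azure-orchestrated patching does on its own schedule: an assessment, which also refreshes the "last patch assessment" the Hotpatch status page reports, followed by an installation restricted to the Critical and Security classifications, with RebootSetting Never so nothing forces a restart outside a maintenance window. Resource group and VM names are placeholders; the -ExcludeKBsRequiringReboot switch is my choice to keep reboot-requiring content such as a new baseline LCU out of a no-reboot run, and the property names follow the result objects of the Az.Compute cmdlets Invoke-AzVMAssessPatches and Invoke-AzVMInstallPatch.

```powershell
# Added example, not from the original post: assess, then install only
# Critical/Security updates with a reboot forbidden, and surface whatever is
# left over as the reboot backlog. Names are assumed placeholders; requires
# Az.Compute and an authenticated session (Connect-AzAccount).

$rg     = 'rg-hotpatch-demo'   # assumed placeholder
$vmName = 'vm-ws2022-core'     # assumed placeholder

# 1. Assessment. This is the "latest patch assessment" the portal status
#    refers to; an hotpatch-enabled VM with no assessment shows a warning.
$assess = Invoke-AzVMAssessPatches -ResourceGroupName $rg -VMName $vmName
if ($assess.Status -ne 'Succeeded') {
    throw "Assessment failed on ${vmName}: $($assess.Error.Message)"
}
"Critical/Security pending: $($assess.CriticalAndSecurityPatchCount); other: $($assess.OtherPatchCount); reboot already pending: $($assess.RebootPending)"
$assess.AvailablePatches |
    Select-Object KbId, Name, Classifications, RebootBehavior |
    Format-Table -AutoSize

# 2. Install with reboot forbidden. -ExcludeKBsRequiringReboot (my choice)
#    keeps a baseline LCU, or any other reboot-requiring update, out of a run
#    that is not allowed to restart, where it would otherwise sit half-applied.
$result = Invoke-AzVMInstallPatch -ResourceGroupName $rg -VMName $vmName -Windows `
    -MaximumDuration 'PT2H' -RebootSetting 'Never' `
    -ClassificationToIncludeForWindows 'Critical', 'Security' `
    -ExcludeKBsRequiringReboot

"Install status: $($result.Status); installed=$($result.InstalledPatchCount) failed=$($result.FailedPatchCount) excluded=$($result.ExcludedPatchCount) pending=$($result.PendingPatchCount)"

# 3. Whatever was excluded or is still pending is the reboot backlog (for
#    example a planned or unplanned baseline). Schedule it instead of leaving
#    the window of vulnerability open.
if ($result.RebootStatus -eq 'Required' -or
    $result.PendingPatchCount -gt 0 -or
    $result.ExcludedPatchCount -gt 0) {
    Write-Warning "Reboot-requiring updates remain on $vmName; schedule a restart in your maintenance window."
}
if ($result.FailedPatchCount -gt 0) {
    $result.Patches | Where-Object InstallationState -eq 'Failed' |
        Select-Object KbId, Name, InstallationState | Format-Table -AutoSize
}
```

Run the assessment alone first on a new VM: if AvailablePatches is empty and RebootPending is false, the VM is already on the current baseline and the install step has nothing to do.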

 

What to expect from a VM with Hotpatch enabled

You will be able to configure Hotpatch updates to install immediately or as part of a schedule. We recommend using Azure Update Management to configure a separate schedule with a faster cadence for installing Hotpatch updates, alongside the schedule for other types of updates.

Because Hotpatch patches the in-memory code of running processes without restarting them, the patching process itself does not interrupt your applications. Note that this is separate from any performance or functionality implications of the patch content itself.

 

Create a VM with Hotpatch today!

To wrap up, we are excited to bring Hotpatch, a way to install updates without rebooting your VM, to the Azure public cloud.
Until next time,

 

- Ned & Nick

Last update: Mar 16 2022 01:04 PM