Microsoft announces hotpatching for Windows Server Azure virtual machines

Microsoft announced the general availability of hotpatching for Windows Server Azure Edition primary virtual machines, allowing administrators to install Windows security updates on supported virtual machines without requiring a server restart.

The feature works with newly deployed Azure VMs running Windows Server 2022 Datacenter: Azure Edition Core Gen2 images and is available in all Azure regions globally.

“Hotpatching is a new way to install updates on a Windows Server 2022 Datacenter: Azure Edition (Core) virtual machine that does not require a restart after installation, by patching the in-memory code of running processes. execution without having to restart the process,” said Ned Pyle, senior program manager in the Microsoft Windows Server engineering group.

“Hotpatching covers Windows security updates and maintains parity with the content of security updates released in the regular (non-Hotpatch) Windows Update channel. Hotpatching works by first establishing a baseline reference with a latest cumulative update from Windows Update.”

The benefits of using hotpatching to keep your Windows Server 2022 Azure VMs up to date and secure include:

  • Increased availability with fewer reboots
  • Faster deployment of updates as packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
  • Better protection, as Hotpatch packages install faster without the need to schedule a reboot, reducing the “vulnerability window” after a Windows security update is released

It is important to mention that servers will still require reboots after installing updates provided through the regular (non-Hotpatch) Windows update channel that are not included in the Hotpatch program.

Examples of patches that cannot be installed without a restart include non-Windows updates (such as .NET patches) and non-security updates released for Windows.

Reboots will also be required periodically after installing a new baseline to synchronize VMs with non-security fixes included in the latest Windows Cumulative Update.

“Baselines (which require a restart) will start on a three-month cadence and increase over time,” Microsoft explains.

“If you need to install an update outside of the Hotpatch program, you can disable and unregister hotpatching on a VM and revert to typical VM update behavior for Windows Server. You can re-register hotpatching VM later,” Pyle added.

You can find more details on how you can patch your Windows Server Azure VMs in this blog post or on this Microsoft Docs page.

Comments are closed.