Microsoft announces hotpatching for Windows Server Azure VMs

Microsoft announced the general availability of hotpatching for Windows Server Azure Edition core virtual machines allowing admins to install Windows security updates on supported VMs without requiring server restarts.

The feature works with newly deployed Azure virtual machines running Windows Server 2022 Datacenter: Azure Edition Core Gen2 images and is available in all global Azure regions.

“Hotpatching is a new way to install updates on a Windows Server 2022 Datacenter: Azure Edition (Core) VM that doesn’t require a reboot after installation, by patching the in-memory code of running processes without the need to restart the process,” said Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group.

“Hotpatching covers Windows security updates and maintains parity with the content of security updates issued in the regular (non-Hotpatch) Windows Update channel. Hotpatching works by first establishing a baseline with a Windows Update Latest Cumulative Update.”

Benefits of using hotpatching to keep your Windows Server 2022 Azure VMs up to date and secure include:

• Higher availability with fewer reboots
• Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
• Better protection, as Hotpatch packages install faster without the need to schedule a reboot, decreasing the “window of vulnerability” after a Windows security update is released  

It won’t be available in AWS for quite some time, sorry. This feature is currently limited to Windows Server Azure Edition only. It’s pretty desirable that hotpatching will eventually come to all Windows, even clients. But I don’t have a timeline for this yet

— Ned Pyle (@NerdPyle) February 16, 2022

It’s important to mention that servers will still require reboots after installing updates delivered through the regular (non-Hotpatch) Windows update channel that aren’t included in the Hotpatch program.

Examples of patches that can’t be installed without a reboot include non-Windows updates (such as .NET patches) and non-security updates released for Windows.

Reboots will also be required periodically after installing a new baseline to keep VMs in sync with non-security patches included with the latest Windows cumulative update.

“Baselines (which require a reboot) will start out on a three-month cadence and increase over time,” Microsoft explains.

“Should you need to install an update outside the Hotpatch program, you can disable and unenroll hotpatching on a VM and revert the VM to typical update behavior for Windows Server. You can reenroll VM hotpatching at a later time,” Pyle added.

You can find more details on how you can hotpatch your Windows Server Azure VMs in this blog post or on this Microsoft Docs page.