How to: Set up hotpatch on desktop versions of Windows Server 2022 running in Azure

A perennial challenge of server administration is the application of patches and software updates. Applying updates often means a disruption to a service. Hotpatch for Windows Server 2022 Datacenter: Azure Edition allows you to apply a special set of software updates that keep the server in a secure state but, on average two months out of three, don't require the virtual machine to restart.

Hotpatch works as follows. When you enable hotpatch, a baseline Cumulative Update is applied to the server. This update does require a reboot. Once the cumulative update is installed, the next two months or so of additional updates build on that baseline but do not require the server to restart. I say "or so" because if you enter the cycle midway through, you might get the initial Cumulative Update and then the next one the following month. After that, though, the rhythm of updates will be a baseline cumulative update month followed by two months of hotpatch updates.

Hotpatch requires Windows Server 2022 Datacenter: Azure Edition. You can only run this edition in Azure or on Azure Stack. What's new with hotpatch compared to the recent past is that you can now use hotpatch with the Server with Desktop Experience version of Azure Edition. The initial version of hotpatch only worked if you deployed the operating system in the Server Core configuration. You can find a link to the Windows Server 2022 Datacenter: Azure Edition image that supports hotpatch in the Azure gallery at: https://aka.ms/hotpatchondesktopnewimage

Because hotpatch patches the in-memory code of running processes without the need to restart the process, your applications are unaffected by the patching process. This is separate from any potential performance and functionality implications of the patch itself.

To enable hotpatch you'll need to create a new VM using the Windows Server Azure Edition image or upgrade from a previous version of Windows Server to Windows Server 2022 Azure Edition. When deploying the VM, ensure that you select the option to enable hotpatch and that patch orchestration is configured as Azure-orchestrated, as shown in the image below.

[Image: VM deployment options with hotpatch enabled and patch orchestration set to Azure-orchestrated]

When you configure this option, automatic guest patching will be enabled. This means that:

  • Patches classified as Critical or Security are automatically downloaded and applied on the VM.
  • Patches are applied during off-peak hours in the VM's time zone.
  • Azure manages the patch orchestration and patches are applied following availability-first principles.
  • Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.

The Azure Edition VM will be assessed automatically every few days to determine the applicable patches for that VM. You can also choose to trigger an on-demand patch assessment for your VM at any time using the 'Assess now' option and review the results after the assessment completes.

To do this, go to the deployed VM's properties, select Updates and then select Go to Hotpatch, as shown in the image below.

[Image: the VM's Updates page with the Go to Hotpatch option]

You can trigger an evaluation by clicking Check for Updates or wait for the periodic evaluation to occur.

[Image: the Check for Updates button in the Hotpatch view]

The Update Settings section of the Azure portal allows you to enable or disable periodic assessments. You need both periodic assessments and hotpatch enabled for the process to function.

[Image: the Update Settings section with the periodic assessment option]

Definition updates and other patches not classified as Critical or Security are not installed through Automatic VM Guest Patching.
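The portal steps above (deploy with hotpatch and Azure-orchestrated patching, confirm periodic assessment is on, then run an on-demand assessment) can also be scripted. The following Az PowerShell script is an added example and is not code from the original post; it assumes an authenticated Az session, an existing resource group and network interface, and uses placeholder resource names, a VM size and an image SKU that are illustrative assumptions rather than values taken from the post.

```powershell
# Added example (not from the original post): provision a Windows Server 2022
# Datacenter: Azure Edition VM with hotpatch and Azure-orchestrated patching
# enabled, confirm the settings, and trigger an on-demand patch assessment.
# Requires the Az.Compute and Az.Network modules and an authenticated session
# (Connect-AzAccount). Resource names, the VM size and the image SKU below are
# assumptions for illustration only.

$rg       = "rg-hotpatch-demo"      # assumed existing resource group
$location = "westus2"               # assumed region
$vmName   = "hp-desktop-01"         # assumed VM name
$nicName  = "hp-desktop-01-nic"     # assumed pre-created NIC in $rg
$cred     = Get-Credential -Message "Local administrator for $vmName"

$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_D2s_v3"

# The settings the post describes: VM agent provisioned (required for guest
# patching), patch orchestration set to Azure-orchestrated (AutomaticByPlatform),
# hotpatch enabled, and periodic assessment switched on.
$vm = Set-AzVMOperatingSystem -VM $vm -Windows `
        -ComputerName $vmName -Credential $cred `
        -ProvisionVMAgent -EnableAutoUpdate `
        -PatchMode "AutomaticByPlatform" `
        -EnableHotpatching `
        -AssessmentMode "AutomaticByPlatform"

# Server with Desktop Experience image of Azure Edition that supports hotpatch.
# The SKU name is an assumption; confirm it against the gallery image the post
# links to before relying on it.
$vm = Set-AzVMSourceImage -VM $vm `
        -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" `
        -Skus "2022-datacenter-azure-edition-hotpatch" -Version "latest"

$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$vm  = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Verify: read the patch settings back from the deployed VM. Hotpatch only
# functions when Azure orchestration, hotpatch and periodic assessment are all
# enabled, so fail loudly if any of them is off.
$settings = (Get-AzVM -ResourceGroupName $rg -Name $vmName).OSProfile.WindowsConfiguration.PatchSettings
if ($settings.PatchMode -ne "AutomaticByPlatform" -or
    -not $settings.EnableHotpatching -or
    $settings.AssessmentMode -ne "AutomaticByPlatform") {
    throw "Hotpatch prerequisites are not all enabled on ${vmName}: $($settings | ConvertTo-Json -Compress)"
}

# Scripted equivalent of the portal's 'Assess now' / Check for Updates:
# run an on-demand assessment and list what is pending, including whether
# any pending update would need a reboot.
$assessment = Invoke-AzVMPatchAssessment -ResourceGroupName $rg -VMName $vmName
$assessment | Select-Object Status, CriticalAndSecurityPatchCount, OtherPatchCount, RebootPending
$assessment.AvailablePatches | Select-Object Name, Classifications, RebootBehavior
```

The verification step matters because the three settings are independent: a VM can have Azure-orchestrated patching without hotpatch, or hotpatch without periodic assessment, and in either case the reboot-free cadence the post describes will not apply. The `RebootBehavior` column of the assessment output is a quick way to see whether a given month's pending update is a hotpatch or a baseline Cumulative Update that will need a restart.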

You can find the hotpatch schedule at https://support.microsoft.com/en-us/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows… to determine the months where a hotpatch can be applied and the months where a baseline update requiring a reboot will be necessary. There may be some unforeseen security issues that arise that may require an out-of-band update, but these tend to only occur in exceptional circumstances.

You can find out more about hotpatch at the following page on learn.microsoft.com https://learn.microsoft.com/en-us/azure/automanage/automanage-hotpatch

The following video shows the process of deploying Windows Server 2022 Datacenter: Azure edition and configuring hotpatch.


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.