How does Hotpatch work?
Hotpatch works by first establishing a baseline with a Windows Update Latest Cumulative Update. Hotpatches are periodically released (for example, on the second Tuesday of the month) that build on that baseline. Hotpatches will contain updates that don’t require a reboot.
Planned baselines include all the updates in a comparable Latest Cumulative Update for that month, and require a reboot.
The sample schedule above illustrates four planned baseline releases in a calendar year (five total in the diagram), and eight hotpatch releases.
When unplanned baselines are released, a hotpatch release will be replaced with an unplanned baseline in that month. Unplanned baselines also include all the updates in a comparable Latest Cumulative Update for that month, and also require a reboot.
Why should I use Hotpatch?
When you use Hotpatch on Windows Server 2019 Datacenter: Azure Edition, your VM will have higher availability (fewer reboots), and faster updates (smaller packages that are installed faster without the need to restart processes). This process results in a VM that is always up to date and secure.
What types of updates are covered by Hotpatch?
Hotpatch currently covers Windows security updates.
What will the Hotpatch schedule look like?
Hotpatching works by establishing a baseline with a Windows Update Latest Cumulative Update, then builds upon that baseline with Hotpatch updates released monthly. During the preview, baselines will be released starting out every three months. See the image below for an example of an annual three-month schedule (including example unplanned baselines due to zero-day fixes).
Are reboots still needed for a VM enrolled in Hotpatch?
Reboots are still required to install updates not included in the Hotpatch program, and are required periodically after a baseline (Windows Update Latest Cumulative Update) has been installed. This reboot will keep your VM in sync with all the patches included in the cumulative update. Baselines (which require a reboot) will start out on a three-month cadence and increase over time.
Can I upgrade from my existing Windows Server OS?
Upgrading from existing versions of Windows Server (that is, Windows Server 2016 or 2019 non-Azure editions) isn’t supported currently. Upgrading to future releases of Windows Server Azure Edition will be supported.
To start using Hotpatch on a new VM, follow these steps:
Enable preview access
Create a VM from the Azure portal
Supply VM details
Enabling in Preview!
Steps to enable Hotpatch Preview
Use the Register-AzProviderFeature cmdlet to enable the preview features for your subscription:
Register-AzProviderFeature -FeatureName InGuestHotPatchVMPreview -ProviderNamespace Microsoft.Compute
Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
Register-AzProviderFeature -FeatureName InGuestPatchVMPreview -ProviderNamespace Microsoft.Compute
Feature registration can take up to 15 minutes. To check the registration status:
Get-AzProviderFeature -FeatureName InGuestHotPatchVMPreview -ProviderNamespace Microsoft.Compute
Get-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
Get-AzProviderFeature -FeatureName InGuestPatchVMPreview -ProviderNamespace Microsoft.Compute
Once the feature has been registered for your subscription, complete the opt-in process by propagating the change into the Compute resource provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
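The three registration steps above (register the preview features, wait for them to reach the Registered state, then propagate the opt-in into the Compute resource provider) can be run as one script. The following is an added example, not part of the original page or of Microsoft's own tooling. It assumes the Az.Accounts and Az.Resources modules are installed, that Connect-AzAccount has already been run against the subscription you want to enroll, and that a 20-minute polling window is acceptable (the page only states that registration can take up to 15 minutes; the timeout value is an assumption).

```powershell
# Added example (not from the original page): registers the three Hotpatch
# preview features listed on the page, waits until each reports "Registered",
# then propagates the change into the Microsoft.Compute resource provider.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount
# has already been run against the target subscription.

$ProviderNamespace = 'Microsoft.Compute'
$Features = @(
    'InGuestHotPatchVMPreview',
    'InGuestAutoPatchVMPreview',
    'InGuestPatchVMPreview'
)

# Step 1: request registration for each feature. The call is idempotent,
# so re-running the script against an already-registered subscription is safe.
foreach ($f in $Features) {
    Register-AzProviderFeature -FeatureName $f -ProviderNamespace $ProviderNamespace | Out-Null
    Write-Host "Requested registration of $f"
}

# Step 2: poll until every feature reports Registered. The page says this can
# take up to 15 minutes; the 20-minute deadline used here is an assumption.
$Deadline = (Get-Date).AddMinutes(20)
do {
    $pending = foreach ($f in $Features) {
        $state = (Get-AzProviderFeature -FeatureName $f -ProviderNamespace $ProviderNamespace).RegistrationState
        Write-Host ("{0,-28} {1}" -f $f, $state)
        if ($state -ne 'Registered') { $f }   # emit the name so it lands in $pending
    }
    if ($pending) { Start-Sleep -Seconds 30 }
} while ($pending -and (Get-Date) -lt $Deadline)

if ($pending) {
    throw "Feature registration did not complete for: $($pending -join ', ')"
}

# Step 3: propagate the opt-in into the resource provider and confirm its state.
Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null
$rpState = Get-AzResourceProvider -ProviderNamespace $ProviderNamespace |
    Select-Object -ExpandProperty RegistrationState -Unique
Write-Host "$ProviderNamespace registration state: $($rpState -join ', ')"
```

The script fails loudly (via throw) rather than silently continuing if any feature is still pending when the deadline passes, so an automation pipeline that creates the VM in a later step will not proceed against a subscription where the preview is only partially enabled.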
During the preview
Automatic VM Guest Patching is enabled automatically for all VMs created with Windows Server 2019 Datacenter Azure Edition.
Patches classified as Critical or Security are automatically downloaded and applied on the VM.
Patches are applied during off-peak hours in the VM’s time zone.
Patch orchestration is managed by Azure and patches are applied following availability-first principles.
Virtual machine health, as determined through platform health signals, is monitored to detect patching failures.