- Split-brain DNS deployment using Windows Server DNS policy - Wed, Nov 30 2022
- Veeam Backup for Microsoft 365—Why you need to back up your M365 data - Tue, Nov 15 2022
- Cloud-based patch management with Action1 - Tue, Nov 8 2022
Windows patching has historically been a pain for Windows and IT administrators. It involves maintenance periods and even the possibility that the server won't come back up after a reboot. Windows Server is not necessarily known for gracefully accepting changes to the OS. Even outside of patching, reboots have long been standard operating procedure for Windows administration. Recently, at Microsoft Ignite 2021, Microsoft announced a new solution that will thrill Windows IT admins everywhere—rebootless patching, or "hot patching."
The new rebootless hot patching of Windows currently only exists in Microsoft Azure and is now in Preview status. Let's look at the hotpatching feature, how it works, and how admins can make use of the new functionality to keep Windows servers up-to-date.
Microsoft's new Windows rebootless patches in Azure ^
The new hotpatching feature in Microsoft Azure for Windows Server allows you to install updates that do not require a reboot after installation. The new feature is currently in Preview form, so this is not yet a GA feature. There is also a caveat—it is available only for Windows Server 2019 Datacenter: Azure Edition virtual machines, which is also in Preview release. So, you can't use the regular Windows Server 2019 Datacenter edition if you already have this provisioned.
The new hotpatching feature will provide tremendous new lifecycle management capabilities since Windows Server 2019 Datacenter Azure Edition can now be patched without the need for a reboot after patch installation. It helps to benefit environments with the following capabilities:
- Higher availability—Patches without reboots require less downtime.
- Better security—Rebootless patches mean servers can be kept more current with security patches without maintenance periods.
- Critical or security-related patches are automatically downloaded and installed.
- Microsoft applies the patches in off-peak hours in the virtual machine's local time zone.
- Microsoft follows the availability-first patching methodology. You can read more about how this works here.
- Microsoft monitors several metrics with the virtual machine to determine patching failures.
You may be wondering how rebootless patching of virtual machine guests works.
Rebootless automatic VM guest patching ^
The new rebootless automatic VM guest patching works using what Microsoft refers to as a planned baseline. With the planned baseline, the latest Cumulative Updates are installed on the Windows Server with a reboot. According to Microsoft's documentation on hotpatching, the current cycle for a Cumulative Update is every three months, with hotpatches released in between, such as the second Tuesday of every month. The Cumulative Update creates the baseline (with a reboot), which is then used to apply the new rebootless hotpatches in between. These build on the latest cumulative updates applied to the server. Microsoft mentions that there may be updates classified as critical, or even security patches that also require a reboot of the virtual machine.
However, most security patches can be delivered as a hotpatch that does not require a reboot. With hotpatching, the process works by patching the in-memory code of running processes without a reboot of the server. Since only the server's memory footprint changes during the hotpatch process, it does not require a reboot of the server.
How are out-of-band and zero-day patches handled? ^
You may wonder about out-of-band or zero-day critical patches and how these are handled in context with the Cumulative Updates and hotpatching functionality. With zero-day patching, Microsoft refers to the baseline that is created at that time as an unplanned baseline. When a zero-day fix is released out-of-band, it is not delivered as a hotpatch. Instead, an unplanned baseline is created containing the zero-day hotfix along with the latest comparable Cumulative Update. These do require a reboot.
How often are VMs assessed? ^
Microsoft uses a process called assessment to discover patches needed by the virtual machine. It mentions that VMs are assessed every few days and multiple times in a 30-day window. This automatic assessment process ensures that missing patches are discovered quickly and applied to the VM as soon as possible.
Configuring hotpatch functionality ^
How do you configure the rebootless hotpatch feature? Since it is a Preview-only feature, for now, you have to register your Azure account for the new preview features. The easiest way is to use Azure CLI or Azure PowerShell to register for the features.
I used the Azure PowerShell cmdlets for registering:
- Register-AzProviderFeature -FeatureName InGuestHotPatchVMPreview -ProviderNamespace Microsoft.Compute
- Register-AzProviderFeature -FeatureName InGuestAutoPatchVMPreview -ProviderNamespace Microsoft.Compute
- Register-AzProviderFeature -FeatureName InGuestPatchVMPreview -ProviderNamespace Microsoft.Compute
After running the cmdlets, you will want to wait for a few minutes for the new services to register. You can also use the Get-AzProviderFeature cmdlet to check the status.
Once you have enabled the hotpatching feature for your Azure account, you need to activate the Windows Server 2019 Datacenter: Azure Edition operating system, which is Preview as well. To do that, follow the link here.
Click the Get It Now button.
Click Continue to create a new virtual machine based on the Windows Server 2019 Datacenter: Azure Edition.
Once you click Continue, the Azure portal will allow you to create a new Windows Server 2019 Datacenter: Azure Edition virtual machine.
Once you choose to create a virtual machine based on the new Windows Server 2019 Datacenter: Azure Edition image, the Create a virtual machine wizard displays the familiar configuration options for provisioning a new Azure virtual machine. Make sure the Windows Server 2019 Datacenter: Azure Edition image is still selected.
Pay attention to the management configuration step. In the Guest OS updates area of the Management screen, you can select the Enable hotpatch (Preview) checkbox and also make sure you have the Azure-orchestrated (Preview) option selected in the Patch orchestration options.
Once the virtual machine is provisioned, select the Guest + host updates blade.
Under Guest OS updates, click the Got to Hotpatch (Preview) button.
Subscribe to 4sysops newsletter!
Wrapping up ^
The new hotpatch, rebootless Windows Server patching with the new Windows Server 2019 Datacenter: Azure Edition operating system, is a significant step forward for applying Windows Server patches. It provides businesses with the opportunity to ensure they are running the latest security patches without the maintenance period required for reboots. The feature is only in Preview currently. However, it shows the direction Microsoft is headed in with lifecycle management for Windows Server VMs in Azure. Will the new feature extend to on-premises Windows Server? Time will tell on that front, but the possibility is certainly there.