Microsoft explains how Windows Server Hotpatching works

Last year, Microsoft described its job as patching Windows Updates to apply updates on the fly to Windows systems and eliminate the need to reboot systems to install updates. A new blog post on the Microsoft Tech Community website announces the introduction of Hotpatching support in Azure Automange for Windows Server. Microsoft recently released Windows Server 2022.

Hotpatching offers several advantages over traditional means of installing updates on Windows machines. Microsoft highlights the top three benefits in the blog post:

• Fewer restarts, which improves availability.
• Faster deployment, as update packages “are smaller, install faster, and have easier patch orchestration.”
• Enhanced protection as security updates can be installed immediately instead of a scheduled reboot.

Hotpatching works by “establishing a baseline with a latest cumulative update from Windows Update,” according to Microsoft. The company plans to periodically release patches that build on that baseline, and these updates won’t require a reboot. The baseline is updated with new Cumulative Updates, and also periodically.

Hotpatches could be released every Patch Tuesday (once a month) and new baselines could be released every three months. In the best case, the servers will need to be restarted four times a year, when new baselines are applied.

Microsoft distinguishes between planned and unplanned baselines. Planned baselines are released on a regular cadence to move the system to a new baseline. Hotpatches can be installed between these planned reference releases.

Unplanned baselines are needed to patch systems if hotpatching cannot be used for a particular patch. Microsoft mentions fixes for 0 day vulnerabilities in particular. These unplanned reference builds require a restart and include all content from the latest Cumulative Update.

Updates can be installed outside of the Hotpatch program according to Microsoft, but it is necessary to disable and unenroll hotpatches to return to the default update behavior for Windows Server. Re-registration is possible at any time.

The rest of the announcement provides implementation details for server administrators.

closing words

Hotpatching improves the availability of Windows Server by reducing the number of update-related restarts over time. Also, security updates that are deployed via hotpatches are applied immediately instead of requiring a reboot (immediately or on schedule); this reduces the time the machine is vulnerable to possible attacks targeting the vulnerability.

Microsoft is working to bring hotpatching functionality to a “broader set of Windows clients.” It’s unclear if this will include consumer versions of Windows.

Now you: What is your opinion on hotpatching? would you use it (via Desktop Modifier)

advertising