Microsoft explains how Windows Server Hotpatching works
Last year, Microsoft described its work on hotpatching Windows Updates to apply updates on the fly to Windows systems and remove the need to reboot the systems to install the updates. A new blog post on Microsoft's Tech Community website announces the introduction of Hotpatching support in Azure Automange for Windows Server. Microsoft released Windows Server 2022 recently.
Hotpatching offers several advantages over traditional means of installing updates on Windows machines. Microsoft highlights the three core benefits in the blog post:
- Fewer reboots, which improves availability.
- Faster deployment, as update packages "are smaller, install faster, and have easier patch orchestration".
- Improved protection, as security updates may be installed immediately instead of scheduling a reboot.
Hotpatching works by "establishing a baseline with a Windows Update Latest Cumulative update" according to Microsoft. The company plans to release hotpatches periodically that build on that baseline, and these updates won't require a reboot. The baseline is refreshed with new cumulative updates then periodically as well.
Hotpatches could be released on every Patch Tuesday (once a month), and new baselines could be released every three months. In the best case, servers would need to be rebooted four times per year, when new baselines are applied.
Microsoft distinguishes between planned and unplanned baselines Planned baselines are released on a regular cadence to move the system to a new baseline. Hotpatches may then be installed in between these planned baseline releases.
Unplanned baselines are needed to patch systems if hotpatching cannot be used for a particular patch. Microsoft mentions fixes for 0-day vulnerabilities in particular. These unplanned baseline releases do require a reboot and include all content of the latest cumulative update.
Updates may be installed outside of the Hotpatch program according to Microsoft, but it requires disabling and unenrolling hotpatching to return to the default updating behavior for Windows Server. Reenrolling is possible at any time.
The rest of the announcement offers implementation details for server administrators.
Closing Words
Hotpatching improves the availability of Windows Server by reducing the number of update-related reboots over time. Additionally, security updates that are deployed via hotpatching are applied immediately instead of requiring a restart (immediately or on schedule); this reduces the time the machine is vulnerable to potential attacks targeting the vulnerability.
Microsoft is working on bringing the hotpatching functionality to a "wider set of Windows customers". It is unclear if this will include consumer versions of Windows.
Now You: what is your take on hotpatching? Would you use it? (via Deskmodder)
Better testing >>> fewer bugs >>> less patches >>> drop in reboots. Debugging this system will be a b*$#^h and beyond the new hires M$ uses.
For sure this solution needs different filesystem than ancient NTFS, and the most likely such server will require to be installed on extfat.
The issue with NTFS is that this fs doesn’t release opened already file, so that’s why often needs to be restarted after update.