Hey Checkyourlogs Fans,

Hot patching is a feature that lets Windows Server 2022 Datacenter: Azure Edition virtual machines (VMs) install security updates without a reboot after installation. This blog post focuses on enabling Hotpatch on machines deployed from ISO on Azure Stack HCI.

Why Hot patching?

Hot patching minimizes downtime and disruption by applying critical updates to the system without rebooting. While Azure Marketplace provides pre-configured images with Hot patching enabled, this guide is specifically for ISO-deployed environments on Azure Stack HCI.

Critical Differences for ISO-Configured Machines

  1. Hotpatch Configuration:
    • Not available via Azure Update Manager.
    • It cannot be disabled once enabled.
  2. Patching Orchestration:
    • Automatic orchestration is unavailable.
    • Manual orchestration is required (e.g., using SConfig or PowerShell).

Prerequisites

Before proceeding, ensure the following prerequisites are met:

  1. Operating System and Platform:
    • Windows Server 2022 Datacenter: Azure Edition (upgraded via ISO).
    • Hosted on Azure Stack HCI (version 21H2 or later) with Azure benefits enabled.
  2. Outbound Network Access:
    • Ensure HTTPS (TCP/443) traffic is allowed to:
      • go.microsoft.com
      • software-static.download.prss.microsoft.com
  3. Familiarize Yourself with Hot patching:
    • Review the Hot patch functionality for new virtual machines.

Step 1: Prepare Your Computer

  1. Sign In:
    • Server Core: Use SConfig option 15 to open a PowerShell session.
    • Desktop Experience: RDP into the VM and launch PowerShell.
  2. Enable Virtualization-Based Security:

# Set the DeviceGuard registry flag that requests virtualization-based security.
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$parameters = @{
    Path         = $registryPath
    Name         = "EnableVirtualizationBasedSecurity"
    Value        = 0x1
    Force        = $True
    PropertyType = "DWORD"
}
New-ItemProperty @parameters

# VBS is enabled at boot, so restart before continuing with the next step.
Restart-Computer

  3. Configure Hotpatch Table Size:

# Reserve the in-memory patch table that Hotpatch updates are applied into.
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
$parameters = @{
    Path         = $registryPath
    Name         = "HotPatchTableSize"
    Value        = 0x1000
    Force        = $True
    PropertyType = "DWORD"
}
New-ItemProperty @parameters

  4. Set Windows Update Endpoint for Hotpatching:

# Create the targeting key so Windows Update offers the Hotpatch enrollment package to this machine.
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\Hotpatch.amd64"
New-Item $registryPath -Force

$nameParameters = @{
    Path  = $registryPath
    Name  = "Name"
    Value = "Hotpatch Enrollment Package"
    Force = $True
}
$versionParameters = @{
    Path  = $registryPath
    Name  = "Version"
    Value = "10.0.20348.1129"
    Force = $True
}
New-ItemProperty @nameParameters
New-ItemProperty @versionParameters

Step 2: Install the Hotpatch Servicing Package

  1. Download the KB5003508 Standalone Package:

# Download the standalone package over BITS into the current directory.
$parameters = @{
    Source      = "https://go.microsoft.com/fwlink/?linkid=2211714"
    Destination = ".\KB5003508.msu"
}
Start-BitsTransfer @parameters

  2. Install the Package:

# Install the .msu with the Windows Update Standalone Installer.
wusa.exe .\KB5003508.msu

Follow the on-screen prompts to complete the installation.

  3. Verify Installation:

# Confirm the servicing package shows up in the installed hotfix list.
Get-HotFix | Where-Object {$_.HotFixID -eq "KB5003508"}

Final Steps

Once the steps are completed, your system will be configured to support Hotpatch updates. Remember, for ISO-deployed environments:

  • Patching is Manual: Use tools like Windows Update or SConfig.
  • Monitor Updates: Regularly verify updates using Get-HotFix.
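The following read-only readiness check is an added example, not code from the original post. It reads back the registry values written in Step 1, confirms the KB5003508 package from Step 2 is present, checks that VBS is actually running after the reboot (via the Win32_DeviceGuard CIM class, which reports VirtualizationBasedSecurityStatus 2 when running), tests outbound TCP/443 to the two prerequisite endpoints, and lists the most recent hotfixes for the ongoing monitoring recommended above. The function names and the $expected table are this example's own; the paths and values come from the post.

```powershell
# Added example: Hotpatch readiness report for an ISO-deployed WS2022 Azure Edition VM.
# Read-only; it changes no registry values. Run in an elevated PowerShell session.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HotpatchReadiness {
    $results = [System.Collections.Generic.List[pscustomobject]]::new()

    # Expected registry state, taken from Step 1 of the post.
    $hotpatchKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\Hotpatch.amd64'
    $expected = @(
        @{ Check = 'VBS requested (registry)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
           Name  = 'EnableVirtualizationBasedSecurity'; Value = 1 },
        @{ Check = 'HotPatchTableSize'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
           Name  = 'HotPatchTableSize'; Value = 0x1000 },
        @{ Check = 'Hotpatch targeting Name';    Path = $hotpatchKey; Name = 'Name';    Value = 'Hotpatch Enrollment Package' },
        @{ Check = 'Hotpatch targeting Version'; Path = $hotpatchKey; Name = 'Version'; Value = '10.0.20348.1129' }
    )

    foreach ($e in $expected) {
        $actual = Get-RegistryValueOrNull -Path $e.Path -Name $e.Name
        $detail = if ($null -eq $actual) { 'value missing' } else { "found '$actual'" }
        $results.Add([pscustomobject]@{
            Check  = $e.Check
            Pass   = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
            Detail = $detail
        })
    }

    # The registry flag only requests VBS; confirm it is running after the reboot.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check  = 'VBS running'
        Pass   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        Detail = "status $($dg.VirtualizationBasedSecurityStatus)"
    })

    # Step 2: the Hotpatch servicing package must be installed.
    $kb = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB5003508' }
    $kbDetail = if ($kb) { "installed $($kb.InstalledOn)" } else { 'not found' }
    $results.Add([pscustomobject]@{ Check = 'KB5003508 installed'; Pass = [bool]$kb; Detail = $kbDetail })

    # Prerequisite: outbound HTTPS to the enrollment endpoints.
    foreach ($endpoint in 'go.microsoft.com', 'software-static.download.prss.microsoft.com') {
        $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check  = "TCP/443 to $endpoint"
            Pass   = [bool]$tcp.TcpTestSucceeded
            Detail = "remote $($tcp.RemoteAddress)"
        })
    }

    return $results
}

function Get-RecentHotFix {
    # Most recently installed updates, for the manual monitoring the post recommends.
    param([int]$Count = 5)
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First $Count HotFixID, Description, InstalledOn
}

# Usage: run after completing Step 2; any row with Pass = False needs attention before relying on Hotpatch.
$report = Test-HotpatchReadiness
$report | Format-Table Check, Pass, Detail -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'One or more Hotpatch readiness checks failed.' }
Get-RecentHotFix | Format-Table -AutoSize
```

Because each check is returned as an object rather than printed, the report can be piped to Export-Csv and collected from a fleet of VMs to spot machines where the enrollment did not land.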

I just rolled the updates manually for this VM and, guess what, no reboot was required on the CU.


Thanks,

Dave