Welcome to a new episode of Azure Unblogged. Today, we're going to talk about hot patching in Windows Server. Stay tuned.

Welcome back. I'm here with Nick and we're going to talk about a very new exciting feature in Windows Server called hot patching.

Absolutely. Yeah. We've just announced general availability of hot patch in Windows Server 22 Azure Edition, and it's something we're super excited about.

That's awesome. Thank you very much obviously for being here. You just mentioned Windows Server 22 Azure Edition. Before we talk about hot patching specifically, for those people who don't know, what is Windows Server 22 Azure Edition?

Absolutely. Windows Server 22 Azure Edition is a version of Windows Server that contains the latest and greatest server innovations that we've made available first in Azure Edition. Windows Server Azure Edition is something that runs only on Azure. In this case, it's as a guest VM on Azure IaaS. Some of the features that we have in Azure Edition include hot patch, which we're going to talk about today. There's also some other features that are available first or only in Azure Edition, including SMB over QUIC. SMB over QUIC is a VPN-less secure file sharing, something we're real excited about that we also want to share, and also extended network. Extended network is a way to stretch your on-premises network to the Azure Public Cloud. You can keep those IPs the same between the two if you need to. Just to round out, those are some of the things that we're bringing to Azure Edition. We're also bringing it with both desktop experience and server core, but it's important to note that hot patch is only available on server core.

Okay. No, that is pretty cool. Again, basically, it's a new edition of Windows Server 22, which unlocks a couple of new features together with Azure, which I'm also very excited. You mentioned hot patching and obviously that is why we are here. Is hot patching what I mean it is?

Yeah.
Hot patch is what it sounds like, and it's a term, I think, an industry term. Something that means it's going to be just like a regular update, but it's without the need to reboot. This is something the team here at Microsoft has been working on for a long time, and it's something we're excited to be able to bring to the public with this year's release. We've been using the technology for hot patch internally for a while now. So it's something that's established and now we can start to roll it out to something that folks can use also on the outside.

That is super cool. I mean, I know what people are now doing with traditional updates, right? So you have updates coming every month, where you then need to patch and you need to reboot your servers. And with hot patch, obviously we really reduce the amount of reboots your servers have to do, right?

Absolutely. Yeah, it's updating those running processes in memory. So not only do you not have to reboot, you don't even need to stop your running process. So it's something that as your workloads are going, they're just going to pick up that updated code automatically. So yeah, it's a cool thing to conceptualize. And it's actually hard to see, it's an update not happening. And actually, as part of a way to just visualize it, we have created a little side-by-side demo, which I have shown before in some other venues. But I can actually show a little bit of that here today and then we can just talk through a little bit of what's happening.

No, that's absolutely cool. Let's have a look.

All right, so I'm going to, yeah, let's just roll the video here. And before I get started, I'll just describe my environment. So I've got on the left side here, I have a VM that's installing a traditional update. And then on the right, I have a VM that's installing a hot patch update, that equivalent update is a hot patch. And this is kind of a lab side-by-side. So it's just going to be we're installing these updates manually for this demo.
And we're also running just a little sample workload just to help visualize and help conceptualize what's going on. Something running that we don't want to reboot and interrupt. So we're copying some files. I'll just start rolling here. OK, so on the left, we have the traditional update. We're installing that cumulative update. It's going to kick off. And then on the right, we're installing that hot patch update. You can see the update is already complete. And that's really the end of the update. So there is nothing else to do. There is no reboot or restart of processes.

And the file copy continues.

Yeah, so as we go here, as we are patching that in memory, there's really nothing else to do. And when you look on the left, not only is this much faster on the right here, you can see we can install another hot patch update. So I've actually simulated here I'm installing two months worth of hot patches. So you can really see if we were to take this to the real world, we can go month over month. And we have those updates being installed without any impact to that workload. So not only can you see how much faster it is, right? So over on the left, we're still installing that first month's package. But we just keep rolling. There's no reboots, nothing to get in the way and interrupt our workload.

Wow, that's impressive. The workload is still running. We installed two times the same amount.

Yeah, so I'll just stop the video here. You can see, so now the reboot's required. So this is something that we can all understand as professionals who install updates on machines of it. It's just really good to see kind of all in one view. Like the month over month, I'm going in. I'm installing my updates. I'm making sure that I've turned down my workloads in a safe manner. And I've queued all those updates to go out and reboot and come back. A lot of that is going to be reduced or go away. We won't even really have the need.
Our vision is to have less of a need to even do those long all night or weekends to get those servers updated.

No, it's impressive. So first of all, obviously one thing I did know was that it obviously needs less reboot. So like the hot patch is in, so you don't need to reboot, which is great, so you can keep on running. Your workload is still running. You don't need to plan anything for orchestration to reboot. But what I didn't know, what I was so surprised is how fast they actually installed. That was like something which comes in addition, which is pretty cool as well.

Absolutely. Yeah, it's something that we, you know, there's really two stories to hot patch. One is how much less rebooting there is and what that means, but also the security implications of being able to go from a patch being made available to a patch being installed at much shorter time because there's less time to install, there's less time necessary to plan that reboot and then there's no reboot. So you can get those patches on faster and have your VM secure much quicker than maybe you otherwise would have.

So this is cool. So you obviously, as you just mentioned, there's a lot of work going into Windows Server in this case to enable hot patching. And you mentioned earlier on like baselines. Can you tell me a little bit how this works and what that means?

Yeah, absolutely, absolutely. Yeah, so as we start out, when you first start into the hot patch program or your VM is enrolled in hot patch, you're gonna have a baseline and what a baseline update looks like, it looks more like a traditional cumulative update. So you install your baseline, you do the reboot that you would normally do, something that looks like the usual reboot. And then after you've done that, the hot patches or the monthly updates that we send out as hot patches can be applied over the top of that baseline. And when that happens, then you don't need that reboot, right?
So you're gonna have up to three months right now without needing to reboot. And the cool thing is these are all things that we control over on the servicing side. So as the program matures, you're gonna see more time, like a stretched out more time between reboots. And the program is gonna keep maturing and we're gonna be able to really give you those updates that you want without the need to reboot. Yeah, and I think, yeah, in a more, in a faster way.

Yeah, no, that's absolutely great. I just wanna, because like, when I have conversations with a customer, one thing coming up when we talk about these baselines and hot patching, and I just wanna make sure that we talked about this, this doesn't mean, like hot patching doesn't mean I don't get all of the security updates, right? I still get all of them for my service.

Absolutely, yeah, and that's a great point. So we have worked to create parity and as part of our general release, to create parity between the hot patches that you'll receive and what would be the cumulative update, we call cold patches. What is the equivalency between a machine that's in hot patch and one that's not? You're gonna get those same updates on that B week or that second week, second Patch Tuesday. And if for some reason we couldn't make an update hot patchable, you would see we would still send it out and it would create something called an unexpected baseline or something that would essentially mean that we would send an unexpected reboot out to those machines. So there's never gonna be a scenario where you don't get, you're not secure, you're not gonna get an update. And the better we get at the program, the more it's gonna be hot patching, you're not gonna get those reboots. But yeah, you're always gonna get those updates, absolutely.

No, that's fantastic. So I'm totally sold on it. So what do I need to do if I actually wanna try out hot patching or if I wanna deploy VMs in Azure with hot patching? Can you show me a little bit?
Yeah, absolutely. So when you create a VM in Azure on Azure IaaS, you can create this Windows Server 22 Azure Edition and I can actually show a little live demo here in the portal. So you can create your VM in any way that you prefer, whether it's through the portal or programmatically through another VM, like an ARM template. But I'll just show, just go through the portal here today. So I'm gonna go into Azure and I'm gonna just go to my virtual machines. I'm gonna create a machine like I normally would. And when I do that, you can see here one of the main differences is when I'm going in to select my image, I need to select Windows Server 2022 Datacenter: Azure Edition Core. So this is gonna be the image that lights up that hot patch capability. So it's important. So folks may overlook like it needs to be Azure Edition and needs to be Core. Once you have all those components together, then you're gonna see hot patch capability. So when I continue on, actually I'm just gonna go over and show now that I've selected that image, go to my management tab. Now I can see that hot patch is enabled here. And so I'm gonna create this with hot patch enabled, but you can actually go in, you can create a VM with hot patch disabled by default. You could also choose later to disable hot patch or enable hot patch at a later time. It's important to note there are some limitations to when you can actually enter into, and there's some more details that we can get into later and even in our documentation, but hot patch baselines are something that are scheduled periodically. So once you have that baseline, then you can build on top of it with hot patch, with hot patches and not reboot. But if you were to leave like disabled hot patch here, I'm still gonna receive updates on this machine. You know, this would be more of the traditional updates. Another call out is patch orchestration.
So I'm using Azure orchestrated patching and an important part of hot patch is how those hot patches are applied. So this technology is built into Azure orchestration. And so the benefits of that are you really don't, there isn't anything to worry about. This is gonna push those updates down periodically and you don't, there's nothing to kind of more to do once you've entered into that orchestration. Okay, so I've created my machine and now I can just connect to it. And I mean, that's all I need to do. As I was saying, my machine is now running. I'm receiving hot patches. I'm not gonna reboot, you know, until that next baseline. And if I did want to make any changes myself, I could scroll down here and I could see, actually sorry, I'm gonna scroll up. So under operations, I have guests and host all this updates. I'm gonna click on that. Let me try again, when I click on that, then I'm gonna see I have both the, I see two different things here. So this is the traditional update management that I've been going to. And I see right up above that a hot patch preview. And what this is gonna do is it's gonna take you to a new update management experience that you'll need to run in order to manage hot patch. And when I click through that, I'm actually gonna see a dashboard here which shows me, okay, for this VM, which updates have been installed, my hot patch is enabled. I can see the history of the updates I've applied down here. And from here, I could actually apply an update now if I had one available, or like I said earlier, if I did nothing, the update would just install by itself through orchestration. And then I can also go in here and make any changes that I need to do. So say I need to turn off hot patch, I can do that also. So all that is available here through the management, through the management portal on Azure.

No, this is fantastic and actually super simple. So let me summarize and let's see if I got this right.
The only thing you actually need to do to enable hot patch for a new VM to deploy, you need to select the right VM image. So that needs to be Windows Server 2022 Azure Edition Core. So that needs to be just this image. And then this will automatically on the management select that hot patching is enabled. But I can also check that obviously also if I do it in an ARM template, I would obviously see if that feature flag is set.

Absolutely.

And then if I don't want it, I could disable it, but usually I think that's a great thing to do. And that is basically all I need to do. After that, I basically can just let it run and it will automatically make sure that I get all the patches and all the patches are installed. And if I want to do changes to that or review updates, I can just go to the update management there on the VM page and actually have a look if everything works and if all the patches are installed or if there is a pending patch available. Is that correct?

Absolutely, yeah. And really, if you've got your fleet of VMs running, you're not gonna need to go in and do anything. As a course of business, they're just gonna install those patches as necessary. But if you do have a need to perhaps test with a subset of machines to make sure everything's working, then yeah, you can use both that portal that I showed the management plane or other methods to install those hot patches right after they're available. So there's gonna be a time between when the hot patch is released and when Azure orchestration actually installs it. And you can learn more about that also by going to our docs. But it's gonna basically roll those patches out over time. And so you can go in there also at the beginning of that cycle and do that testing that you need to do to make sure everything's working.

No, this is fantastic. So I wanna try this out. And I'm sure a lot of customers watching this video also wanna try it out. But first we're gonna probably read some more documentation on it.
Where do we go?

Absolutely, yeah. So the best place to start is at our docs page. I mean, we actually created an aka for that. So if you go to aka.ms slash hot patch on Azure, you can get started there and learn more. And yeah, just that's the beginning of the journey from there, yeah.

Thank you very much, Nick. So this is absolutely fantastic. Thank you very much for being here and teaching me all about hot patch. And thank you everyone for watching and see you in another episode of Azure Unblogged.