Azure VMs Previews Features to Enhance Security and Uptime

• New features in preview for Azure VMs could reduce downtime from updates and improve VM security.
• Hotpatching allows Azure VMs running a preview version of Windows Server to install security updates without rebooting.
• Trusted launch enables Secure Boot and vTPM support for Azure Gen 2 VMs, which could protect VMs from rootkit attacks.
• However, these capabilities are available only for newly deployed VMs, and there is no upgrade path for existing VMs.

New capabilities in preview for Azure VMs could help improve VM uptime and security and allow migration of previously unsupported VMs from on-premises to Azure.

Windows Server 2019: Azure Edition Supports Hotpatching

Hotpatching, a feature of the Windows Server 2019: Azure Edition preview, allows security updates to be applied to in-memory processes on Azure VMs without requiring a reboot. This capability can speed security update installation and allows updates to be applied without interrupting running workloads.

Hotpatching works by establishing a baseline with the latest cumulative update for the OS; subsequent hotpatches are security updates that build on that baseline. Hotpatch update packages are limited to Windows security updates and do not include feature or quality updates. New planned baseline updates, which require reboots, are released on a scheduled interval (initially every three months). They include feature and quality updates and establish a new baseline for following hotpatches. An unplanned baseline may be released when important updates, like a zero-day vulnerability, mean an package cannot be released as a hotpatch (see the illustration “Hotpatch and Baseline Updates”).