How Hot Patch for Windows Server Azure Edition helps secure Domain Controllers

At Microsoft Ignite 2021 Spring Edition, Microsoft introduced the Public Preview of Hot Patching for Windows Server Azure Edition.

About hot patching for Windows Server Azure Edition

Microsoft announced new capabilities for Azure Automanage at Microsoft Ignite 2021 Spring Edition to simplify operations for Windows Server-based virtual machines (VMs). Azure Automanage helps organizations reduce day-to-day management tasks with automated operations across the entire lifecycle of VMs in Azure Infrastructure-as-a-Service.

One of these new capabilities, labeled Hot Patching, enables rebootless security patching for new Windows Server VMs. It allows security patches to be deployed in seconds, helping protect servers against critical threats.

Hot Patching vs. Monthly Patching

Windows Server gets monthly cumulative updates. It’s our job as systems administrators to apply these updates as quickly as possible to prevent our systems from being compromised. At the same time, we need to keep an ear to the ground to avoid installing rogue updates that negatively impact the availability of our systems and the services on them. Both pressures stand in the way of predictable maintenance windows.

With hot patching, security updates are installed automatically on Windows Server 2019 Datacenter editions running as virtual machines in Azure Infrastructure-as-a-Service. The patches are applied to the in-memory code of running processes, which is why they can be installed without a reboot. Updates are installed as soon as they arrive, to limit the time the system is exposed to the vulnerabilities they address.

However, every three months a hot-patched Windows Server installation needs to realign with the baseline, which does require a reboot. This is where a predictable quarterly maintenance window comes in.

Redundancy vs. downtime

Of course, when your organization has already deployed an active-active multi-region service, an admin can simply reboot systems without impacting the offered service. However, building an infrastructure with enough spare capacity to patch adequately requires a significant additional investment and adds complexity, and thus cost.

To guard against rogue updates, patching half of the active-active capacity and then switching the service over to the other half sinks even more cost into capacity and complexity that exist only to make patching safe.

Hot patching for Domain Controllers

Active Directory is a peculiar service from many points of view. Multiple Domain Controllers offer an active-active service, but some things fall outside the multi-master model that lets every Domain Controller offer all of its services.

Functionality like the Flexible Single Master Operations (FSMO) roles, DNS server addresses handed out through DHCP and long-lived LDAP connections all make the case for Hot Patching of Windows Server installations acting as Domain Controllers.

As Active Directory is at the heart of every Microsoft-oriented networking infrastructure, patching the Windows Server installations running as Domain Controllers gets the highest priority during maintenance windows.

I feel hot patching for Domain Controllers is a good way to get Domain Controllers patched fast and adequately. It may not be beneficial to all organizations, all scenarios and all environments.

Further reading

Patching alone is not enough: Investigate your exposure windows
Hotpatch for Windows Server Azure Edition (preview)
Azure Automanage