Microsoft reveals slow, staccato, disruptive auto-patching service for some Windows VMs on Azure
Not for all patches, not ASAP, not all at once, not for production workloads and maybe not worth it yet?
Microsoft has started a preview of automatic guest VM patching on Azure.
Which sounds interesting, because while cloud operators take care of racking, stacking, power, cooling and other data centre drudgery, keeping the VMs you rent alive remains your problem.
While this new service is automatic, it is not magical: it works on Windows Server Datacenter, only applies rated “Critical” or “Security” and may reboot a VM after patching.
Even those patches will only be applied in the 30-day post-patch-Tuesday window during which Microsoft will do the update. But you don’t get to choose when the patches are applied, but Microsoft promises the updates will happen “during off-peak hours in the VM's time zone.” Which may ease the pain of those reboots but still leaves you with a 30-day period during which Microsoft will apply critical patches at a time of its choosing.
Patches will roll out around the world on different days, which has the upside of not breaking all your VMs at once and the downside of leaving your fleet in an inconsistent state.
You can override Microsoft and get it done faster if you want.
The service also won’t relieve you of manual patching chores, because enabling auto-patches disables native Automatic Updates on the Windows virtual machine to avoid duplication. So while you’ll get some patches, less-vital updates will need either manual intervention or the creation of a custom patching regime.
To use the automatic service you’ll also need to install the Azure VM Agent on your VMs.
Microsoft currently recommends not using the service for production workloads and given the above it’s not hard to see why.
Hopefully the final service irons out a few kinks, because comprehensive and timely auto-patching could be very handy indeed. ®