
Let’s be real for a second: nobody enjoys weekend maintenance windows. Juggling host evacuations, watching progress bars, and holding your breath during host reboots is practically a rite of passage in IT. But lately, I’ve been diving into the newest ESXi live patching features, and I have to say, it’s an absolute game-changer for our uptime.
If you haven’t looked into how VMware is handling live patching these days, you are missing out. Here is a breakdown of what’s new and why it’s making my life a whole lot easier.
It’s On by Default
The first thing you’ll notice is that ESX live patch is now enabled by default across all clusters.
What I love about this is how smart it is out of the box. When you push a patch, the system automatically checks if it can be applied live. If it can, boom—patched with no reboot. If the patch requires a reboot, the system gracefully falls back to the traditional method: putting the host into maintenance mode and restarting it.
No Accidental Reboots Allowed
For those of you running mission-critical clusters where a reboot is a cardinal sin, there’s an Enforce setting. When you flip this on, only live patch remediation is allowed. If a patch would require a reboot, vSphere blocks the remediation on that host entirely rather than restarting it. It’s a great safety net.
You can set this up globally at the vCenter level to cover everything, or you can get granular and override those settings at the cluster level.
TPM Support is Finally Here
If you’ve been holding off on live patching because of your security hardware, I have great news. Starting with ESX 9.1, we finally have full support for TPM-enabled servers!
In the past, having to choose between advanced hardware security and live updates was incredibly frustrating. Now, we don’t have to disable TPM or sacrifice high availability just to keep our hosts compliant. It just works.
Way More Under the Hood
Live patching isn’t just a gimmick anymore; it covers a massive chunk of the infrastructure. They’ve expanded coverage deeper into the vmkernel, and honestly, you can really feel the performance improvements while the patches are being applied.
But the biggest win for me? The expanded support for user space daemons, core storage, libraries, and firewall rules.
If you are a vSAN admin, you’re going to love this. You can now live-patch critical vSAN user world daemons, including vsantraced, swapobjd, vdfs-server, and vdfs-proxy.
More coverage means more patches qualify for live updates, keeping us out of maintenance mode more often.
Final Thoughts
Overall, I am thrilled with where ESXi live patching is heading. Fewer reboots mean happier admins and happier users.
Disclaimer: Please note that the views expressed in this blog are solely my own and should be treated as personal opinions. This content does not hold any legal or authoritative standing.
