Clarification on Baseline Update Installation for Hotpatch-Enabled Azure VM

Question

Clarification on Baseline Update Installation for Hotpatch-Enabled Azure VM

ndsisg 20

Update 4/20/2025:

Azure auto-install job just ran on 4/19/2025, 09:21:43 PM CST and installed baseline update KB5055526 automatically. Please refer this below screenshot,

So, baseline updates are installed automatically too.

But please let me know why is the overall status of this job is Failed? safe to ignore?

Also, now I see MissingRequiredBaseline state for hotpatch status for this VM too after this job ran!

User's image

Is it safe to ignore this hotpatch status?

Subject: Clarification on Baseline Update Installation for Hotpatch-Enabled Azure VM

Description:

We are trying to understand the expected behavior for baseline update installation on a Hotpatch-enabled Azure VM (Azure-orchestrated patching).

Primary Question:

As per the doc here,

Hotpatch first establishes a baseline with the current Cumulative Update for Windows Server. Every three months, the baseline periodically refreshes with the latest Cumulative Update. You then receive Hotpatch releases for the next two months after the Cumulative Update.

Hotpatch critical updates are auto-installed successfully.

Now, how is the baseline update on a Hotpatch-enabled VM supposed to be installed in Azure?

• Is it installed automatically or does it require manual installation?

• If manual, what is the correct process to install it?

Following are the screenshots from my Hotpatch-enabled VM (Windows Server 2022 Datacenter Azure edition),

• The baseline update KB5055526 as per the screenshot below was published on April 7th at 11:00 PM CST User's image

• The last Azure auto update job ran on April 7th at 9:42 PM CST, just before the baseline was published.

User's image

• It has now been over 10 days, and the baseline still hasn’t been auto-installed.

We are assuming the next auto update cycle will address this, but we're unsure if that will happen within a specific SLA or timeline (e.g., 30 days?).

What We Have Observed:

In one of our VMs, we manually installed the required baseline update and rebooted it.
However, after doing this, the Azure Portal shows a MissingRequiredBaseline warning.

User's image

We are concerned that this might mean the VM is no longer eligible to receive future hotpatch updates. Is that correct?
In one of our other VMs, we manually installed all the pending updates including baseline and performed a reboot, but that VM also went into a MissingRequiredBaseline state.

We are waiting to see if the next auto patch job will clear this warning and restore normal hotpatch readiness?

Request:

Please confirm the following:

Whether baseline updates are expected to install automatically (and when)?
Whether manual installation impacts hotpatch readiness state (MissingRequiredBaseline)?
What we can or should do to ensure the VM is in a healthy state to receive future hotpatch updates?

Thanks for your help!

Akshay kumar Mandha 3,160 Reputation points Microsoft External Staff Moderator

2025-04-21T06:59:32.58+00:00

Hi ndsisg,
Based on your query,
I understand your concern, that you are facing the issue.
When it comes to baseline updates for Hotpatch-enabled Azure VMs, they are designed to install automatically as part of Azure’s patching process. However, in your case, it seems the timing might have caused a delay for example, the auto-update job might have run just before the baseline update was published. While this specific situation is not directly mentioned in the documentation, Azure generally addresses these kinds of delays in the next update cycle.

Now, about manually installing baseline updates and rebooting the VM doing this can sometimes trigger the MissingRequiredBaseline state. This happens because Azure’s system may not be able to validate the manual installation properly. This could temporarily affect the VM’s ability to get future Hot patch updates. Again, while this exact behavior isn’t explicitly mentioned in the documentation, it aligns with Azure’s recommendation to let its automated patching handle updates, as manual updates can disrupt the system’s workflow.
ndsisg 20 Reputation points

2025-04-21T09:57:06.02+00:00

Hi @Akshay kumar Mandha ,

MissingRequiredBaseline state occurs even with the Azure auto-update job as I mentioned in my update 4/20/2025. Confirmed this with multiple VMs. So, it doesn't matter if we install manually or let Azure install automatically, this warning state occurs!

I understand this is a temporary problem. Could you please let me know how this can be fixed?

Or will this warning be resolved automatically when the next Azure auto-update job runs to install hotpatch updates?

My preference is to let Azure install the updates automatically without fail even if there's a slight delay.
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-22T12:59:46.3+00:00

The baseline cumulative update (KB5055526) is successfully installed, but the hot patch system backend validation fails to detect it properly under certain conditions. This typically happens when the Azure Safe Deployment update job runs just before the CU was officially published. There is a lag between update installation and backend readiness validation, causing the system to temporarily show missing required baseline. Azure’s Hot patch system is designed to automatically reconcile the baseline state during the next scheduled safe deployment job or hot patch cycle. The missing required baseline warning will typically clear once the next Azure update orchestration job runs, and it revalidates the VM’s state with the correct patch metadata and yes, your preference to let Azure auto-install updates is the correct and recommended approach.
Reference- https://learn.microsoft.com/en-us/windows-server/get-started/hotpatch
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-23T11:40:09.9933333+00:00

Hello ndsisg, hope I was able to clear your query here.
ndsisg 20 Reputation points

2025-04-23T12:42:32.3966667+00:00

Hi Arko,

You said that the missing required baseline warning will typically clear once the next Azure update orchestration job runs.

The job just ran at yesterday 4/22/2025, 23:51CST. But it did not fix the warning yet?

(fyi, this job did not install any updates since there was no matching criteria)
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-24T08:20:37.37+00:00

Hope I was able to clear your follow up query here ndsisg. Thanks
ndsisg 20 Reputation points

2025-04-24T09:45:39.62+00:00

Okay. So, the MissingRequiredBaseline warning does not affect the installation of hotpatch applicable updates. It will eventually be cleared when the next job actually installs an update. I think I got my answer.

Thank you Arko
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-24T10:30:49.0666667+00:00

Glad I was able to clear your follow up query ndsisg, updating the same as answer for you to accept it so that anyone having similar query on QnA forum can refer to it. Thanks.

Accepted answer

0 additional answers

Your answer

Akshay kumar Mandha 3,160 Reputation points Microsoft External Staff Moderator

2025-04-21T06:59:32.58+00:00

Hi ndsisg,
Based on your query,
I understand your concern, that you are facing the issue.
When it comes to baseline updates for Hotpatch-enabled Azure VMs, they are designed to install automatically as part of Azure’s patching process. However, in your case, it seems the timing might have caused a delay for example, the auto-update job might have run just before the baseline update was published. While this specific situation is not directly mentioned in the documentation, Azure generally addresses these kinds of delays in the next update cycle.

Now, about manually installing baseline updates and rebooting the VM doing this can sometimes trigger the MissingRequiredBaseline state. This happens because Azure’s system may not be able to validate the manual installation properly. This could temporarily affect the VM’s ability to get future Hot patch updates. Again, while this exact behavior isn’t explicitly mentioned in the documentation, it aligns with Azure’s recommendation to let its automated patching handle updates, as manual updates can disrupt the system’s workflow.
ndsisg 20 Reputation points

2025-04-21T09:57:06.02+00:00

Hi @Akshay kumar Mandha ,

MissingRequiredBaseline state occurs even with the Azure auto-update job as I mentioned in my update 4/20/2025. Confirmed this with multiple VMs. So, it doesn't matter if we install manually or let Azure install automatically, this warning state occurs!

I understand this is a temporary problem. Could you please let me know how this can be fixed?

Or will this warning be resolved automatically when the next Azure auto-update job runs to install hotpatch updates?

My preference is to let Azure install the updates automatically without fail even if there's a slight delay.
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-22T12:59:46.3+00:00

The baseline cumulative update (KB5055526) is successfully installed, but the hot patch system backend validation fails to detect it properly under certain conditions. This typically happens when the Azure Safe Deployment update job runs just before the CU was officially published. There is a lag between update installation and backend readiness validation, causing the system to temporarily show missing required baseline. Azure’s Hot patch system is designed to automatically reconcile the baseline state during the next scheduled safe deployment job or hot patch cycle. The missing required baseline warning will typically clear once the next Azure update orchestration job runs, and it revalidates the VM’s state with the correct patch metadata and yes, your preference to let Azure auto-install updates is the correct and recommended approach.
Reference- https://learn.microsoft.com/en-us/windows-server/get-started/hotpatch
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-23T11:40:09.9933333+00:00

Hello ndsisg, hope I was able to clear your query here.
ndsisg 20 Reputation points

2025-04-23T12:42:32.3966667+00:00

Hi Arko,

You said that the missing required baseline warning will typically clear once the next Azure update orchestration job runs.

The job just ran at yesterday 4/22/2025, 23:51CST. But it did not fix the warning yet?

(fyi, this job did not install any updates since there was no matching criteria)
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-24T08:20:37.37+00:00

Hope I was able to clear your follow up query here ndsisg. Thanks
ndsisg 20 Reputation points

2025-04-24T09:45:39.62+00:00

Okay. So, the MissingRequiredBaseline warning does not affect the installation of hotpatch applicable updates. It will eventually be cleared when the next job actually installs an update. I think I got my answer.

Thank you Arko
Arko 2,605 Reputation points Microsoft External Staff Moderator

2025-04-24T10:30:49.0666667+00:00

Glad I was able to clear your follow up query ndsisg, updating the same as answer for you to accept it so that anyone having similar query on QnA forum can refer to it. Thanks.

Answer 1

Hello ndsisg,

The MissingRequiredBaseline does not clear just because an Azure Safe Deployment job ran.

It only clears when a new baseline Cumulative Update is actually installed by Azure during that orchestration cycle.

In your case, the Safe Deployment job ran at 4/22/2025, 23:51 CST but it did not install any updates (0 out of 2 updates installed). Therefore, no change was made to the Hotpatch baseline state. Hence, the MissingRequiredBaseline persists.

enter image description here

Why this happens?
Ans- Azure Hot patch depends on recognized metadata from the Azure Update Manager flow to validate that the baseline CU was applied during orchestration. Even if the CU (KB5055526) is technically present on the system, azure may not update readiness if the CU was installed before the orchestration window, or the CU was manually installed or the CU was not applied during the specific Safe Deployment job.

What to do?
Ans- There is no manual fix required. The warning will typically clear during the next orchestration cycle that installs a new applicable baseline CU. Until then, the VM remains eligible for updates, but hot patching is deferred due to missing baseline validation.

Microsoft Documentation References

Hotpatch for Windows Server – Microsoft Docs

"Hotpatch first establishes a baseline with the current Cumulative Update for Windows Server. Every three months, the baseline periodically refreshes with the latest Cumulative Update."

Patch orchestration process – Microsoft Docs

"VMs you create in Azure using a supported Windows Server image have Automatic VM Guest Patching enabled by default. Hotpatch automatically downloads and applies patches classified as Critical or Security to your VM."

Share via

Clarification on Baseline Update Installation for Hotpatch-Enabled Azure VM

0 additional answers

Your answer