VMware introduced Live Patch as part of vSphere 8 Update 3, enabling ESXi hosts to receive critical fixes without evacuating virtual machines or rebooting the host. Live Patch is designed to reduce the operational disruption of traditional ESXi patching: instead of taking hosts offline or performing rolling maintenance across a cluster, administrators can apply selected security and reliability patches to a running ESXi host.
This capability is built on a mechanism that installs the patched components into a new mount version of the ESXi runtime and then switches the running system over to it, so only the affected components are replaced. Because the hypervisor keeps running, virtual machines remain online throughout the patching process. Live Patch specifically targets critical and high-priority fixes, such as security vulnerabilities and stability issues, allowing organizations to react quickly without compromising availability.
Live Patch is fully integrated with vSphere Lifecycle Manager (vLCM). Compatible patches appear as "Live Patch-capable", and applying them requires no changes to existing cluster image workflows. When Live Patch is used, ESXi hosts maintain workload availability, avoid VM evacuation, and eliminate host reboots, which significantly increases operational uptime and simplifies patch maintenance planning.
By removing the need for disruptive reboots, VMware Live Patch enhances security responsiveness and helps organizations maintain consistent uptime across their vSphere and VMware Cloud Foundation environments.
Key Pointers:
- Eligible patches can be applied immediately with a much shorter maintenance window; no VM or vSAN data migration is needed. Live Patch is integrated with vLCM and must be enabled there (it is a cluster remediation setting).
- vCenter Server and ESXi must both be 8.0 U3 or later.
- DRS must be enabled and set to fully automated.
- This feature is not compatible with hosts that have TPM enabled or hosts that use DPUs.
- Workflow: Download/sync a Live Patch-capable image to the depot -> Enable "Enforce Live Patch Policy" in the cluster remediation settings -> Set the Live Patch image in the cluster desired image spec -> Run a compliance scan -> Run a remediation pre-check -> Remediate the cluster.
- Backend process: A new mount version of the ESXi runtime is created, the patched components are installed into that new mount version, and the host is then switched over from the original mount version to the updated one.
- Virtual machines are Fast-Suspend-Resumed (FSR) as part of host remediation. This is non-disruptive to the guest: the vmx process is reloaded in place and the VM is neither migrated nor restarted.
Note: Not all VMs are compatible with FSR. VMs that cannot be FSR'd, for example VMs using DirectPath I/O, must be migrated off the host or powered off before remediation.
- As of now, Live Patch applies to the VMkernel and NSX components of the ESXi image.
- A Live Patch update can be rolled back manually by booting the host from the alternate boot bank (press Shift+R while ESXi is loading).
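The prerequisites and the FSR caveat above are the things to verify before putting a Live Patch image in a cluster's desired spec. The following pre-flight check is an added example, not VMware code or a vLCM API: it encodes the requirements listed on this page (vCenter Server and ESXi 8.0 U3 or later, fully automated DRS, no TPM, no DPUs, and the VMs that will need migration instead of FSR) against a plain-dict inventory. The dict layout, the field names and the sample cluster are constructed for the example; in a real environment you would fill the same structure from pyVmomi or the vSphere REST API. It assumes the product version string of 8.0 U3 is "8.0.3".

```python
"""Pre-flight check for vSphere Live Patch eligibility.

Added example (not VMware's code). The inventory layout below is an
assumption: each host is a dict with name, version, tpm_enabled, dpu and a
list of VM dicts; VMs that use DirectPath I/O carry directpath_io=True.
"""
from dataclasses import dataclass, field

# vSphere 8.0 Update 3 reports product version 8.0.3 (assumed baseline).
MIN_VERSION = (8, 0, 3)


def parse_version(text: str) -> tuple:
    """Turn a dotted product version such as '8.0.3' into (8, 0, 3).

    Missing components are treated as 0, so '9.0' becomes (9, 0, 0) and
    compares correctly against MIN_VERSION.
    """
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


@dataclass
class Report:
    # Conditions that make the whole cluster ineligible for Live Patch.
    blockers: list = field(default_factory=list)
    # VMs that cannot be Fast-Suspend-Resumed and must be moved or powered off.
    vms_needing_migration: list = field(default_factory=list)
    # VMs that will simply be FSR'd in place during remediation.
    vms_fsr: list = field(default_factory=list)

    @property
    def eligible(self) -> bool:
        return not self.blockers


def live_patch_precheck(vcenter_version: str, cluster: dict) -> Report:
    """Apply the page's Live Patch requirements to one cluster."""
    report = Report()
    if parse_version(vcenter_version) < MIN_VERSION:
        report.blockers.append(f"vCenter {vcenter_version} is older than 8.0 U3")
    if cluster.get("drs_automation_level") != "fullyAutomated":
        report.blockers.append("DRS must be enabled and fully automated")
    for host in cluster["hosts"]:
        name = host["name"]
        if parse_version(host["version"]) < MIN_VERSION:
            report.blockers.append(f"{name}: ESXi {host['version']} is older than 8.0 U3")
        if host.get("tpm_enabled"):
            report.blockers.append(f"{name}: hosts with TPM enabled are not supported")
        if host.get("dpu"):
            report.blockers.append(f"{name}: hosts with DPUs are not supported")
        for vm in host.get("vms", []):
            # DirectPath I/O VMs cannot be FSR'd; everything else stays online.
            if vm.get("directpath_io"):
                report.vms_needing_migration.append(vm["name"])
            else:
                report.vms_fsr.append(vm["name"])
    return report


# Constructed sample inventory, not taken from a real environment.
SAMPLE_CLUSTER = {
    "name": "Cluster-A",
    "drs_automation_level": "fullyAutomated",
    "hosts": [
        {"name": "esx01", "version": "8.0.3", "tpm_enabled": False, "dpu": False,
         "vms": [{"name": "web01"}, {"name": "gpu01", "directpath_io": True}]},
        {"name": "esx02", "version": "8.0.2", "tpm_enabled": True, "dpu": False,
         "vms": [{"name": "db01"}]},
    ],
}

if __name__ == "__main__":
    rep = live_patch_precheck("8.0.3", SAMPLE_CLUSTER)
    print("eligible:", rep.eligible)
    for b in rep.blockers:
        print("blocker:", b)
    print("migrate first:", rep.vms_needing_migration)
    print("FSR in place:", rep.vms_fsr)
```

Run against the sample cluster, the check reports esx02 twice (ESXi 8.0.2 is below 8.0 U3, and TPM is enabled), lists gpu01 as the one VM that has to be migrated or powered off, and leaves web01 and db01 to be Fast-Suspend-Resumed. Fix the blockers, then proceed with the vLCM workflow (scan, pre-check, remediate); the pre-check in vLCM is still authoritative, this script only helps you find problems before you start.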
Reference links:
https://blogs.vmware.com/cloud-foundation/2024/06/25/vmware-vsphere-8-u3-initial-availability-announcement/
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/9-0/managing-host-and-cluster-lifecycle/configuring-vlcm-remediation-settings-1/how-to-apply-live-patches-to-the-hosts-in-a-cluster-managed-with-images.html
