How to enable hotpatching in Windows Server 2025 via Azure Arc: Easy Steps


Introduction

Keeping Windows Servers updated is a critical task for security and stability, but frequent reboots cause downtime and disrupt services. What if many of those updates could be applied without restarting the server? That’s exactly what hotpatching enables. In this article, we’ll explore how hotpatching in Windows Server 2025, combined with Azure Arc, lets you apply certain security updates without needing a reboot. We’ll walk you through the prerequisites, the setup steps, benefits, possible challenges (and how to solve them), plus FAQs to help you make informed decisions.

What is Hotpatching?

Hotpatching (currently in preview) refers to the ability to apply security updates (especially those affecting in-memory code of running processes) without requiring a reboot of the system. Unlike traditional updates or cumulative updates (LCUs) which often require a restart to replace files in use or update core kernel or OS components, hotpatches are designed to minimize system downtime.

What is Azure Arc?

Azure Arc is Microsoft’s service for connecting and managing physical machines, virtual machines (on-premises or in other clouds), Kubernetes clusters, and other resources from the Azure control plane. By onboarding servers via the Azure Connected Machine Agent, you can apply policies, deploy updates, monitor security, etc., all from Azure.

How Hotpatching and Azure Arc Work Together

Windows Server 2025 supports hotpatching for Standard and Datacenter editions, when the server is connected to Azure Arc. When enabled, hotpatching is managed via tools like Azure Update Manager or via the Azure Portal. It allows certain security updates to be applied without reboot, except for baseline or cumulative updates, which still require a restart.

Step-by-Step Guide: Enable and Use Hotpatching via Azure Arc

  1. Ensure your server meets prerequisites
    • Running Windows Server 2025 (build 26100.1742 or later).
    • Edition: Standard or Datacenter (Windows Server 2025). 
    • Virtualization-Based Security (VBS) enabled. UEFI firmware with Secure Boot enabled. For VMs, make sure they are generation-2 or equivalent to support these features.
    • Connected to Azure Arc via the Azure Connected Machine Agent.
    • An Azure subscription and Hotpatch service subscription (for on-premises or non-Azure environments).
  2. Enable VBS (if not already enabled)
    • Check VBS status using PowerShell or WMIC, for example:
      Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName Win32_DeviceGuard | Select-Object -ExpandProperty VirtualizationBasedSecurityStatus

      Or via WMIC, querying the DeviceGuard status. A value of 2 means VBS is enabled and running (0 means not enabled, 1 means enabled but not yet running, which usually indicates a pending reboot or a firmware requirement that is not met).

    • If not enabled, you may need to enable the relevant Device Guard/VBS policies via the registry or Group Policy, for example:
      New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\DeviceGuard' -Name 'EnableVirtualizationBasedSecurity' -PropertyType Dword -Value 1 -Force

      A reboot is required for the change to take effect; re-run the status check afterwards.
    • Ensure firmware settings: Secure Boot, UEFI, proper TPM, etc., based on your hardware or virtualization platform.
  3. Onboard the server to Azure Arc (if not already)
    • Install & configure the Azure Connected Machine Agent.
    • Verify in the Azure Portal that the server appears under Azure Arc → Machines.
  4. Enable Hotpatching in Azure Portal / Update Manager
    • Go to Azure Portal → Azure Update Manager → Machines.
    • Select the target Arc-enabled machine.
    • Under the Recommended updates section, find the Hotpatch option (Hotpatch (preview) or Enabled status).
    • Choose to license/enroll for Hotpatching (if required). Confirm enabling Hotpatching.
    • Wait for the status to change to “Enabled” (this might take some minutes).
  5. Configure Update Settings and Schedule
    • Using Azure Update Manager, define maintenance windows if needed so that updates occur at off-peak hours.
    • Select which types of updates to include (security updates, hotpatchable updates) and optionally exclude categories (e.g. non-security, .NET, firmware).
    • If managing many servers, use update settings at scale (grouping machines) to enable or disable Hotpatching or set schedules.
  6. Monitor and Validate Hotpatching
    • Check the “Hotpatch status” for Arc-enabled machines in the Azure Update Manager dashboard.
    • Review the update history (Settings → Windows Update → Update History on the server) to confirm that updates were installed as hotpatches; hotpatch installs carry a Hotpatch label in the history.
    • Verify uptime, check that critical services are running, and ensure no unintended restart was forced.
  7. Handle Baseline / Cumulative Updates
    • Remember: some updates (like the quarterly baseline LCUs) still require a reboot. Plan for about four reboots per year.
    • Schedule those reboots during low-impact windows. Communicate with stakeholders. Maintain backups.
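The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling. It checks the prerequisites from steps 1 to 3 on the server itself (OS build and edition, VBS state, UEFI Secure Boot, and whether the Azure Connected Machine Agent service is running) and, for step 6, lists entries in the local Windows Update history whose title carries the Hotpatch label. The function names, the minimum build taken from the prerequisites above, and the assumption that hotpatch entries contain "Hotpatch" in their title are this example's own; it must run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: local preflight check for hotpatch prerequisites and a
# look at update history. Function names are this example's own.

function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum build given in the prerequisites: 26100.1742
        [int]$MinBuild = 26100,
        [int]$MinUbr   = 1742
    )

    $results = [ordered]@{}

    # 1. OS build and edition (Windows Server 2025 Standard or Datacenter).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $results['Build']     = '{0}.{1}' -f $build, $ubr
    $results['BuildOk']   = ($build -gt $MinBuild) -or ($build -eq $MinBuild -and $ubr -ge $MinUbr)
    $results['Edition']   = $os.Caption
    $results['EditionOk'] = $os.Caption -match 'Windows Server 2025 (Standard|Datacenter)'

    # 2. VBS status: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName Win32_DeviceGuard
    $results['VbsStatus'] = $dg.VirtualizationBasedSecurityStatus
    $results['VbsOk']     = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # 3. UEFI with Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try {
        $results['SecureBoot']   = Confirm-SecureBootUEFI
        $results['SecureBootOk'] = [bool]$results['SecureBoot']
    } catch {
        $results['SecureBoot']   = 'not UEFI or not supported'
        $results['SecureBootOk'] = $false
    }

    # 4. Azure Connected Machine Agent: its himds service must be installed and running.
    $himds = Get-Service -Name himds -ErrorAction SilentlyContinue
    $results['ArcAgentService'] = if ($himds) { $himds.Status } else { 'not installed' }
    $results['ArcAgentOk']      = [bool]($himds -and $himds.Status -eq 'Running')

    $results['AllOk'] = $results['BuildOk'] -and $results['EditionOk'] -and
                        $results['VbsOk'] -and $results['SecureBootOk'] -and $results['ArcAgentOk']
    [pscustomobject]$results
}

function Get-HotpatchUpdateHistory {
    # Step 6: recent local Windows Update history entries labelled as hotpatches.
    # Assumption: hotpatch entries carry "Hotpatch" in their title. ResultCode 2 = succeeded.
    [CmdletBinding()]
    param([int]$Last = 50)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = [Math]::Min($Last, $searcher.GetTotalHistoryCount())
    if ($count -eq 0) { return @() }

    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match 'Hotpatch' } |
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Title     = $_.Title
                Succeeded = ($_.ResultCode -eq 2)
            }
        }
}

# Usage: run before enrolling the machine, and again after the first hotpatch cycle.
$check = Test-HotpatchPrerequisites
$check | Format-List
if (-not $check.AllOk) {
    Write-Warning 'One or more hotpatch prerequisites are not met; see the fields above.'
}
Get-HotpatchUpdateHistory | Format-Table -AutoSize
```

The prerequisite check deliberately reports each item separately rather than a single pass/fail, because the usual failure on existing fleets is VBS status 1 (enabled but not running), which points at a pending reboot or a firmware setting rather than at the OS build. The history query is read-only and complements, rather than replaces, the Hotpatch status shown in Azure Update Manager.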

Benefits

  • Reduced Downtime: Applying security hotpatches without reboot means servers stay up and running, improving availability for users, applications, services.
  • Faster Security Response: Smaller security-only hotpatches can be deployed sooner than waiting for full cumulative updates.
  • Operational Efficiency: Less time spent scheduling and executing reboots; simplifies patch management when you have many servers.
  • Reduced Maintenance Complexity: Azure Arc + Azure Update Manager centralizes patching and monitoring across hybrid and on-premises environments.
  • Security & Compliance: Faster closing of vulnerability windows; more consistent patch posture.
  • Predictable Reboot Cycle: Only about four required reboots per year (for baseline / cumulative updates), rather than monthly restarts.

Challenges and Solutions

Challenge: Server hardware or VM not supporting VBS or Secure Boot
Solution / Mitigation: Ensure firmware settings are correct (UEFI, Secure Boot enabled) and choose a VM generation that supports VBS (e.g. Gen-2 in Hyper-V or the equivalent in VMware). If the hardware is older, plan for upgrades or designate those servers as non-hotpatchable.

Challenge: Some updates not included in the hotpatch program
Solution / Mitigation: Understand the scope: non-security updates, .NET updates and driver/firmware patches are often excluded. Plan for baseline (cumulative) updates that require reboots. Monitor Microsoft documentation to know which patches need reboots.

Challenge: Subscription cost for on-premises or non-Azure machines
Solution / Mitigation: Evaluate the total cost per CPU core and compare it with the cost of downtime. Consider enabling hotpatching for critical servers first. Watch for promotional periods or preview phases before full charges begin.

Challenge: Compatibility issues with applications or services
Solution / Mitigation: Test hotpatching in staging/lab environments before rolling out to production. Monitor services after hotpatch deployment. Be ready to revert or to schedule a conventional patch if needed.

Challenge: Unexpected reboots or failures
Solution / Mitigation: Monitor Hotpatch status and check the update history. Ensure the server meets all technical prerequisites. Maintain backups, and use pre/post scripts to manage services before and after patches. Plan maintenance windows for baseline patches.

FAQs

1. What kinds of updates are eligible for hotpatching?
Primarily security updates that patch the in-memory code of running processes without having to replace files that are in use. Non-security updates, .NET updates, drivers and firmware updates are typically not part of hotpatching.
2. Do I still need to reboot sometimes?
Yes. Every ~3 months a baseline cumulative update is released that requires a reboot. Also, some unplanned or non-hotpatchable fixes may require reboot. Hotpatching reduces restarts, but doesn’t eliminate them.
3. What are the OS and edition requirements?
Windows Server 2025 Standard Edition or Datacenter Edition (build 26100.1742 or newer), on physical or virtual machines as long as they meet the hardware and firmware requirements (UEFI, Secure Boot, VBS). Hotpatching is also available on Windows Server 2022 Datacenter: Azure Edition Core.
4. How do I know if hotpatching is working on my server?
Via Azure Update Manager dashboard you can check the hotpatch status, view update history on the server (look for tags or “Hotpatch / Hotpatch (preview)” labels), and monitor uptime and service continuity.
5. How much does it cost?
For on-premises or non-Azure machines, after the preview period hotpatching is a subscription service at about USD 1.50 per CPU core per month. For Azure Edition machines (e.g. Windows Server Datacenter: Azure Edition) it is already included at no extra cost.
6. Is Azure Arc required?
Yes, for servers that are outside Azure or not using the Azure Edition OS, Azure Arc connection is required so that the Azure management/control plane can orchestrate hotpatching.
7. Can I automate hotpatching across many servers?
Yes. Azure Update Manager allows you to group machines, set maintenance windows, pre/post scripts, and manage hotpatch settings at scale.

Conclusion

Hotpatching in Windows Server 2025 via Azure Arc is a powerful method to apply security updates without frequent reboots, reducing downtime and improving server reliability. By meeting the prerequisites (proper OS edition, firmware & VBS enabled, Azure Arc connection), enabling the hotpatch service via Azure Update Manager, and planning for baseline cumulative updates, IT teams can strike a balance: strong security posture with less disruption. For many organizations, especially those with critical workloads, this means fewer maintenance windows, fewer surprises, and better uptime.
