As you may recall we had recently announced a public preview of Hotpatching on Windows Server 2025 VMs in Azure. With this latest preview we are moving towards fulfilling a top request by customers who want this capability for their on-premise machines. You will be able to benefit from the reduced reboots of your Windows Server 2025 machines with this optional Hotpatching capability. This capability was earlier limited to Windows Server 2022 Azure Edition VMs in Azure. The preview provides an opportunity for you to try this new capability to see how it will work in the upcoming Windows Server 2025 and provide feedback.
What is Hotpatching?
Hotpatching is a way to install OS security updates on machines without the need of a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. We first shipped this feature in Windows Server 2022 Azure Edition.
What is part of the preview?
With this preview you can connect your Windows Server 2025 Datacenter Evaluation edition machines to Azure Arc and subscribe to Hotpatching. [See steps below].
Getting Started
To get started follow the steps below. For any feedback or questions contact us on hotpatchfeedback@microsoft.com
Step |
Instructions |
Create VM using WS 2025 Datacenter from Evaluation center |
Set up the VM using Windows Server 2025 Preview Download the ISO image from the Evaluation center. You may have to fill in a form and provide your email address.
On Hyper-V or other platform create a Gen 2 VM and use the option to create the VM using ISO.
For installation media point to the ISO downloaded from Evaluation center.
For detailed steps read the articles below: Create a virtual machine in Hyper-V | Microsoft Learn Create a virtual machine with Hyper-V on Windows 11 | Microsoft Learn
If you are using VMware as your virtualization platform then on the Select a guest OS page, select Enable Windows Virtualization Based Security. More details here. |
Enable Virtualization Based Security |
Run below command in elevated command prompt. Reboot needed post registry setting
To check if VBS is running post reboot, open “System Information” on your machine.
****If you are using VMware and VBS is still not running, follow the documentation here: Enable Virtualization-based Security on a Virtual Machine (vmware.com) |
Install KB5040435 (7B Security update) |
Download and install July security update or use Azure Update Manager. This is needed for you to observe that September Security update will not need a reboot. |
Connect the VM to Azure Arc |
Connect the VM to Azure Arc: Quickstart - Connect hybrid machine with Azure Arc-enabled servers - Azure Arc | Microsoft Learn You will need to run the script from the Azure Arc portal on your machine (Powershell)
|
Admin Opt In +Hotpatch Subscription |
Now go to and enable Hotpatching. On the top of the page click on Azure Arc
Click on Machines on the left panel
You will now see the Azure Arc connected machine you set up in the list. Click on that.
This will take you to the server management page where you will see Hotpatch card towards the bottom.
Clicking on that tile will have a fly-in page on the side that will allow you to select Hotpatching. Check the box and click the Confirm button at the bottom. Behind the scenes the Azure Arc connected server will be configured to receive Hotpatches.
It will take about 10 minutes for the operation to complete. If you refresh the page while the operation is going on the Hotpatch tile will show “Pending” Status. After the operation for enrollment is confirmed the Hotpatch tile shows that the service is Enabled. Note: if the Status is stuck on Pending then the chances are that the Azure Arc agent has not been updated. To update Arc Agent run the below command in PowerShell on the machine:
The Azure Arc attached machine is now ready to receive Hotpatches. |
Scan and install 9B Hotpatch |
Now, when you perform a Windows Update Scan you are offered a Hotpatch [see image below]. If you notice that you are not offered a Hotpatch then Pause the update and send us the Update logs. To get update logs run the command in PowerShell Get-WindowsUpdateLog Below is a screenshot where Windows Hotpatch update for September is completed and does not need a reboot.
You can also use SConfig to download and install the Hotpatch update, if you are offered other updates that you are not interested in installing. |
Scan and install 9B Hotpatch using Azure Update Manager |
Using Azure Update Manager, you can identify all machines that are eligible for Hotpatches, and plan installation of Hotpatches on a schedule. For Hotpatches being non-intrusive on availability, you can create faster schedules and update your services immediately after release, with less planning to maintain reliability of your machines at-scale.
Here’s how to manage Hotpatches using Azure Update Manager:
1. Verify that the Hotpatch subscription is available or has already been enabled from the Updates tab of your Arc Server:
The change option above allows you to enable or cancel the Hotpatch subscription on-demand. 2. You can scan and view the 9B update offered to this machine by performing an assessment.
3. You can choose to include the specific 9B update and when to install it on your Arc server by creating a user-defined schedule or one-time update. You can install it immediately after it is available, allowing your machine to get secure faster. 4. Verify whether the 9B update has been installed and the reboot status of the machine by viewing history. These steps provide a streamlined way to plan installation of Hotpatches on your Arc machine. |
Hotpatch Preview FAQ:
Are there any prerequisites for subscribing to Hotpatching?
There are some prerequisites:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.