Windows Server News and Best Practices

How to preview: Azure Arc-connected Hotpatching for Windows Server 2025

VishalBajaj
Sep 20, 2024

As you may recall, we recently announced a public preview of Hotpatching on Windows Server 2025 VMs in Azure. With this latest preview we are moving towards fulfilling a top customer request: bringing this capability to on-premises machines. You will be able to benefit from the reduced reboots of your Windows Server 2025 machines with this optional Hotpatching capability, which was previously limited to Windows Server 2022 Azure Edition VMs in Azure. The preview gives you an opportunity to try this new capability, see how it will work in the upcoming Windows Server 2025, and provide feedback.

What is Hotpatching?

Hotpatching is a way to install OS security updates on machines without needing a reboot after installation. It works by patching the in-memory code of running processes without restarting those processes. We first shipped this feature in Windows Server 2022 Azure Edition.

  • Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting.
  • Reduced time exposed to security risks and shorter change windows, plus easier patch orchestration with Azure Update Manager.
  • Fewer binaries mean updates download and install faster and consume fewer disk and CPU resources.
  • Lower workload impact with fewer reboots.

What is part of the preview?

With this preview you can connect your Windows Server 2025 Datacenter Evaluation edition machines to Azure Arc and subscribe to Hotpatching. See the steps below.

  • Connect your Windows Server 2025 Datacenter Evaluation machines to Azure Arc.
  • Subscribe to or unsubscribe from the Hotpatching service via the Azure Arc portal.
  • Manage deployment of Hotpatch updates natively on Azure via Azure Update Manager.

Getting Started

To get started, follow the steps below. For any feedback or questions, contact us at hotpatchfeedback@microsoft.com.

Create a VM using Windows Server 2025 Datacenter from the Microsoft Evaluation Center

  1. Download the Windows Server 2025 ISO image from the Microsoft Evaluation Center. Note: You may have to fill in a form and provide your email address.
  2. On Hyper-V, or another platform, create a Gen 2 VM and use the option to create the VM from the ISO.
  3. For installation media, point to the ISO downloaded from the Evaluation Center.

For detailed steps, see Create a virtual machine in Hyper-V and Create a virtual machine with Hyper-V on Windows 11.

If you are using Omnissa as your virtualization platform, on the Select a guest OS page, select Enable Windows Virtualization-Based Security. For more details, click here.

Enable Virtualization-based security (VBS)

Run the command below in an elevated command prompt. You will need to restart after modifying the registry setting.

Reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To check whether VBS is running after the reboot, open System Information on your machine. You should see the Virtualization-based security entry reported as Running.

If you are using Omnissa and VBS is still not running, follow the steps outlined in this documentation.

Install the July 2024 monthly security update (KB5040435)

Download and install the July 2024 security update, or use Azure Update Manager to do so. This baseline is needed so that you can observe that the September 2024 security update does not require a restart.

Connect the VM to Azure Arc

For step-by-step instructions on how to connect your virtual machine to Azure Arc, see Quickstart - Connect hybrid machine with Azure Arc-enabled servers. You will need to run the PowerShell script from the Azure Arc portal on your machine.

Enabling hotpatching

To enable Hotpatching, in the Azure Portal, select Azure Arc from the Azure services tiles, then select Machines.

You will see the Azure Arc connected machine you set up earlier displayed in the list:

Selecting that machine will take you to the server management page. You will see a Hotpatch (preview) card towards the bottom.

Select the tile to activate a pop-out that will allow you to select Hotpatching. Tick the box and select Confirm. Behind the scenes the Azure Arc connected server will be configured to receive Hotpatches.

It takes about 10 minutes for the operation to complete. If you refresh the page while the operation is in progress, the Hotpatch tile will show a status of Pending. After enrollment is complete, the Hotpatch tile will show that the service is Enabled.

Note: If the status is stuck on Pending, the Azure Arc agent has likely not yet been updated. To update the Arc agent, run the following commands in PowerShell on the machine:

# Ensure TLS 1.2 (0x0C00 = 3072) is allowed for the download
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072;
# Download the Azure Connected Machine agent installer script to the temp folder
Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1";
# Run the installer, which upgrades an existing agent in place
& "$env:TEMP\install_windows_azcmagent.ps1";

The Azure Arc attached machine is now ready to receive Hotpatches!

Scan and install the September 2024 Hotpatch

After completing the steps above, when you perform a Windows Update Scan, you will be offered a Hotpatch [see image below]. If you notice that you are not offered a Hotpatch, please pause the update and send us the update logs. To get update logs, run this command in PowerShell:

Get-WindowsUpdateLog

When the Hotpatch update for September has successfully completed, without requiring the machine to restart, you will see this in the Windows Update history.

You can also use the Server Configuration tool (SConfig) to download and install the Hotpatch update if you are offered other updates that you are not interested in installing.

Scan and install the September 2024 Hotpatch using Azure Update Manager

Using Azure Update Manager, you can identify all machines that are eligible for hotpatch updates and plan installation of those updates on a schedule. Because hotpatch updates do not disrupt availability, you can create faster schedules and update your services immediately after release, with less planning needed to maintain the reliability of your machines at scale.

Here’s how to manage hotpatch updates using Azure Update Manager:

  1. Verify that the Hotpatch subscription is available or has already been enabled from the Updates tab of your Arc server. Select Change next to Hotpatch to cancel or enable the Hotpatch subscription on demand.
  2. Scan and view the September 2024 security update offered to the machine by performing an assessment.
  3. Choose to include the September 2024 security update, and when to install it on your Arc server, by creating a user-defined schedule or a one-time update. You can install it immediately after it becomes available, allowing your machine to get secure faster.
  4. Verify whether the 9B update has been installed, and the reboot status of the machine, by viewing the history.

By following the steps in this post, you have a streamlined way to plan for the installation of Hotpatches on your Arc machines.

Hotpatch preview: frequently asked questions

Are there any prerequisites for subscribing to Hotpatching?
There are some prerequisites:

  1. Windows Server 2025 Datacenter evaluation
  2. Virtualization Based Security should be enabled and running on your machine
  3. July Security update installed
  4. Machines should be Azure Arc connected
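
The VBS check earlier in this post and the four prerequisites above can be verified in one pass before you subscribe. The following script is an added example for this post, not Microsoft's own tooling; it assumes the OS caption of an evaluation install contains "Datacenter Evaluation", reads the same DeviceGuard registry key the reg add command above writes, and treats the Arc connected machine agent's himds service as the sign that the machine is Arc connected.

```powershell
# Constructed preflight check for the Hotpatch preview prerequisites listed in this post.
# Run in an elevated PowerShell session on the Windows Server 2025 machine. Read-only.
$Checks = [ordered]@{}

# 1. Edition: the preview is scoped to Windows Server 2025 Datacenter Evaluation.
#    Assumption: the caption reads like "Microsoft Windows Server 2025 Datacenter Evaluation".
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$Checks['WS2025 Datacenter Evaluation'] = ($os.Caption -match '2025' -and $os.Caption -match 'Datacenter Evaluation')

# 2. VBS: the registry value the post's reg add sets, plus the live status reported by Device Guard.
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$regPath = 'HKLM:\SYSTEM\ControlSet001\Control\DeviceGuard'   # same key as the post's reg add
$vbsReg  = (Get-ItemProperty -Path $regPath -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$Checks['VBS enabled in registry'] = ($vbsReg -eq 1)
$Checks['VBS running']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# 3. Baseline: the July 2024 security update (KB5040435) must already be installed.
$Checks['KB5040435 installed'] = [bool](Get-HotFix -Id 'KB5040435' -ErrorAction SilentlyContinue)

# 4. Azure Arc: the connected machine agent runs as the 'himds' service (assumption: a running
#    himds service means the machine has been onboarded with the portal's script).
$himds = Get-Service -Name himds -ErrorAction SilentlyContinue
$Checks['Azure Arc agent running'] = ($null -ne $himds -and $himds.Status -eq 'Running')

# Report each prerequisite, then point at the post's remediation for the most common gap.
$Checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if (-not $Checks['VBS enabled in registry']) {
    Write-Warning "VBS is not enabled. Run the post's reg add command in an elevated prompt, then reboot."
}
elseif (-not $Checks['VBS running']) {
    Write-Warning 'VBS is enabled but not running. Reboot, and on Omnissa confirm Windows Virtualization-Based Security is enabled for the guest.'
}
```

A machine that reports OK on all five lines is ready for the Hotpatch (preview) tile; a Pending status after enabling it usually points at the Arc agent update step in this post rather than at these prerequisites.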

Updated Nov 19, 2024
Version 4.0