How to preview: Azure Arc-connected Hotpatching for Windows Server 2025
As you may recall, we recently announced a public preview of Hotpatching on Windows Server 2025 VMs in Azure. With this latest preview we are moving towards fulfilling a top request from customers who want this capability for their on-premises machines. With this optional Hotpatching capability you will be able to benefit from fewer reboots of your Windows Server 2025 machines. The capability was previously limited to Windows Server 2022 Azure Edition VMs in Azure. The preview gives you an opportunity to try the capability, see how it will work in the upcoming Windows Server 2025, and provide feedback.
What is Hotpatching?
Hotpatching is a way to install OS security updates on machines without requiring a reboot after installation. It works by patching the in-memory code of running processes without restarting the process. We first shipped this feature in Windows Server 2022 Azure Edition.
Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting.
Reduced time exposed to security risks and shorter change windows, with easier patch orchestration through Azure Update Manager.
Fewer binaries mean updates download and install faster and consume fewer disk and CPU resources.
Lower workload impact with fewer reboots.
What is part of the preview?
With this preview you can connect your Windows Server 2025 Datacenter Evaluation edition machines to Azure Arc and subscribe to Hotpatching. [See steps below].
Connect your Windows Server 2025 Datacenter Evaluation machines to Azure Arc
Subscribe to or unsubscribe from the Hotpatching service via the Azure Arc portal
Manage deployment of Hotpatch updates natively on Azure via Azure Update Manager.
Getting Started
To get started, follow the steps below. For any feedback or questions, contact us at hotpatchfeedback@microsoft.com.
Step
Instructions
Create VM using WS 2025 Datacenter from Evaluation center
Set up the VM using Windows Server 2025 Preview
Download the ISO image from the Evaluation center. You may have to fill in a form and provide your email address.
On Hyper-V or another platform, create a Gen 2 VM and use the option to create the VM from an ISO.
For the installation media, point to the ISO downloaded from the Evaluation center.
For detailed steps read the articles below:
Create a virtual machine in Hyper-V | Microsoft Learn
Create a virtual machine with Hyper-V on Windows 11 | Microsoft Learn
If you are using VMware as your virtualization platform then on the Select a guest OS page, select Enable Windows Virtualization Based Security. More details here.
Enable Virtualization Based Security
Run the command below in an elevated command prompt. A reboot is needed after the registry setting is applied.
reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
To check if VBS is running post reboot, open “System Information” on your machine.
If you are using VMware and VBS is still not running, follow the documentation here: Enable Virtualization-based Security on a Virtual Machine (vmware.com)
Install KB5040435 (7B Security update)
Download and install the July security update, or use Azure Update Manager. This is needed for you to observe that the September security update will not need a reboot.
Connect the VM to Azure Arc
Connect the VM to Azure Arc: Quickstart – Connect hybrid machine with Azure Arc-enabled servers – Azure Arc | Microsoft Learn
You will need to run the script from the Azure Arc portal on your machine (PowerShell).
Admin Opt In + Hotpatch Subscription
Now go to and enable Hotpatching.
On the top of the page click on Azure Arc
Click on Machines on the left panel
You will now see the Azure Arc connected machine you set up in the list. Click on that.
This will take you to the server management page, where you will see the Hotpatch card towards the bottom.
Clicking that tile opens a fly-in page on the side that allows you to select Hotpatching. Check the box and click the Confirm button at the bottom. Behind the scenes, the Azure Arc-connected server will be configured to receive Hotpatches.
It will take about 10 minutes for the operation to complete. If you refresh the page while the operation is in progress, the Hotpatch tile will show a “Pending” status. After the enrollment operation is confirmed, the Hotpatch tile shows that the service is Enabled.
Note: if the status is stuck on Pending, the chances are that the Azure Arc agent has not been updated. To update the Arc agent, run the commands below in PowerShell on the machine:
# Add TLS 1.2 (value 3072) to the protocols used for the download
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072;
# Download the agent installer script to the temp folder, then run it
Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1";
& "$env:TEMP\install_windows_azcmagent.ps1";
The Azure Arc attached machine is now ready to receive Hotpatches.
Scan and install 9B Hotpatch
Now, when you perform a Windows Update scan, you are offered a Hotpatch [see image below]. If you are not offered a Hotpatch, pause the update and send us the update logs. To get the update logs, run this command in PowerShell: Get-WindowsUpdateLog
Below is a screenshot where Windows Hotpatch update for September is completed and does not need a reboot.
You can also use SConfig to download and install the Hotpatch update, if you are offered other updates that you are not interested in installing.
Scan and install 9B Hotpatch using Azure Update Manager
Using Azure Update Manager, you can identify all machines that are eligible for Hotpatches, and plan installation of Hotpatches on a schedule.
Because Hotpatches are non-intrusive to availability, you can create faster schedules and update your services immediately after release, with less planning needed to maintain the reliability of your machines at scale.
Here’s how to manage Hotpatches using Azure Update Manager:
1. Verify that the Hotpatch subscription is available or has already been enabled from the Updates tab of your Arc Server:
The change option above allows you to enable or cancel the Hotpatch subscription on-demand.
2. You can scan and view the 9B update offered to this machine by performing an assessment.
3. You can choose to include the specific 9B update and when to install it on your Arc server by creating a user-defined schedule or one-time update. You can install it immediately after it is available, allowing your machine to get secure faster.
4. Verify whether the 9B update has been installed and the reboot status of the machine by viewing history.
These steps provide a streamlined way to plan installation of Hotpatches on your Arc machine.
Hotpatch Preview FAQ:
Are there any prerequisites for subscribing to Hotpatching?
There are some prerequisites:
Windows Server 2025 Datacenter evaluation
Virtualization Based Security should be enabled and running on your machine
July Security update installed
Machines should be Azure Arc connected
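The four prerequisites above can be checked on the machine itself before subscribing; the following is an added example, not part of the original post or a Microsoft-provided script. The function name Test-HotpatchPrerequisite is hypothetical, and the `status` field read from `azcmagent show --json` is an assumption about the agent's JSON output.

```powershell
# Added example: verify the Hotpatch preview prerequisites listed in the FAQ.
# Run in an elevated PowerShell session on the Windows Server 2025 VM.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param(
        [string]$BaselineKb = 'KB5040435'   # July security update named on the page
    )

    # 1. Edition: the preview targets Windows Server 2025 Datacenter Evaluation.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionOk = $os.Caption -match 'Windows Server 2025 Datacenter'

    # 2. VBS must be running, not just configured.
    #    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $vbsOk = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # The registry value set earlier on the page, reported to separate
    # "never configured" from "configured but not running" (e.g. hypervisor setting missing).
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\ControlSet001\Control\DeviceGuard' `
        -Name 'EnableVirtualizationBasedSecurity' -ErrorAction SilentlyContinue
    $vbsDetail = "status=$($dg.VirtualizationBasedSecurityStatus); " +
                 "registry=$($reg.EnableVirtualizationBasedSecurity)"

    # 3. Baseline update installed.
    $kbOk = [bool](Get-HotFix -Id $BaselineKb -ErrorAction SilentlyContinue)

    # 4. Arc agent present and connected ('status' field name is an assumption).
    $arcStatus = 'azcmagent not found'
    $cmd = Get-Command azcmagent -ErrorAction SilentlyContinue
    if ($cmd) {
        $agent = & $cmd.Source show --json | Out-String | ConvertFrom-Json
        $arcStatus = [string]$agent.status
    }

    [pscustomobject]@{ Check = 'OS edition';      Passed = $editionOk; Detail = $os.Caption }
    [pscustomobject]@{ Check = 'VBS running';     Passed = $vbsOk;     Detail = $vbsDetail }
    [pscustomobject]@{ Check = "$BaselineKb";     Passed = $kbOk;      Detail = 'Get-HotFix lookup' }
    [pscustomobject]@{ Check = 'Arc connected';   Passed = ($arcStatus -eq 'Connected'); Detail = $arcStatus }
}

Test-HotpatchPrerequisite | Format-Table -AutoSize
```

A VBS row showing registry=1 with status 0 or 1 after a reboot points at the hypervisor-side setting described in the VMware note rather than at the guest registry.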