Microsoft Introduces Hotpatching in Windows Server 2025 to Minimize Downtime

Microsoft has unveiled a significant enhancement in Windows Server 2025: the introduction of hotpatching, a feature designed to apply security updates without necessitating system reboots. This advancement aims to reduce downtime and streamline server maintenance processes.

Understanding Hotpatching

Hotpatching enables the application of operating system security updates by modifying the in-memory code of active processes. This method eliminates the need to restart these processes or the entire server, thereby maintaining continuous system availability. The primary advantages of hotpatching include:

– Reduced Downtime: Traditionally, servers require monthly reboots for updates, leading to operational disruptions. With hotpatching, the frequency of mandatory reboots is significantly decreased. Microsoft’s Windows Server Director of Product, Hari Pulapaka, noted, “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots.” ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-hotpatching-in-public-preview-installs-security-updates-without-restarts/?utm_source=openai))

– Efficient Resource Utilization: Hotpatching involves fewer binaries, resulting in faster download and installation times while consuming less disk space and CPU resources.

– Enhanced Security: By reducing the time systems are exposed to vulnerabilities, hotpatching improves overall security posture.

Implementation and Availability

Initially, hotpatching was exclusive to Windows Server 2022 Datacenter: Azure Edition, requiring deployment within Azure environments. With Windows Server 2025, Microsoft has expanded this capability to include on-premises and non-Azure servers through integration with Azure Arc. This expansion allows organizations to implement hotpatching across various infrastructures, including physical servers and virtual machines running on platforms like Hyper-V and VMware. ([helpnetsecurity.com](https://www.helpnetsecurity.com/2024/09/23/windows-server-2025-hotpatching/?utm_source=openai))

Subscription Model and Requirements

Starting July 1, 2025, the hotpatching service will transition to a subscription-based model. Organizations wishing to utilize this feature will need to pay $1.50 USD per CPU core per month. This pricing remains consistent throughout the year, regardless of whether a particular month features hotpatches or baseline updates. To implement hotpatching outside of Azure environments, users must:

– Run Windows Server 2025 Standard or Datacenter edition.

– Connect their server to Azure Arc.

– Subscribe to the Hotpatch service.

Organizations currently enrolled in the preview program will need to disenroll before June 30 to avoid automatic subscription enrollment.

Implementation Process

To implement hotpatching, administrators should:

1. Connect the machine to Azure Arc, if not already Arc-enabled.

2. Sign into the Azure Arc portal.

3. Navigate to Azure Arc → Machines.

4. Select the machine name.

5. Select Hotpatch (preview), then select Confirm.

The service follows a three-month cycle with one baseline month (requiring a reboot) followed by two months of hotpatches (no reboot required). The four planned baseline months are January, April, July, and October, with the goal of providing up to eight hotpatches annually.

Benefits and Future Outlook

Microsoft highlights several benefits of the hotpatching system:

– Higher Availability: Fewer reboots lead to increased system uptime.

– Faster Deployment: Smaller update packages result in quicker installations.

– Enhanced Security: Quicker patch implementation reduces vulnerability windows.

– Lower Resource Consumption: Fewer binaries to process decrease resource usage.

As Microsoft’s Xbox team discovered, hotpatching can reduce processes that used to take weeks down to just a couple of days.

Windows Server 2025 Datacenter: Azure Edition users on Azure IaaS, Azure Local, or Azure Stack can continue using hotpatching at no additional cost. These users don’t need to Arc-enable their machines or pay the subscription fee.

The hotpatching feature supports both Server with Desktop Experience and Server Core installation options, though all systems must satisfy the requirements for Virtualization-based security (VBS) and use Unified Extensible Firmware Interface (UEFI) with Secure Boot enabled.
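The prerequisites listed under Subscription Model and Requirements and in the paragraph above can be checked on a server before enrolling it. The following read-only preflight is an added example, not Microsoft's tooling: the function name `Test-HotpatchPrereq` is hypothetical, it assumes `azcmagent show` prints an `Agent Status : Connected` line, and it treats "VBS running" as the test for the VBS requirement. It does not check the Hotpatch subscription, which is managed in Azure.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): local preflight for the
# hotpatch prerequisites the article lists. Read-only; changes nothing.
function Test-HotpatchPrereq {            # hypothetical helper name
    $results = [ordered]@{}

    # Edition: Windows Server 2025 Standard or Datacenter.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['Windows Server 2025 Standard/Datacenter'] =
        $os.Caption -match 'Windows Server 2025 (Standard|Datacenter)'

    # UEFI with Secure Boot. The cmdlet throws on legacy BIOS systems,
    # which is treated here as a failed check.
    try   { $results['UEFI Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $results['UEFI Secure Boot enabled'] = $false }

    # VBS state from the Device Guard WMI class:
    # 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results['VBS running'] =
        ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Azure Arc connection. Per the article this is not needed for
    # Datacenter: Azure Edition on Azure IaaS, Azure Local or Azure Stack.
    # Assumption: the agent CLI is on PATH and reports "Agent Status : Connected".
    $agent = Get-Command azcmagent -ErrorAction SilentlyContinue
    if ($agent) {
        $status = (& $agent.Source show 2>$null | Out-String)
        $results['Azure Arc connected'] = $status -match 'Agent Status\s*:\s*Connected'
    } else {
        $results['Azure Arc connected'] = $false
    }

    # One object per check so the result can be filtered or exported.
    $results.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
    }
}

$report = Test-HotpatchPrereq
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'One or more hotpatch prerequisites are not met on this server.'
}
```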

Microsoft encourages organizations to try hotpatching during the preview period before the subscription model takes effect, allowing them to experience the benefits firsthand.