Apply security updates and patches without requiring a reboot
Published: Dec 11, 2024
Hotpatching is a feature in Windows Server 2025 that lets administrators apply security updates without a system reboot in most months of the year, minimizing downtime and keeping workloads running. This article provides an overview of how to enable Windows Server 2025 Hotpatching. We’ll cover prerequisites, step-by-step instructions, best practices, and troubleshooting tips.
As organizations increasingly rely on Windows Server to manage critical business operations, minimizing downtime becomes essential. One of the latest innovations to support this need is hotpatching.
Microsoft initially announced and released a hotpatching (hotpatch) preview for Windows Server 2022 virtual machines (VMs) in Microsoft Azure (requiring the Windows Server 2022 Datacenter: Azure Edition image). As the feature has matured, Microsoft has been rolling it out to more platforms and environments, including physical servers. Hotpatching for Windows Server 2025, now in public preview, allows administrators to apply security updates with far fewer reboots throughout the year. Microsoft will likely release this feature to general availability sometime in 2025.
To be clear, Windows Server 2025 Hotpatching is not limited to Hyper-V. It also runs on other virtualization platforms such as VMware, and on any platform (virtual or physical) that can support Microsoft’s Virtualization-Based Security (VBS) feature. (More on this below.)
Instead of planning around twelve mandatory monthly reboots per year, Hotpatching targets just four planned reboots per year. On Patch Tuesday in January, April, July, and October, IT Pros can expect the monthly cumulative update (the “baseline”) to require a reboot. In the other months, the code of running processes is patched in memory by special Hotpatch security updates: faster installs and no reboot required. One caveat: Microsoft reserves the right to ship a reboot-requiring update in a hotpatch month if a particular fix cannot be delivered as a hotpatch, so “four reboots per year” is the expected schedule, not a guarantee.
Hotpatch updates are also lighter than a full cumulative update: they consume less CPU while installing and are much smaller, so they download and apply more quickly. Easier patch orchestration for IT Pros is always welcome.
There are some things to keep in mind before planning on using Hotpatching. Let’s go through the main prerequisite for enabling it: Virtualization-Based Security.
Hotpatching works by updating the in-memory code of running processes without restarting them. To ensure those in-memory modifications are applied securely, the secure kernel provided by VBS must be running, so the system must support VBS (in practice: a hypervisor that exposes virtualization extensions to the OS, which for a VM means nested virtualization enabled on the host).
This setting should be on by default, but to verify VBS is enabled, run msinfo32 and look at the “Virtualization-based security” line under System Summary. It should read “Running”.
In my case it did not, so I needed to enable it. I ran this command to update the Registry and then rebooted. (The original command targeted ControlSet001; CurrentControlSet is the safer choice because it always points at the control set that is actually in use.)
Reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
After the reboot I checked msinfo32 again and the item now shows “Running”. Ready to proceed.
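The same verify-then-enable sequence can be scripted instead of read off the msinfo32 screen. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes an elevated PowerShell session on Windows Server 2025 (or 2022) and uses the built-in Win32_DeviceGuard and Win32_ComputerSystem CIM classes. The numeric status codes in the comments are the documented values for those classes.

```powershell
# Added example: report VBS / secure kernel state and enable VBS if it is off.
# Assumes an elevated PowerShell session on Windows Server 2025 (or 2022).

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
"VBS status            : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"

# Without a hypervisor underneath the OS the secure kernel can never load.
# On a VM this means the host must expose virtualization extensions to the guest.
$hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
"Hypervisor present    : $hvPresent"

# SecurityServicesRunning lists the VBS-backed services currently active
# (1 = Credential Guard, 2 = HVCI / memory integrity, 3 = System Guard Secure Launch, ...).
$running = if ($dg.SecurityServicesRunning) { $dg.SecurityServicesRunning -join ', ' } else { 'none' }
"VBS services running  : $running"

if (-not $hvPresent) {
    Write-Warning 'No hypervisor detected. Enable nested virtualization on the host (or Hyper-V on bare metal) before VBS can run.'
}

if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    # Same registry value the Reg.exe command in the post sets, written under
    # CurrentControlSet so it lands in the control set that is actually active.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Write-Warning 'VBS enabled in the registry. Reboot, then re-run this script and confirm the status reads "Running".'
} else {
    'VBS secure kernel is running; the hotpatching prerequisite is met.'
}
```

Run it once before the change and once after the reboot; the second run should report status “Running” and a hypervisor present. If the hypervisor check fails on a VM, no registry setting will help until nested virtualization is turned on at the host.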
With VBS running, the server can be enrolled in Hotpatching. For servers outside Azure, enrollment is done through Azure Arc: the machine is Arc-connected and then enabled for hotpatch in Azure Update Manager.
After enrollment is complete, we should be good to go. The server is expected to install the normal (reboot-requiring) cumulative updates in December and January, then receive Hotpatches in February and March, until the next baseline cycle requires a reboot in April, and so on.
Because we are in the early stages of this feature in public preview, we don’t yet have any update history to prove hotpatching is working. After the quarterly baseline rolls out in January, we can come back to this in February, when the first Hotpatches should be released.
There are only a few methods to determine whether a server is enabled for hotpatching.
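One practical check, once the February Hotpatches have shipped, is to read the local Windows Update history and look for hotpatch entries. This is an added example for this post, not code from the original article or from Microsoft. It uses the built-in Windows Update Agent COM API and assumes that hotpatch updates carry the word “Hotpatch” in their title, as the Windows Server 2022 Azure Edition hotpatch KBs did; adjust the pattern if the Windows Server 2025 titles differ.

```powershell
# Added example: list installed updates whose title marks them as hotpatches.
# Assumption: hotpatch update titles contain "Hotpatch" (true for the
# Windows Server 2022 Azure Edition releases; verify for Server 2025).

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# OperationResultCode values documented for the Windows Update Agent API
$resultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$hotpatches = $history |
    Where-Object { $_.Title -match 'Hotpatch' } |
    Sort-Object Date -Descending |
    Select-Object Date, Title,
        @{ Name = 'Result'; Expression = { $resultNames[[int]$_.ResultCode] } }

if ($hotpatches) {
    $hotpatches | Format-Table -AutoSize
} else {
    'No hotpatch entries in update history yet. Expected until the first hotpatch month after enrollment.'
}
```

Until the first hotpatch month arrives the script prints the “no entries yet” line, which matches the situation in December and January. From February onward, a Succeeded entry with no reboot having been required is the evidence that the server is really hotpatching rather than falling back to full cumulative updates.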
Thank you for reading my post on Windows Server Hotpatching. Feel free to leave a comment or question below.