Enable Windows Server 2025 Hotpatching: A Step-by-Step Guide

Apply security updates and patches without requiring a reboot

Published: Dec 11, 2024


Hotpatching is a powerful feature in Windows Server 2025 that allows administrators to apply security updates and patches without requiring a system reboot, minimizing downtime and ensuring continuous operation. This article provides an overview of how to enable Windows Server 2025 Hotpatching. We’ll cover prerequisites, step-by-step instructions, best practices, and troubleshooting tips.

What is Windows Server hotpatching?

As organizations increasingly rely on Windows Server to manage critical business operations, minimizing downtime becomes essential. One of the latest innovations to support this need is hotpatching.

Microsoft initially announced and released a hotpatching (hotpatch) preview for Windows Server 2022 virtual machines (VMs) in Microsoft Azure (requiring Windows Server 2022 Azure Edition ISOs). As the feature has matured, Microsoft has been rolling it out to more platforms and environments, including physical servers. Hotpatching, now in public preview, allows administrators to apply security updates and patches with fewer reboots throughout the year. Microsoft will likely release this feature to general availability sometime in 2025.

To be clear, Windows Server 2025 hotpatching is not limited to Hyper-V: it also runs on other virtualization platforms, such as VMware, and on any platform that supports Microsoft’s protection-focused virtualization feature, Virtualization-Based Security (VBS). (More on this below.)

Annual hotpatching schedule

Instead of planning around twelve mandatory monthly reboots per year, Hotpatching offers just four planned reboots per year. For Patch Tuesday in January, April, July, and October, IT Pros can expect the monthly cumulative update to require a reboot. But for the other months in the year, the in-memory processes are updated via special Hotpatch Windows security updates – faster installs and no reboot required!

Hotpatch updates also use fewer resources: they consume less CPU while installing and ship as smaller binaries, so they download and install more quickly. Easier patch orchestration for IT Pros is always welcome.

Windows Server hotpatching prerequisites

There are some things to keep in mind before planning on using Hotpatching. Let’s go through the main prerequisites for enabling Hotpatching:

  • Windows Server versions

    First, and this one is rather stringent, you need to use Windows Server 2025 (Standard edition or Datacenter edition). This will be a blocker for many organizations, but as I said, this requirement is another step in Microsoft’s plan to roll out the technology gradually.
  • Internet / Azure Arc

    A stable and reliable Internet connection is required to access the Microsoft Windows Update servers. Also, you’ll need to connect Windows Server to Azure Arc using the Azure Connected Machine Agent (CMA).
  • Virtualization-Based Security (VBS)

    Virtualization-Based Security (VBS) is critical for Hotpatching to work. VBS uses hardware virtualization to create an isolated environment, known as a “secure kernel” that protects system processes and sensitive data from unauthorized access.

For hotpatching to work, the system must support VBS because hotpatching updates the in-memory code of running processes without requiring a restart. To ensure that these updates are applied securely and safely, the secure kernel provided by VBS must be operational.

Enable VBS

This setting should be on by default, but to verify VBS is enabled:

  • run ‘msinfo32.exe’ from ‘Start Menu -> Run’ or at a command prompt.
  • look for the ‘Virtualization-based Security’ item on the System Summary page.

Checking whether VBS is enabled before enabling Windows Server 2025 hotpatching – (Image Credit: Michael Reinders/Petri.com)

Looks like I need to enable it. I run this command to update the Registry and then reboot.

Reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

I checked msinfo32 again and the item now shows ‘Running’. Ready to proceed.
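As an added example (not part of the original article), the same check and fix can be scripted with PowerShell: the Win32_DeviceGuard WMI class reports the VBS state that msinfo32 shows, and the registry write is the one shown above, written against CurrentControlSet. The status and property code meanings are from the Device Guard WMI documentation; the reboot reminder is an assumption based on the author’s own experience above.

```powershell
# Query the Device Guard WMI class: this is what msinfo32's
# 'Virtualization-based Security' line is derived from.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled but not running (reboot pending?)' }
    2       { 'Running' }
    default { "Unknown ($_)" }
}
Write-Host "VBS status: $vbsStatus"

# Platform capabilities the hypervisor reports (1 = hypervisor support, 2 = Secure Boot,
# 3 = DMA protection). Hotpatching needs VBS to actually be running, so a status of
# 0 on hardware that lacks property 1 means the host or VM must be fixed first.
Write-Host ("Available security properties: " + ($dg.AvailableSecurityProperties -join ', '))

if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    # Same registry value the article sets with reg.exe, under CurrentControlSet.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Write-Host 'EnableVirtualizationBasedSecurity set to 1; reboot, then re-run this script and expect Running.'
}
```

Run it from an elevated PowerShell session on the Windows Server 2025 host.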

Enable Windows Server 2025 hotpatching

  • Open the server in the Azure Portal.
  • Then, under the Capabilities section, ‘Hotpatching (preview)’ should be front and center. Click it.
  • Verify that Azure confirms VBS is ‘On’.
  • Select the checkbox ‘I want to license this Windows Server to receive monthly hotpatches’, and click Confirm.

Enabling Hotpatch (preview) in the Azure Portal – (Image Credit: Michael Reinders/Petri.com)

The process of enrollment now commences.

Waiting for enrollment to complete – (Image Credit: Michael Reinders/Petri.com)

After this is complete, we should be good to go. The server is expected to install the normal patches in December and January, then receive hotpatches in February and March, until the next normal reboot patch cycle in April, and so on.

Because we are in the early stages of this new feature in public preview, we don’t have any direct history to prove hotpatching is running. After the quarterly updates rollout in January, we can come back to this in February – the first hotpatches should be released at that time.

Check Windows Server enabled for hotpatching

There are only a few methods to determine if a server is enabled for hotpatching.

Method 1

  • In the Azure Portal for this server, you can navigate to Operations -> Updates, click the ‘Check for updates’ button at the top, and get an assessment of pending updates.
  • On this same screen, the ‘Hotpatch’ section shows ‘Enabled.’

Verifying that Windows Server Hotpatch enabled patches are ready to go! – (Image Credit: Michael Reinders/Petri.com)

Method 2

  • On the server itself, when you browse to Windows Updates and click Update History, you’ll see (Hotpatches) next to the specific patches used with this technology.
Hotpatch capable updates have been installed – (Image Credit: Microsoft)
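The Update History check in Method 2 can also be scripted, which is handy when you need to confirm hotpatch delivery across a fleet. This added example (not from the article or from Microsoft) reads the local update history through the Windows Update Agent COM API and keeps entries whose title contains “Hotpatch”; that title filter is an assumption based on how the Update History screen labels them, so adjust the pattern if your titles differ.

```powershell
# Open the Windows Update Agent session and pull the full local update history.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

# OperationResultCode values as defined by the WUA API.
$resultName = @{
    1 = 'In progress'; 2 = 'Succeeded'; 3 = 'Succeeded with errors'
    4 = 'Failed';      5 = 'Aborted'
}

$history = @()
if ($total -gt 0) { $history = $searcher.QueryHistory(0, $total) }

# Keep installation operations (Operation 1) whose title marks them as a hotpatch.
$hotpatches = $history |
    Where-Object { $_.Operation -eq 1 -and $_.Title -match 'Hotpatch' } |
    Sort-Object Date -Descending |
    Select-Object Date, Title,
        @{ Name = 'Result'; Expression = { $resultName[[int]$_.ResultCode] } }

if ($hotpatches) {
    $hotpatches | Format-Table -AutoSize
    # A Failed/Aborted hotpatch is worth investigating: the server may fall back to
    # the regular (reboot-requiring) cumulative update for that month.
    $bad = $hotpatches | Where-Object { $_.Result -in 'Failed', 'Aborted' }
    if ($bad) { Write-Warning "$($bad.Count) hotpatch installation(s) did not succeed." }
} else {
    Write-Host 'No hotpatch updates in the update history yet (expected before the first hotpatch month).'
}
```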

Thank you for reading my post on Windows Server Hotpatching. Feel free to leave a comment or question below.