VishalBajaj
As you may recall, we recently announced a public preview of Hotpatching on Windows Server 2025 VMs in Azure. With this latest preview we are moving towards fulfilling a top customer request: the same capability for on-premises machines. You will be able to benefit from fewer reboots of your Windows Server 2025 machines with this optional Hotpatching capability, which was earlier limited to Windows Server 2022 Azure Edition VMs in Azure. The preview is an opportunity for you to try the capability, see how it will work in the upcoming Windows Server 2025, and provide feedback.
What is Hotpatching?
Hotpatching is a way to install OS security updates on machines without the need of a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. We first shipped this feature in Windows Server 2022 Azure Edition.
- Better protection: Hotpatch update packages are scoped to Windows security updates and install faster, without rebooting.
- Less time exposed to security risks, shorter change windows, and easier patch orchestration with Azure Update Manager.
- Fewer binaries, so updates download and install faster and consume fewer disk and CPU resources.
- Lower workload impact, with fewer reboots.
What is part of the preview?
With this preview you can connect your Windows Server 2025 Datacenter Evaluation edition machines to Azure Arc and subscribe to Hotpatching. [See steps below].
- Connect your Windows Server 2025 Datacenter Evaluation machines to Azure Arc
- Subscribe to, or unsubscribe from, the Hotpatching service via the Azure Arc portal
- Manage deployment of Hotpatch updates natively on Azure via Azure Update Manager
Getting Started
To get started, follow the steps below. For any feedback or questions, contact us at hotpatchfeedback@microsoft.com
Step 1: Create a VM using Windows Server 2025 Datacenter from the Evaluation Center
Set up the VM using the Windows Server 2025 Preview. Download the ISO image from the Evaluation Center; you may have to fill in a form and provide your email address. On Hyper-V or another platform, create a Gen 2 VM and use the option to create the VM from an ISO. For the installation media, point to the ISO downloaded from the Evaluation Center. For detailed steps, read the articles below:
- Create a virtual machine in Hyper-V | Microsoft Learn
- Create a virtual machine with Hyper-V on Windows 11 | Microsoft Learn
If you are using VMware as your virtualization platform, then on the Select a guest OS page select Enable Windows Virtualization Based Security. More details here.

Step 2: Enable Virtualization Based Security
Run the command below in an elevated command prompt. A reboot is needed after the registry value is set.
Reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
To check whether VBS is running after the reboot, open "System Information" on your machine.
Note: If you are using VMware and VBS is still not running, follow the documentation here: Enable Virtualization-based Security on a Virtual Machine (vmware.com)

Step 3: Install KB5040435 (7B Security update)
Download and install the July security update, or use Azure Update Manager. This is needed so that you can observe that the September security update will not need a reboot.

Step 4: Connect the VM to Azure Arc
Connect the VM to Azure Arc: Quickstart - Connect hybrid machine with Azure Arc-enabled servers - Azure Arc | Microsoft Learn. You will need to run the script from the Azure Arc portal on your machine (PowerShell).

Step 5: Admin opt-in and Hotpatch subscription
Now go to the Azure Arc portal and enable Hotpatching:
- At the top of the page, click on Azure Arc.
- Click on Machines in the left panel. You will now see the Azure Arc connected machine you set up in the list; click on it.
- This takes you to the server management page, where you will see the Hotpatch card towards the bottom. Clicking on that tile opens a fly-in page on the side that allows you to select Hotpatching.
- Check the box and click the Confirm button at the bottom.
Behind the scenes, the Azure Arc connected server will be configured to receive Hotpatches. It will take about 10 minutes for the operation to complete. If you refresh the page while the operation is in progress, the Hotpatch tile will show "Pending" status. After the enrollment operation is confirmed, the Hotpatch tile shows that the service is Enabled.
Note: If the status is stuck on Pending, the chances are that the Azure Arc agent has not been updated. To update the Arc agent, run the command below in PowerShell on the machine:
Code:
The Azure Arc attached machine is now ready to receive Hotpatches.

Step 6: Scan and install the 9B Hotpatch
Now, when you perform a Windows Update scan, you are offered a Hotpatch [see image below]. If you are not offered a Hotpatch, pause the update and send us the update logs. To collect the update logs, run this command in PowerShell:
Get-WindowsUpdateLog
Below is a screenshot where the Windows Hotpatch update for September has completed and does not need a reboot. If you are offered other updates that you are not interested in installing, you can also use SConfig to download and install only the Hotpatch update.

Step 7: Scan and install the 9B Hotpatch using Azure Update Manager
Using Azure Update Manager, you can identify all machines that are eligible for Hotpatches and plan installation of Hotpatches on a schedule. Because Hotpatches do not disrupt availability, you can create faster schedules and update your services immediately after release, with less planning needed to maintain the reliability of your machines at scale. Here is how to manage Hotpatches using Azure Update Manager:
1. Verify that the Hotpatch subscription is available, or has already been enabled, from the Updates tab of your Arc server. The change option there allows you to enable or cancel the Hotpatch subscription on demand.
2. Scan and view the 9B update offered to this machine by performing an assessment.
3. Choose to include the specific 9B update, and when to install it on your Arc server, by creating a user-defined schedule or a one-time update. You can install it immediately after it is available, allowing your machine to get secure faster.
4. Verify whether the 9B update has been installed, and the reboot status of the machine, by viewing history.
These steps provide a streamlined way to plan installation of Hotpatches on your Arc machine.
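The scan-and-install steps above ask you to confirm two things after the 9B update: that the Hotpatch actually installed, and that the machine is not waiting for a reboot. The following PowerShell is an added example, not part of the original post, that checks both from the machine itself. It assumes an elevated PowerShell session on the patched Windows Server 2025 machine and that the Hotpatch update's title contains the word "Hotpatch" (the only title pattern the post describes); the Windows Update Agent COM objects and the reboot-pending registry markers it reads are standard Windows interfaces.

```powershell
# Added example (not from the original post): verify that a Hotpatch update installed
# and that no reboot is outstanding. Assumes an elevated session on the patched machine.

function Get-HotpatchHistory {
    # Windows Update history via the Windows Update Agent COM API.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.Title -like '*Hotpatch*' } |   # 1 = installation; title pattern is an assumption
        ForEach-Object {
            [pscustomobject]@{
                Date   = $_.Date
                Title  = $_.Title
                # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
                Result = switch ($_.ResultCode) {
                    2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' }
                    default { "Code $($_.ResultCode)" }
                }
            }
        }
}

function Test-RebootPending {
    # The servicing stack and Windows Update each leave a marker key while a restart is outstanding.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $pending = @(foreach ($key in $markers) { if (Test-Path -Path $key) { $key } })
    # The Windows Update Agent exposes the same flag directly.
    $wua = New-Object -ComObject 'Microsoft.Update.SystemInfo'
    if ($wua.RebootRequired) { $pending += 'Microsoft.Update.SystemInfo.RebootRequired' }
    return ,$pending
}

$installs = @(Get-HotpatchHistory | Sort-Object -Property Date -Descending)
$pending  = @(Test-RebootPending)

if ($installs.Count -eq 0) {
    Write-Warning 'No Hotpatch entry in Windows Update history. If none was offered on scan, pause updates and collect the log with Get-WindowsUpdateLog.'
} else {
    $installs | Format-Table -Property Date, Result, Title -AutoSize
}

if ($pending.Count -gt 0) {
    Write-Warning "Reboot pending ($($pending -join ', ')). The Hotpatch itself does not need a restart; another update, such as a baseline, is still waiting."
} else {
    Write-Host 'No reboot pending.'
}
```

Run it right after the Hotpatch install completes: a "Succeeded" history entry together with "No reboot pending" is the observable proof the post describes for step 6, and the same two facts are what the Azure Update Manager history view reports in step 7.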
Hotpatch Preview FAQ:
Are there any prerequisites for subscribing to Hotpatching?
There are some prerequisites:
- Windows Server 2025 Datacenter evaluation
- Virtualization Based Security should be enabled and running on your machine
- July Security update installed
- Machines should be Azure Arc connected
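The four prerequisites above map directly onto the "Getting Started" steps (evaluation edition, VBS enabled and running, the July update installed, the machine Arc-connected). The following PowerShell preflight script is an added example, not from the original post, that tests all four before you attempt the Hotpatch subscription. Assumptions not stated in the post: it runs in an elevated PowerShell session on the candidate machine; the evaluation edition's Win32_OperatingSystem caption contains "Server 2025", "Datacenter" and "Evaluation"; and the Azure Connected Machine agent runs as the Windows service "himds". KB5040435 is the July (7B) update id from the post, and the optional -EnableVbs switch writes the same registry value under the same key as the post's Reg add command.

```powershell
# Added example (not from the original post): preflight check for the Hotpatch preview
# prerequisites. Assumptions: elevated PowerShell on the candidate machine; Arc agent
# service name 'himds'; evaluation edition visible in the Win32_OperatingSystem caption.
param([switch]$EnableVbs)

$VbsKey = 'HKLM:\SYSTEM\ControlSet001\Control\DeviceGuard'   # same key as the post's Reg add command

function Test-Edition {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Check  = 'Windows Server 2025 Datacenter Evaluation'
        Pass   = ($os.Caption -like '*Server 2025*' -and $os.Caption -like '*Datacenter*' -and $os.Caption -like '*Evaluation*')
        Detail = "$($os.Caption) (build $($os.BuildNumber))"
    }
}

function Test-Vbs {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Check  = 'Virtualization Based Security running'
        Pass   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        Detail = "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"
    }
}

function Test-JulyUpdate {
    $kb = Get-HotFix -Id 'KB5040435' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'July security update (KB5040435) installed'
        Pass   = [bool]$kb
        Detail = if ($kb) { "installed $($kb.InstalledOn)" } else { 'not found (a later cumulative update may supersede it)' }
    }
}

function Test-ArcAgent {
    $svc = Get-Service -Name 'himds' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Azure Arc Connected Machine agent running'
        Pass   = ($null -ne $svc -and $svc.Status -eq 'Running')
        Detail = if ($svc) { "himds service $($svc.Status); 'azcmagent show' reports the connection state" } else { 'agent not installed' }
    }
}

if ($EnableVbs) {
    # Equivalent of the post's Reg add command; VBS only starts after the next reboot.
    New-Item -Path $VbsKey -Force | Out-Null
    Set-ItemProperty -Path $VbsKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Write-Host "EnableVirtualizationBasedSecurity=1 written under $VbsKey; reboot, then re-run this check."
}

$results = @(Test-Edition; Test-Vbs; Test-JulyUpdate; Test-ArcAgent)
$results | Format-Table -Property Check, Pass, Detail -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite(s) not met; enable them before subscribing to Hotpatching."
    exit 1
}
Write-Host 'All prerequisites met: the machine can be subscribed to Hotpatching from the Azure Arc portal.'
```

The script exits non-zero when any check fails, so it can gate an automated enrollment run. Note the VBS check reads the running state, not just the registry value, which is what the post's "check whether VBS is running post reboot" step asks for; a value of 1 means the key is set but the machine has not yet rebooted (or the hypervisor, as in the VMware note, is not exposing the required features).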