Enable Hotpatch for Azure Arc-enabled servers
Important
Azure Arc-enabled Hotpatch for Windows Server 2025 is now available at no extra cost. To learn more, see Simplified access to Hotpatching enabled by Azure Arc for Windows Server 2025.
Hotpatch allows you to update your Windows Server installation without requiring your users to restart after installation. This feature minimizes downtime spent on updates and keeps your users running their workloads uninterrupted. For more information about how Hotpatch works, see Hotpatch for Windows Server.
Windows Server 2025 features the ability to enable Hotpatch for Azure Arc-enabled servers. In order to use Hotpatch on Azure Arc-enabled servers, all you have to do is deploy the Connected Machine agent and enable Windows Server Hotpatch. This article describes how to enable Hotpatch.
Prerequisites
Before you can enable Hotpatch on Arc-enabled servers for Windows Server 2025, you need to satisfy the following requirements.
A server must be running Windows Server 2025 (build 26100.1742 or later). Preview versions or Windows Server Insiders builds aren't supported because hotpatches aren't created for prerelease operating systems.
The machine should be running one of the following editions of Windows Server.
- Windows Server 2025 Standard
- Windows Server 2025 Datacenter
- Windows Server 2025 Datacenter: Azure Edition. This edition does not need to be Azure Arc-enabled, because Hotpatch is already enabled by default. The remaining technical prerequisites still apply.
Both Server with Desktop Experience and Server Core installation options are supported.
The physical or virtual machine you intend to enable Hotpatch on needs to satisfy the requirements for Virtualization-based security (VBS), also known as Virtual Secure Mode (VSM). At a bare minimum, the machine has to boot with Unified Extensible Firmware Interface (UEFI) and have Secure Boot enabled. For a virtual machine (VM) on Hyper-V, this means it must be a Generation 2 virtual machine.
An Azure subscription. If you don't already have one, create a free account before you begin.
Your server and infrastructure should satisfy the Connected Machine agent prerequisites for enabling Azure Arc on a server.
The machine should be connected to Azure Arc (Arc-enabled). To learn more about onboarding your machine to Azure Arc, see Azure Connected Machine agent deployment options.
Check and enable Virtual Secure Mode if necessary
When you enable Hotpatch using the Azure portal, the portal checks whether Virtual Secure Mode (VSM) is running on the machine. If VSM isn't running, enabling Hotpatch fails, and you have to enable VSM first.
Alternatively, you can check the VSM status manually before enabling Hotpatch. VSM might be already enabled if you previously configured other features that (like Hotpatch) depend on VSM. Common examples of such features include Credential guard or Virtualization-based protection of code integrity, also known as Hypervisor-protected code integrity (HVCI).
Tip
You can use Group policy or another centralized management tool to enable one or more of the following features.
- Credential guard
- Credential Guard protected machine accounts
- Virtualization-based protection of code integrity
- System Guard Secure Launch and SMM protection
- Kernel Mode Hardware-enforced Stack Protection
- Secured-core server
Configuring any of these features also enables VSM.
To verify VSM is configured and running, run the following PowerShell command and examine the output.

```powershell
Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName 'Win32_DeviceGuard' | Select-Object -ExpandProperty 'VirtualizationBasedSecurityStatus'
```

If the command output is 2, VSM is configured and running. In this case, proceed directly to Enable Hotpatch on Windows Server 2025.
If the output isn't 2 (0 means VBS is not enabled, 1 means it is enabled but not running), you need to enable VSM and restart the machine.
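The following PowerShell script is an added example, not code from the original article. It runs the prerequisite checks listed above in one pass (OS build, edition, UEFI and Secure Boot, VSM status, Connected Machine agent service) and, when VSM is not running, sets the DeviceGuard registry values Microsoft documents for enabling virtualization-based security. The function names are my own; `himds` is the service name of the Azure Connected Machine agent. Run it in an elevated session; a restart is required after the registry change before Win32_DeviceGuard reports status 2.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check for the Hotpatch prerequisites, plus VBS enablement.

function Test-HotpatchPrereqs {
    $problems = @()

    # 1. OS build: Windows Server 2025 is build 26100; the UBR must be 1742 or later.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if ($build -lt 26100 -or ($build -eq 26100 -and $ubr -lt 1742)) {
        $problems += "OS build $build.$ubr is older than the required 26100.1742"
    }

    # 2. Edition: Standard, Datacenter, or Datacenter: Azure Edition.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($caption -notmatch 'Windows Server 2025 (Standard|Datacenter)') {
        $problems += "Unsupported edition: $caption"
    }

    # 3. UEFI with Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS / Gen1 VMs.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $problems += 'Secure Boot is disabled' }
    } catch {
        $problems += 'Firmware is not UEFI (legacy BIOS or Hyper-V Generation 1 VM)'
    }

    # 4. VSM status: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
        $problems += "VirtualizationBasedSecurityStatus is $($dg.VirtualizationBasedSecurityStatus), expected 2"
    }

    # 5. Connected Machine agent: the Hybrid Instance Metadata Service ('himds') must be running.
    $himds = Get-Service -Name himds -ErrorAction SilentlyContinue
    if (-not $himds -or $himds.Status -ne 'Running') {
        $problems += 'Azure Connected Machine agent (himds) is not running; onboard the machine to Azure Arc'
    }

    return $problems
}

function Enable-VsmViaRegistry {
    # Documented DeviceGuard policy values: turn VBS on and require Secure Boot (value 1)
    # as the platform security feature. Takes effect after a restart.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name 'RequirePlatformSecurityFeatures'   -Type DWord -Value 1
    Write-Host 'VBS enabled in the registry. Restart the server, then re-run Test-HotpatchPrereqs.'
}

$issues = @(Test-HotpatchPrereqs)
if ($issues.Count -eq 0) {
    Write-Host 'All Hotpatch prerequisites are met; enable Hotpatch for this machine in the Azure portal.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    # Only the VSM problem can be fixed from here; build, edition, firmware and Arc onboarding are manual.
    if ($issues -match 'VirtualizationBasedSecurityStatus') { Enable-VsmViaRegistry }
}
```

The script only automates the VSM step because that is the one the portal check fails on; an old build, a wrong edition, legacy BIOS or a missing agent all need a separate fix (update, reinstall, convert to Generation 2, or onboard to Arc) before the portal will accept the machine.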
Enable Hotpatch on Windows Server 2025
Connect the machine to Azure Arc, if it wasn't Arc-enabled previously.
After you've connected the machine to Azure Arc, sign in to the Azure portal and go to Azure Arc → Machines.
Select the name of your machine.
Select Hotpatch, then select Confirm.
Wait about 10 minutes for the changes to apply. If the update stays stuck in the Pending status, see the troubleshooting guidance for the Azure Connected Machine agent.
Using Hotpatch on Windows Server 2025
Whenever a Hotpatch is available from Windows Update, you should receive a prompt to install it. Hotpatches aren't released every month: they follow a quarterly cadence in which the baseline cumulative update (which still requires a restart) is followed by restart-free hotpatches in the intervening months, so you might need to wait until the next Hotpatch is published.
You can optionally automate hotpatch installation using update management tools such as Azure Update Manager (AUM).
Known issues
There are no known issues at this time. All past issues are mitigated.
Next steps
Now that Hotpatch is enabled, here are some articles that might help you with updating your computer.