Important
Azure Arc-enabled Hotpatch for Windows Server 2025 is now available for a monthly subscription fee. To learn more about pricing, see Tired of all the restarts? Get hotpatching for Windows Server.
Hotpatch allows you to update your Windows Server installation without requiring your users to restart after installation. This feature minimizes downtime spent on updates and keeps your users running their workloads uninterrupted. For more information about how Hotpatch works, see Hotpatch for Windows Server.
Windows Server 2025 features the ability to enable Hotpatch for Azure Arc-enabled servers. In order to use Hotpatch on Azure Arc-enabled servers, all you have to do is deploy the Connected Machine agent and enable Windows Server Hotpatch. This article describes how to enable Hotpatch.
Prerequisites
Before you can enable Hotpatch on Arc-enabled servers for Windows Server 2025, you need to satisfy the following requirements.
A server must be running Windows Server 2025 (build 26100.1742 or later). Preview versions or Windows Server Insiders builds aren't supported because hotpatches aren't created for prerelease operating systems.
The machine should be running one of the following editions of Windows Server.
- Windows Server 2025 Standard
- Windows Server 2025 Datacenter
- Windows Server 2025 Datacenter: Azure Edition. This edition doesn't need to be Azure Arc-enabled; Hotpatch is already enabled by default. The remaining technical prerequisites still apply.
Both Server with Desktop Experience and Server Core installation options are supported.
The physical or virtual machine you intend to enable Hotpatch on needs to satisfy the requirements for Virtualization-based security (VBS), also known as Virtual Secure Mode (VSM). At a bare minimum, the machine has to use Unified Extensible Firmware Interface (UEFI) with Secure Boot enabled. Therefore, a virtual machine (VM) on Hyper-V needs to be a Generation 2 virtual machine.
An Azure subscription. If you don't already have one, create a free account before you begin.
Your server and infrastructure should satisfy the Connected Machine agent prerequisites for enabling Azure Arc on a server.
The machine should be connected to Azure Arc (Arc-enabled). To learn more about onboarding your machine to Azure Arc, see Azure Connected Machine agent deployment options.
Check and enable Virtual Secure Mode if necessary
When you enable Hotpatch using the Azure portal, it checks whether Virtual Secure Mode (VSM) is running on the machine. If VSM isn't running, enabling hotpatch fails, and you'll have to enable VSM.
Alternatively, you can check the VSM status manually before enabling Hotpatch. VSM might already be enabled if you previously configured other features that, like Hotpatch, depend on VSM. Common examples of such features include Credential Guard and Virtualization-based protection of code integrity, also known as Hypervisor-protected code integrity (HVCI).
Tip
You can use Group policy or another centralized management tool to enable one or more of the following features.
- Credential guard
- Credential Guard protected machine accounts
- Virtualization-based protection of code integrity
- System Guard Secure Launch and SMM protection
- Kernel Mode Hardware-enforced Stack Protection
- Secured-core server
Configuring any of these features also enables VSM.
To verify that VSM is configured and running, run the following PowerShell command and examine the output.
Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName 'win32_deviceGuard' | Select-Object -ExpandProperty 'VirtualizationBasedSecurityStatus'
If the command output is 2, VSM is configured and running. In this case, proceed directly to Enable Hotpatch on Windows Server 2025.
If the output isn't 2, you need to enable VSM.
Enable VSM with the following PowerShell command.
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\DeviceGuard' -Name 'EnableVirtualizationBasedSecurity' -PropertyType 'Dword' -Value 1 -Force
Tip
After you enable VSM, you need to restart your server.
After you reboot, run the following command again and verify that the output is now 2, which confirms that VSM is running.
Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName 'win32_deviceGuard' | Select-Object -ExpandProperty 'VirtualizationBasedSecurityStatus'
If the output still isn't 2, VSM on your machine needs troubleshooting. The most likely reason is that the physical or virtual hardware requirements aren't met. Refer to the documentation from the vendor of your hardware or virtualization platform. For example, here's the documentation for VMware vSphere: Activate Virtualization-based Security on an Existing Virtual Machine.
Once you've enabled VSM and confirmed that it's running, proceed to the next section.
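The prerequisites and the VSM check-and-enable steps above can be run as one readiness check before you go to the portal. The following is an added example written for this article, not Microsoft's code; it assumes that the Azure Connected Machine agent runs as the `himds` service, that `Win32_OperatingSystem.Caption` contains the edition wording "Windows Server 2025 Standard/Datacenter", and that `$env:firmware_type` reports the firmware mode. Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the article): one-shot Hotpatch readiness check for a
# Windows Server 2025 host that you intend to Arc-enable. Run elevated.
function Test-HotpatchReadiness {
    [CmdletBinding()]
    param(
        # When set, write the DeviceGuard registry value from the article if VBS is not running.
        [switch]$EnableVbs
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName 'win32_deviceGuard'
    # Assumption: 'himds' is the Azure Connected Machine agent service; absent means not Arc-enabled.
    $arc = Get-Service -Name 'himds' -ErrorAction SilentlyContinue

    # Full build is <BuildNumber>.<UBR>; the article requires 26100.1742 or later.
    $build = [version]"$($os.BuildNumber).$($cv.UBR)"

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware or without admin rights.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $report = [pscustomobject]@{
        Caption          = $os.Caption
        EditionSupported = $os.Caption -match 'Windows Server 2025 (Standard|Datacenter)'  # assumption: Caption wording
        Build            = $build
        BuildSupported   = $build -ge [version]'26100.1742'
        Uefi             = $env:firmware_type -eq 'UEFI'
        SecureBoot       = $secureBoot
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus  # 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning       = $dg.VirtualizationBasedSecurityStatus -eq 2
        ArcAgentRunning  = ($null -ne $arc -and $arc.Status -eq 'Running')
    }

    if ($EnableVbs -and -not $report.VbsRunning) {
        # Same registry value the article uses; it takes effect only after a restart.
        New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\DeviceGuard' `
            -Name 'EnableVirtualizationBasedSecurity' -PropertyType 'Dword' -Value 1 -Force | Out-Null
        Write-Warning 'VBS enabled in the registry; restart the server and re-run this check.'
    }

    # Ready only when every prerequisite the article lists is satisfied.
    $report | Add-Member -NotePropertyName Ready -NotePropertyValue (
        $report.EditionSupported -and $report.BuildSupported -and $report.Uefi -and
        $report.SecureBoot -and $report.VbsRunning -and $report.ArcAgentRunning) -PassThru
}

Test-HotpatchReadiness | Format-List
```

Re-run with `-EnableVbs` to apply the registry change from this article, then restart and confirm that `VbsStatus` reports 2 before selecting Hotpatch in the portal.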
Enable Hotpatch on Windows Server 2025
Connect the machine to Azure Arc, if it wasn't Arc-enabled previously.
After you've connected the machine to Azure Arc, sign in to the Azure portal and go to Azure Arc → Machines.
Select the name of your machine.
Select Hotpatch, then select Confirm.
Wait about 10 minutes for the changes to apply. If the update stays stuck in the Pending status, proceed to troubleshooting the Azure Arc agent.
Using Hotpatch on Windows Server 2025
Whenever a Hotpatch is available from Windows Update, you should receive a prompt to install it. Since these updates aren't released every month, you might need to wait until the next Hotpatch is published.
You can optionally automate hotpatch installation using update management tools such as Azure Update Manager (AUM).
Next steps
Now that Hotpatch is enabled, here are some articles that might help you with updating your computer: