AzureFeeds

Effective July 16, 2025, Hotpatching for Windows Server 2025 on Azure Arc–connected machines will be generally available (GA) and transition to a paid subscription model. This post provides technical details on the service, the value of hotpatching for on-premises servers, and important enrollment information for customers.

What Is hotpatching?

Hotpatching enables you to install OS security updates on Windows Server without requiring a reboot. This technology, previously exclusive to Windows Server Datacenter: Azure Edition, is now available for on-premises and hybrid environments through Azure Arc. Hotpatching has been in public preview at no cost, but as of July 16, 2025, a monthly subscription fee of $1.50 USD per CPU core will apply.

Why hotpatching for on-premises servers?

• Minimize downtime: Apply critical security updates without interrupting workloads or requiring planned maintenance windows.


• Improve security posture: Reduce the window of vulnerability by deploying patches as soon as they are available.


• Operational efficiency: Eliminate the need for frequent reboots, simplifying patch management for IT teams.


• Consistent experience: Use the same hotpatching process across Azure, on-premises, and hybrid environments with Azure Arc.

Enrollment and billing

To receive hotpatches on Windows Servers outside of Azure, customers must enroll their servers. The servers must be on the latest cumulative update released during a baseline month (January, April, July and October) by Microsoft on the second Tuesday of the month. Only enrolled servers will continue to receive hotpatches and be billed accordingly.

• Preview customers: If already enrolled during the preview period, then no action is needed to continue to receive hotpatches. If you enrolled in hotpatching during the Preview and do not wish to be billed after GA, you must disenroll your servers before July 16, 2025, to avoid charges.


• New customers: Enroll your eligible Windows Server 2025 machines via Azure Arc to activate hotpatching and start receiving updates.

How to enroll in hotpatching

To begin receiving hotpatches for your Azure Arc–connected Windows Server 2025 machines, follow these steps:

Prerequisites

• Ensure your machine is connected to Azure Arc.


• Ensure Virtualization Based Security (VBS) is enabled and running.


• Confirm that the latest cumulative update from a baseline month (January, April, July, or October) is installed. Hotpatching is only offered if this requirement is met.

Enrollment via Azure Portal

1. Connect your server to Azure Arc.


2. Navigate to the Windows Server resource in the Azure Arc portal.


3. Click on the Hotpatch blade


4. Check the box “I want to license this Windows Server to receive monthly hotpatches” and click on confirm under the hotpatch blade.

Note: Enrollment operation takes a few minutes, so you may need to manually refresh the Azure portal to see the updated status.

How to disenroll from hotpatching

If you no longer wish to receive hotpatches or want to avoid billing after the preview period ending on July 16, 2025, you must disenroll from hotpatching service on Azure Arc portal.

Disenrollment via Azure portal

1. Go to the Azure Arc–connected server in the Azure Arc portal.


2. Open the hotpatch blade.


3. Uncheck the box “I want to license this Windows Server to receive monthly hotpatches” and click on confirm.

Important: Disenroll before disconnecting the machine from Azure Arc. If you disconnect first, billing may continue for up to 30 days after the last connection. See this blog post for additional details.

Disenrollment via API

• Set subscriptionStatus  to “Disable” in the license profile payload.


• This action is synchronous and should reflect immediately, though portal refresh may still be required.

Learn more

If you’re interested in learning more, check out our April blog post and the on-demand session on Hotpatching and Update Management from our recent Windows Server Summit virtual event.