How to Set Up Windows Server 2025 Hotpatch (Azure Edition) on Windows Server 2025

Rebooting servers to apply security patches has always been the most disruptive part of patch management. Every reboot means a maintenance window, application restart time, potential session disconnections, and the operational overhead of coordinating across teams. Windows Server 2025 Azure Edition introduces Hotpatch, a technology that injects patches directly into running processes in memory — no reboot required for the majority of monthly updates. This guide explains how Hotpatch works, how to enable it on Azure VMs and Arc-connected on-premises servers, how to verify successful application, and what its limitations are.

Prerequisites

  • Azure Virtual Machine running the Windows Server 2025 Azure Edition image (not Standard or Datacenter editions)
  • VM must use Trusted Launch or Confidential VM security type
  • Azure Update Manager or Azure Automanage enabled on the subscription
  • For on-premises or multi-cloud: Azure Arc agent installed and server enrolled in Azure
  • Contributor or higher role on the Azure resource group
  • PowerShell 7.4 or Azure PowerShell module (Az.Compute, Az.Automanage)

Step 1: Understand the Hotpatch Update Cycle

Hotpatch follows a quarterly cadence that combines traditional reboot-required updates with hotpatched updates:

  • Months 1 (January, April, July, October): Baseline update — requires reboot. Establishes the baseline for the following hotpatch months.
  • Months 2 and 3 of each quarter: Hotpatch updates — no reboot required. Applied directly to running processes in memory.

This means that in a typical year, only four reboots are required for cumulative updates instead of twelve or more. Security patches, bug fixes, and many servicing stack updates qualify for hotpatch delivery. Kernel-mode patches that fundamentally alter the kernel image still require a reboot and are delivered in the baseline months.

Step 2: Enable Hotpatch via Azure Update Manager

Azure Update Manager is the recommended path for enabling Hotpatch on Windows Server 2025 Azure Edition VMs. You can enable it from the Azure portal or with PowerShell.

# Connect to Azure
Connect-AzAccount
Set-AzContext -SubscriptionId 'your-subscription-id'

# Check current patch settings on the VM
$vm = Get-AzVM -ResourceGroupName 'rg-production' -Name 'WS2025-VM01'
$vm.OSProfile.WindowsConfiguration.PatchSettings

# Enable Hotpatch on a new or existing VM
# AssessmentMode: ImageDefault or AutomaticByPlatform
# PatchMode: AutomaticByPlatform enables Azure-orchestrated patching with hotpatch
Update-AzVM -ResourceGroupName 'rg-production' -VM $vm -OsProfile @{
    WindowsConfiguration = @{
        PatchSettings = @{
            PatchMode        = 'AutomaticByPlatform'
            EnableHotpatching = $true
            AssessmentMode   = 'AutomaticByPlatform'
        }
    }
}

Alternatively, configure at VM creation time:

$vmConfig = New-AzVMConfig -VMName 'WS2025-HOT01' -VMSize 'Standard_D4s_v5'

$vmConfig = Set-AzVMOperatingSystem -VM $vmConfig `
    -Windows `
    -ComputerName 'WS2025-HOT01' `
    -Credential (Get-Credential) `
    -EnableAutoUpdate `
    -PatchMode 'AutomaticByPlatform'

# Enable Hotpatch in the additional capabilities
$vmConfig.OSProfile.WindowsConfiguration.PatchSettings.EnableHotpatching = $true

# Use a supported Windows Server 2025 Azure Edition image
$vmConfig = Set-AzVMSourceImage -VM $vmConfig `
    -PublisherName 'MicrosoftWindowsServer' `
    -Offer 'WindowsServer' `
    -Skus '2025-datacenter-azure-edition' `
    -Version 'latest'

New-AzVM -ResourceGroupName 'rg-production' -Location 'eastus' -VM $vmConfig

Step 3: Enable Hotpatch via Azure Automanage

Automanage Machine Configuration provides a policy-based way to enforce Hotpatch across a fleet of VMs without configuring each one individually.

# Assign a built-in Automanage configuration profile
# The 'Azure virtual machine best practices' profiles include hotpatch settings

$assignment = New-AzAutomanageConfigurationProfileAssignment `
    -MachineName 'WS2025-VM01' `
    -ResourceGroupName 'rg-production' `
    -ConfigurationProfileAssignmentName 'default' `
    -ConfigurationProfile '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction'

# Verify assignment
Get-AzAutomanageConfigurationProfileAssignment `
    -MachineName 'WS2025-VM01' `
    -ResourceGroupName 'rg-production'

Step 4: Verify Hotpatch Application

After a hotpatch update cycle, verify that patches were applied correctly without a reboot.

# Check Windows version — build number should advance without a new LastBootTime
winver

# Check the system uptime — should remain unchanged after a hotpatch
$os = Get-CimInstance Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
Write-Host "System has been running for: $($uptime.Days) days, $($uptime.Hours) hours"

# View Windows Update history including hotpatch entries
$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$historyCount = $searcher.GetTotalHistoryCount()
$history = $searcher.QueryHistory(0, [math]::Min($historyCount, 50))

$history | Where-Object { $_.Title -match 'Hotpatch' -or $_.Date -gt (Get-Date).AddDays(-30) } |
    Select-Object @{N='Date';E={$_.Date}}, @{N='Title';E={$_.Title}}, @{N='Result';E={$_.ResultCode}} |
    Sort-Object Date -Descending | Format-Table -AutoSize

# Parse the Windows Update log for hotpatch-specific entries
# On Windows Server 2025, Get-WindowsUpdateLog converts ETL files to readable format
Get-WindowsUpdateLog -LogPath 'C:LogsWindowsUpdate.log'

# Then search the log
Select-String -Path 'C:LogsWindowsUpdate.log' -Pattern 'hotpatch|HotPatch|HOTPATCH' |
    Select-Object -Last 50

In the Azure portal, navigate to the VM’s Updates blade and select Update history. Hotpatch updates appear with a Hotpatch classification and will show installation status without a reboot event in the activity log.

Step 5: Configure Maintenance Schedules for Baseline Months

Baseline months (the reboot-required quarter-start updates) still need scheduled maintenance windows. Use Azure Update Manager maintenance configurations to control timing.

# Create a maintenance configuration for quarterly baseline reboots
New-AzMaintenanceConfiguration `
    -ResourceGroupName 'rg-production' `
    -Name 'WS2025-QuarterlyBaseline' `
    -MaintenanceScope 'InGuestPatch' `
    -Location 'eastus' `
    -StartDateTime '2026-07-08 02:00' `
    -Duration '03:00' `
    -RecurEvery 'Quarter' `
    -TimeZone 'UTC' `
    -InstallPatchRebootSetting 'IfRequired' `
    -WindowsParameterClassificationToInclude @('Critical','Security','UpdateRollup')

# Assign the maintenance configuration to the VM
New-AzConfigurationAssignment `
    -ProviderName 'Microsoft.Compute' `
    -ResourceType 'virtualMachines' `
    -ResourceGroupName 'rg-production' `
    -ResourceName 'WS2025-VM01' `
    -MaintenanceConfigurationId (Get-AzMaintenanceConfiguration `
        -ResourceGroupName 'rg-production' `
        -Name 'WS2025-QuarterlyBaseline').Id `
    -ConfigurationAssignmentName 'quarterly-baseline-assignment'

Step 6: Enable Hotpatch for On-Premises Servers via Azure Arc

On-premises Windows Server 2025 machines enrolled in Azure Arc can also benefit from Hotpatch when managed through Azure Update Manager.

# On the on-premises server — install the Azure Arc agent
# Download the agent installer and run:
.AzureConnectedMachineAgent.msi /l*v ArcSetup.log

# Connect the server to Azure Arc
azcmagent connect `
    --subscription-id 'your-subscription-id' `
    --resource-group 'rg-arc-servers' `
    --tenant-id 'your-tenant-id' `
    --location 'eastus' `
    --cloud AzureCloud

# Verify Arc connectivity
azcmagent show

# Once connected, enable patch management via Azure Update Manager
# (same API as Azure VMs, scoped to Arc machine resource type)
$arcMachine = Get-AzConnectedMachine -ResourceGroupName 'rg-arc-servers' -Name 'ONPREM-WS2025-01'

Step 7: Understand Hotpatch Limitations

  • Kernel patches still require reboot. Any update that modifies kernel-mode code (HAL, ntoskrnl, drivers) cannot be hotpatched and is deferred to the next baseline month reboot.
  • Azure Edition only. Hotpatch is not available on Windows Server 2025 Standard or Datacenter (non-Azure Edition) images installed on physical hardware without Arc.
  • Not all patches qualify. Microsoft determines patch eligibility. In any given non-baseline month, some patches may still require reboot if their scope exceeds what hotpatch can handle.
  • Application restarts are not prevented. Hotpatch avoids OS reboots but does not prevent individual services or applications from needing restarts for their own updates.
  • Feature updates require reboot. Any Windows feature update (annual channel) still requires a full reboot cycle.

Conclusion

Windows Server 2025 Hotpatch fundamentally changes the patch management calculus for Azure-hosted workloads. Reducing OS reboots from twelve per year to four cuts maintenance windows by two-thirds, reduces application restart events, and shortens the period during which patched-but-not-rebooted systems are at risk. Enabling it via Azure Update Manager or Automanage takes minutes and applies uniformly across a fleet. Azure Arc extends the same capability to on-premises Windows Server 2025 machines, making Hotpatch a viable strategy even in hybrid environments. Combined with maintenance configurations for the quarterly baseline reboots, organizations can achieve a patch posture that is both current and minimally disruptive.