What is Windows Server 2022 Hotpatch?

Hotpatch is a patching mechanism introduced in Windows Server 2022 Datacenter: Azure Edition that allows critical security patches to be applied to the operating system without requiring a server reboot. Traditional Windows patching requires the server to restart so that in-use system binaries can be replaced; Hotpatch sidesteps this by patching the in-memory code of running processes directly. The result is that many monthly security patches can be applied while the server is fully operational, significantly reducing planned maintenance windows and the operational disruption associated with monthly Patch Tuesday cycles.

Hotpatch was developed by Microsoft as part of its Azure infrastructure investments, originally used internally to patch Azure’s own server fleet, and is now available to customers running Windows Server 2022 Datacenter: Azure Edition on Azure virtual machines or Azure Stack HCI.

Requirements for Hotpatch

Hotpatch has specific prerequisites that must be met before it can be enabled. Not every Windows Server 2022 deployment qualifies:

Operating System Edition: The server must be running Windows Server 2022 Datacenter: Azure Edition. The standard Windows Server 2022 Datacenter and Standard editions do not support Hotpatch. The Azure Edition SKU is only available through Azure Marketplace or as part of an Azure Stack HCI deployment. You can verify the edition with:

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
# Should return: ServerDatacenterCoreAzure or ServerDatacenterAzure

Infrastructure: The VM must be running on one of the following platforms:

- Azure Virtual Machines (Generation 2 VMs are required for Hotpatch)
- Azure Stack HCI (supported starting with Azure Stack HCI 22H2)
- Azure Arc-enabled servers (available in preview for on-premises servers connected to Arc)

Azure Monitor Agent: Hotpatch delivery requires the Azure Monitor Agent (AMA) to be installed on the VM. The legacy Microsoft Monitoring Agent (MMA) is not supported. AMA is typically installed automatically when Hotpatch is enabled through Azure Update Manager.

Connectivity: The VM must be able to reach Azure Update Management endpoints. In private network configurations, ensure the necessary service tags (AzureUpdateDelivery, AzureMonitor) are allowed through network security groups and firewalls.

Baseline Months vs Hotpatch Months

Microsoft publishes patches on a quarterly baseline cycle for Hotpatch-enabled servers. Understanding this cycle is essential for planning maintenance windows:

Baseline Months (January, April, July, October): Every three months, Microsoft releases a new cumulative update baseline. These baseline patches include all security updates accumulated since the previous baseline and require a server reboot to install. After the reboot, the server is on the new baseline and can receive subsequent hotpatches without rebooting until the next baseline month.

Hotpatch Months (the two months between each baseline): In the months between baselines, security patches are delivered as hotpatches that do not require a reboot. For example, if January is a baseline month requiring a reboot, February and March patches will be hotpatches applied live without restart.

# Example quarterly calendar:
# Jan  - Baseline update (REBOOT REQUIRED)
# Feb  - Hotpatch (no reboot)
# Mar  - Hotpatch (no reboot)
# Apr  - Baseline update (REBOOT REQUIRED)
# May  - Hotpatch (no reboot)
# Jun  - Hotpatch (no reboot)
# ...

# List recently installed updates, most recent first
# (Get-HotFix reports installed updates only; it does not show whether a reboot is pending)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

# Or via CIM
Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn -First 10
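As an added example (not code from the original article), the following PowerShell classifies a month under the January/April/July/October baseline cycle described above and reports when the next planned reboot falls, then checks the two standard Windows Update and Component Based Servicing registry markers to see whether the guest already has a restart outstanding. The date passed in at the end is a constructed sample.

```powershell
# Added example: plan around the quarterly Hotpatch cycle (Jan/Apr/Jul/Oct baselines).
function Get-HotpatchCycleInfo {
    param([datetime]$Date = (Get-Date))

    $offset       = ($Date.Month - 1) % 3        # 0 = baseline month, 1 or 2 = hotpatch month
    $isBaseline   = $offset -eq 0
    $monthsToNext = (3 - $offset) % 3            # 0 when this month is itself a baseline
    $firstOfMonth = [datetime]::new($Date.Year, $Date.Month, 1)

    [pscustomobject]@{
        Month              = $firstOfMonth.ToString('yyyy-MM')
        MonthType          = if ($isBaseline) { 'Baseline (reboot required)' } else { 'Hotpatch (no reboot)' }
        NextRebootMonth    = $firstOfMonth.AddMonths($monthsToNext).ToString('yyyy-MM')
        # Hotpatch months left in this quarter, counting the current one when it is a hotpatch month
        HotpatchMonthsLeft = if ($isBaseline) { 2 } else { $monthsToNext }
    }
}

function Test-PendingReboot {
    # Markers written by Windows Update and Component Based Servicing when a restart is outstanding
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($m in $markers) {
        if (Test-Path -Path $m) { return $true }
    }
    return $false
}

# Constructed sample date: a March run, the last hotpatch month before the April baseline
Get-HotpatchCycleInfo -Date ([datetime]::new(2024, 3, 12))

# A restart left over from an earlier update is not cleared by hotpatches, so surface it now
if (Test-PendingReboot) {
    Write-Warning 'A restart is already pending on this guest'
}
```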

Enabling Hotpatch via Azure Portal

The primary way to enable Hotpatch on Azure VMs is through the Azure Portal. Navigate to your VM and follow these steps:

# Via Azure CLI (alternative to Portal)
# Hotpatch is part of patchSettings and requires the platform-orchestrated patch mode
az vm update \
    --resource-group myResourceGroup \
    --name myVM2022AzureEdition \
    --set osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform \
          osProfile.windowsConfiguration.patchSettings.enableHotpatching=true

# Verify Hotpatch status via Azure CLI
az vm show \
    --resource-group myResourceGroup \
    --name myVM2022AzureEdition \
    --query "osProfile.windowsConfiguration.patchSettings.enableHotpatching"

# Via Azure PowerShell
$vm = Get-AzVM -ResourceGroupName "myResourceGroup" -Name "myVM2022AzureEdition"
$vm.OSProfile.WindowsConfiguration.PatchSettings.PatchMode         = "AutomaticByPlatform"
$vm.OSProfile.WindowsConfiguration.PatchSettings.EnableHotpatching = $true
Update-AzVM -ResourceGroupName "myResourceGroup" -VM $vm

In the Portal, go to the VM > left menu under Operations > select Updates > click Hotpatch. The interface shows the current Hotpatch status (enabled/disabled) and the patch compliance state. Hotpatch can also be enabled during VM creation by selecting the Windows Server 2022 Datacenter Azure Edition image and checking the “Enable Hotpatch” option on the Management tab.
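The single-VM commands above scale poorly across a fleet. As an added example (not the project's own code), this Azure PowerShell function enables Hotpatch on every eligible VM in a resource group, judging eligibility from the Marketplace image SKU (Azure Edition SKUs contain "azure-edition") and skipping VMs that already have it on. It assumes the Az.Compute module, an authenticated session (Connect-AzAccount), and the SDK type name used to create a missing patchSettings block.

```powershell
# Added example: enable Hotpatch across a resource group, only where the image is Azure Edition.
function Enable-HotpatchOnFleet {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [switch]$ReportOnly     # list what would change without calling Update-AzVM
    )
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        $sku    = $vm.StorageProfile.ImageReference.Sku
        $winCfg = $vm.OSProfile.WindowsConfiguration
        if (-not $winCfg -or $sku -notlike '*azure-edition*') {
            Write-Output "$($vm.Name): skipped, image SKU '$sku' is not Windows Server Azure Edition"
            continue
        }
        if ($winCfg.PatchSettings -and $winCfg.PatchSettings.EnableHotpatching -eq $true) {
            Write-Output "$($vm.Name): Hotpatch already enabled"
            continue
        }
        if ($ReportOnly) {
            Write-Output "$($vm.Name): would enable Hotpatch (current patch mode: $($winCfg.PatchSettings.PatchMode))"
            continue
        }
        if (-not $winCfg.PatchSettings) {
            # Type name assumed from the Az.Compute SDK models; older VMs may carry no patchSettings block
            $winCfg.PatchSettings = [Microsoft.Azure.Management.Compute.Models.PatchSettings]::new()
        }
        # Hotpatch needs the platform-orchestrated patch mode as well as the flag itself
        $winCfg.PatchSettings.PatchMode         = 'AutomaticByPlatform'
        $winCfg.PatchSettings.EnableHotpatching = $true
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm | Out-Null
        Write-Output "$($vm.Name): Hotpatch enabled"
    }
}

# Dry run first, then apply
Enable-HotpatchOnFleet -ResourceGroupName 'myResourceGroup' -ReportOnly
Enable-HotpatchOnFleet -ResourceGroupName 'myResourceGroup'
```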

Azure Update Manager for Hotpatch

Azure Update Manager is the replacement for Azure Automation Update Management and is required for managing Hotpatch deployments at scale. It provides a centralized view of patch compliance across your entire Azure VM fleet:

# Azure PowerShell - Assess patch status for a VM
$patchAssessment = Invoke-AzVMPatchAssessment `
    -ResourceGroupName "myResourceGroup" `
    -VMName "myVM2022AzureEdition"

$patchAssessment | Select-Object AssessmentActivityId, Status, RebootPending, CriticalAndSecurityPatchCount

# List available patches; a RebootBehavior of NeverReboots marks the Hotpatch candidates
$patchAssessment.AvailablePatches |
    Select-Object Name, KbId, Classifications, RebootBehavior, ActivityId |
    Format-Table -AutoSize

# Apply patches immediately (respects Hotpatch eligibility automatically)
# MaximumDuration is an ISO 8601 duration string; RebootSetting is Always, IfRequired or Never
Invoke-AzVMInstallPatch `
    -ResourceGroupName "myResourceGroup" `
    -VMName "myVM2022AzureEdition" `
    -Windows `
    -MaximumDuration "PT2H" `
    -RebootSetting IfRequired `
    -ClassificationToIncludeForWindows 'Critical', 'Security'

Azure Update Manager automatically determines whether each patch is eligible for Hotpatch delivery. Critical and security patches that Microsoft has prepared as Hotpatches are applied without reboot; patches that require a reboot (such as baseline updates or patches outside the Hotpatch program) will schedule the reboot according to your maintenance window configuration.
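As an added example (not code from the original article), the following function ties the assessment and install steps above to the quarterly cycle: in a hotpatch month it reports any reboot-required security updates, excludes them, and installs with RebootSetting Never so the server stays up; in a baseline month it allows the reboot. It assumes the Az.Compute module and an authenticated session.

```powershell
# Added example: month-aware patching built on Invoke-AzVMPatchAssessment / Invoke-AzVMInstallPatch.
function Invoke-HotpatchAwarePatching {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [datetime]$Now = (Get-Date)
    )
    $isBaselineMonth = (($Now.Month - 1) % 3) -eq 0     # Jan, Apr, Jul, Oct

    $assessment = Invoke-AzVMPatchAssessment -ResourceGroupName $ResourceGroupName -VMName $VMName
    $security = @($assessment.AvailablePatches | Where-Object {
        $_.Classifications -contains 'Critical' -or $_.Classifications -contains 'Security' })
    # RebootBehavior is NeverReboots, CanRequestReboot or AlwaysRequiresReboot;
    # only NeverReboots items can be delivered without a restart
    $needReboot = @($security | Where-Object { $_.RebootBehavior -ne 'NeverReboots' })

    $summary = "{0}: {1} critical/security patches, {2} need a reboot, reboot already pending: {3}"
    Write-Output ($summary -f $VMName, $security.Count, $needReboot.Count, $assessment.RebootPending)

    if (-not $isBaselineMonth -and $needReboot.Count -gt 0) {
        Write-Warning "Hotpatch month: deferring to the next baseline: $($needReboot.Name -join ', ')"
    }

    # Outside baseline months, Never guarantees no restart even if a reboot-required KB is selected
    $rebootSetting = if ($isBaselineMonth) { 'IfRequired' } else { 'Never' }
    Invoke-AzVMInstallPatch `
        -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -Windows `
        -MaximumDuration 'PT2H' `
        -RebootSetting $rebootSetting `
        -ClassificationToIncludeForWindows 'Critical', 'Security' `
        -ExcludeKBsRequiringReboot:(-not $isBaselineMonth)
}

Invoke-HotpatchAwarePatching -ResourceGroupName 'myResourceGroup' -VMName 'myVM2022AzureEdition'
```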

Azure Policy for Hotpatch Compliance

Enforce Hotpatch enablement across all eligible VMs in a subscription or management group using Azure Policy:

# Using Azure CLI to assign the built-in Hotpatch policy
# Built-in policy ID for "Configure Windows Server Azure Edition VMs to use Hotpatch"
# Remediation needs a system-assigned identity with a role assignment on the scope; the role must
# match the definition's roleDefinitionIds (Virtual Machine Contributor is assumed here, check the
# definition before assigning)
az policy assignment create \
    --name "enforce-hotpatch" \
    --display-name "Enforce Hotpatch on WS2022 Azure Edition VMs" \
    --policy "e7a3a3d7-9cc6-4b2d-a853-2ac20e75f26e" \
    --scope "/subscriptions/YOUR-SUBSCRIPTION-ID" \
    --mi-system-assigned \
    --identity-scope "/subscriptions/YOUR-SUBSCRIPTION-ID" \
    --role "Virtual Machine Contributor" \
    --location eastus

# Create a remediation task to fix non-compliant VMs
az policy remediation create \
    --name "hotpatch-remediation" \
    --policy-assignment "enforce-hotpatch" \
    --resource-group myResourceGroup

The built-in Hotpatch Azure Policy definitions are available in the Azure Policy portal under Compute. The “Windows Server Azure Edition VMs should use Hotpatch” audit policy flags VMs that are eligible but do not have Hotpatch enabled. The corresponding “Configure” policy automatically enables it through remediation tasks, useful for bringing existing VMs into compliance without manual intervention.

Monitoring Hotpatch Status

Monitor the Hotpatch status of your VMs to ensure patches are being applied and reboot-free months are being achieved:

# Check Hotpatch status from inside the VM (PowerShell on the guest)
# This registry value reflects the Hotpatch enablement state
$hotpatchEnabled = (Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotPatching' `
    -ErrorAction SilentlyContinue).HotpatchingEnabled

if ($hotpatchEnabled -eq 1) {
    Write-Output "Hotpatch is ENABLED on this VM"
} else {
    Write-Output "Hotpatch is NOT enabled on this VM"
}

# Check Windows Update history for hotpatch-applied updates
$hotfixes = Get-HotFix | Where-Object { $_.Description -match 'Hotfix' }
$hotfixes | Select-Object HotFixID, Description, InstalledOn | Format-Table

# Generate a readable WindowsUpdate.log from the ETW traces, then search it for hotpatch activity
New-Item -ItemType Directory -Path C:\Logs -Force | Out-Null
Get-WindowsUpdateLog -LogPath C:\Logs\WindowsUpdate.log
Select-String -Path C:\Logs\WindowsUpdate.log -Pattern 'hotpatch' -SimpleMatch

# Azure Resource Graph query to check Hotpatch status across all VMs
# (run from Azure Cloud Shell or with Az.ResourceGraph module)
Search-AzGraph -Query @"
resources
| where type == 'microsoft.compute/virtualmachines'
| extend ps = properties.osProfile.windowsConfiguration.patchSettings
| where isnotnull(ps)
| project name, resourceGroup,
    patchMode = tostring(ps.patchMode),
    hotpatchEnabled = tobool(ps.enableHotpatching)
| order by name asc
"@

Hotpatch for Azure Arc-Enabled Servers (Preview)

Hotpatch for Azure Arc-enabled servers extends the reboot-free patching capability to on-premises Windows Server 2022 Datacenter Azure Edition servers connected to Azure Arc. As of 2024, this feature remains in preview and requires specific configuration:

# First ensure the Azure Arc agent is installed and the server is connected
# Download and install the Arc agent from: aka.ms/AzureConnectedMachineAgent
azcmagent connect \
    --resource-group "arc-servers-rg" \
    --tenant-id "YOUR-TENANT-ID" \
    --location "eastus" \
    --subscription-id "YOUR-SUBSCRIPTION-ID"

# Verify Arc connectivity
azcmagent show

# Enable Hotpatch via Azure CLI for an Arc-connected server
az connectedmachine update \
    --resource-group "arc-servers-rg" \
    --name "my-onprem-server" \
    --set "osProfile.windowsConfiguration.patchSettings.enableHotpatching=true"

Azure Edition vs Standard Windows Server 2022: Key Differences

The Azure Edition of Windows Server 2022 is distinct from the standard datacenter and standard editions in several important ways beyond just Hotpatch support:

SMB over QUIC: Azure Edition includes SMB over QUIC, which allows SMB file shares to be accessed securely over the internet without a VPN, using the QUIC transport protocol on UDP port 443. Standard editions require a VPN for secure remote SMB access.

Hotpatch: Available exclusively in Azure Edition when running on Azure or Azure Stack HCI.

Extended Network for Azure: Azure Edition supports Extended Network (extnet), which allows VMs to retain their on-premises IP addresses when migrated to Azure using Azure Migrate.

Licensing: Azure Edition is licensed per-VM through Azure’s pay-as-you-go or AHUB (Azure Hybrid Use Benefit) models. It cannot be installed on bare-metal on-premises servers that are not Azure Stack HCI or Arc-connected.

Limitations of Hotpatch

Hotpatch is a significant operational improvement, but it has important limitations to understand before planning your patching strategy:

Not all patches are hotpatchable: Only a subset of security patches qualifies for Hotpatch delivery. Baseline months still require reboots every three months. Additionally, some security patches that affect user-mode components outside the Hotpatch program will be delivered as standard reboot-required updates even in non-baseline months.

No .NET Framework patches via Hotpatch: Patches for .NET Framework are not delivered through Hotpatch and require reboots regardless of the month.

No non-security updates: Hotpatch only applies to critical and security patches. Quality/feature updates are not included.

Azure Edition only: Cannot be enabled on Windows Server 2022 Standard, Windows Server 2022 Datacenter without the Azure Edition SKU, or on any previous Windows Server version.

# Check if a specific KB is eligible for Hotpatch delivery
# Microsoft publishes a Hotpatch eligibility list at:
# https://support.microsoft.com/topic/hotpatch-for-windows-server-azure-edition-preview

# Check what updates are available and their reboot requirement
# Note: requires the PSWindowsUpdate module: Install-Module PSWindowsUpdate
Get-WindowsUpdate -MicrosoftUpdate |
    Select-Object Title, KB, IsMandatory, RebootRequired, IsDownloaded |
    Format-Table -AutoSize

Despite its limitations, Hotpatch significantly reduces the reboot frequency for production servers. In a typical year, a Hotpatch-enabled server requires only four planned reboots (one per baseline quarter) compared to twelve monthly patch reboots for traditional patching. For workloads with strict SLA requirements and limited maintenance windows, this reduction in downtime represents substantial operational value. Organizations running large Azure VM fleets often report significant cost savings simply from the reduction in maintenance window scheduling overhead and the ability to patch more aggressively without fear of service disruption.