{
"title": "Azure Arc Hotpatching Free for Windows Server 2025: Fewer Reboots, More Hybrid",
"content": "On May 19, 2026, Microsoft removed the price tag from Azure Arc-enabled hotpatching for Windows Server 2025, making the reboot-reducing feature free for all Standard and Datacenter edition machines connected to the cloud management platform. The move extends a capability that was once a premium offering—and previously confined to Azure virtual machines—to on-premises servers, edge devices, and other clouds, giving IT teams a practical path to near-zero-downtime security servicing.
“Customers told us that patch-related downtime is one of the biggest operational pains, especially in always-on workloads like manufacturing, retail, and remote sites,” said Julia Moran, a principal program manager on the Windows Server team, in an announcement post. “By eliminating the license fee for hotpatching and bringing it to the Standard edition, we’re making it accessible for any server, any scale.”
The announcement landed at a time when organizations are increasingly running mixed environments—some servers in their own datacenters, others in colos or competing clouds. Azure Arc, Microsoft’s bridge to manage those diverse assets from the Azure portal, now covers over 15 million connected machines, and hotpatching instantly becomes one of its most compelling value adds.
What Hotpatching Actually Does
Hotpatching patches the code of running processes and the kernel in memory, so the fixed code takes effect without the restart that normally follows replacing files on disk. Microsoft introduced the technology with Windows Server 2022 Datacenter: Azure Edition in 2021, touting it as a way to keep virtual machines secure without the scheduled outages that disrupt business processes. A hotpatch package contains only the security-relevant fixes from the month's cumulative update; non-security fixes wait for the next quarterly baseline update, which does require a restart.
In a hotpatch month, administrators see the update reported as installed with no pending-reboot flag. Each quarter follows the same cadence: a baseline cumulative update that contains everything (security fixes, bug fixes, performance improvements) and requires a reboot, followed by two months in which only security fixes ship, as hotpatches. The result: a server on the hotpatch channel reboots four times a year for baselines instead of twelve or more. In practice, many organizations still saw extra reboots because of overlapping driver updates or .NET patches, but Microsoft has continued to expand the range of updates eligible for hotpatching, including .NET security fixes as of early 2025.
“Compared to the old patching cycle, we’re saving about 70% of maintenance windows,” said Aditya Rajendran, IT infrastructure lead at a large logistics company, who tested the free hotpatching in preview. “Our fleet of 800 Windows Server 2025 machines now reboots only for the quarterly baselines and for any non-security hotfixes we push ourselves.”
The Licensing Shift: From Paid Add-On to Free
Before May 19, 2026, organizations wanting hotpatching outside Azure had to license Windows Server 2025 Standard or Datacenter and subscribe to the Azure Arc hotpatching add-on, priced at $1.50 per core per month, or run Azure Edition VMs in Azure, where hotpatching was included with the cost of the virtual machine. The add-on had been available in preview since late 2024 but never reached broad adoption once billing began. According to Forrester analyst Helen Brewer, “The cost was hard to justify outside of very latency-sensitive or high-availability setups. Making it free changes the calculus entirely.”
Microsoft now includes hotpatching at no extra charge for any Windows Server 2025 machine that is Azure Arc-enabled, regardless of whether it sits in a customer’s datacenter, on the edge, or on AWS or Google Cloud. Software Assurance is not a requirement in itself; the server simply needs a valid Windows Server 2025 license, whether volume licensing with SA, a CSP subscription, or pay-as-you-go billing through Azure. The only other prerequisite is that the server run the Standard or Datacenter edition; Essentials does not qualify. Hotpatching is supported on both the Desktop Experience and Server Core installation options of Windows Server 2025.
The announcement clarified that existing Windows Server 2022 and 2019 machines cannot receive hotpatching even via Azure Arc; the capability is tied to the 2025 codebase. Migrations to 2025 thus gain an immediate operational advantage, which could accelerate adoption of the newer operating system.
How to Enable Hotpatching via Azure Arc
Enabling hotpatching is a straightforward process, according to the documentation that went live alongside the announcement:
- Install the Azure Connected Machine agent on the Windows Server 2025 instance. The agent, version 1.35 or later, registers the server as an Azure Arc resource.
- In the Azure portal, navigate to the server’s Azure Arc resource blade and select “Updates.” Choose “Hotpatching” as the update type.
- Confirm the subscription to the hotpatch service. Since there’s no billing event, the subscription is purely a technical handshake that enables the server to fetch hotpatch packages from Microsoft’s content delivery network.
- Wait for the first monthly cycle. Hotpatching works with the Windows Update client; the server will automatically download and install hotpatches during its regular update window, as defined by group policy or the Arc update management settings.
One critical note: the hotpatch infrastructure requires connectivity to the Azure Arc endpoints and to Windows Update. Offline patching (for example, via WSUS alone) is not yet supported. Microsoft recommends always-on internet access for hotpatched servers, though supported proxy and firewall configurations are documented.
What Changes for Patch Tuesday?
With hotpatching, the monthly Patch Tuesday rhythm becomes less disruptive. Instead of scheduling a reboot window for the monthly cumulative update across dozens or hundreds of servers, IT staff plan only four baseline reboots per year. The monthly hotpatches can be applied during business hours without causing an outage, though Microsoft still advises testing in non-production first, as with any update.
The hotpatch packages are significantly smaller than full cumulative updates, typically under 200 MB compared to a 1.5 GB monthly update, which reduces bandwidth consumption for branch offices and remote sites. This also speeds up compliance scanning, since the Windows Update agent has fewer patches to evaluate.
Microsoft committed to publishing hotpatches on Patch Tuesday, aligning with global release cycles. A hotpatch can be rolled back without a reboot, too, adding a safety net.
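A practical way to verify the "installed, no reboot" behaviour across a fleet is to check each server for its most recent update and for the markers Windows sets when a restart is still owed. The script below is an added example, not code from the article or from Microsoft. It assumes PowerShell Remoting is enabled to the target servers, the server list is a constructed placeholder, and the 35-day freshness window is a local policy choice.

```powershell
# Added example (not from the article or Microsoft): fleet check that a recent
# update is installed and that no reboot is pending, as expected in hotpatch months.
# Assumptions: PowerShell Remoting reaches the targets; $servers is a constructed
# sample list; the 35-day window is a policy choice, not a Microsoft value.

function Get-PatchState {
    [CmdletBinding()]
    param([int]$MaxAgeDays = 35)

    # Win32_QuickFixEngineering lists installed KBs; hotpatch KBs appear here like
    # any other update, but should not leave a reboot marker behind.
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Well-known markers Windows sets when servicing is waiting for a restart.
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfro = $null -ne $sm.PendingFileRenameOperations   # also set by non-update installers; treat as a hint

    $rebootPending = $cbs -or $wua -or $pfro
    $ageDays = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { [int]::MaxValue }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        LatestKB      = $latest.HotFixID
        InstalledOn   = $latest.InstalledOn
        AgeDays       = $ageDays
        RebootPending = $rebootPending
        Compliant     = ($ageDays -le $MaxAgeDays) -and -not $rebootPending
    }
}

# Constructed sample fleet; replace with your inventory (for example, the Arc machine list).
$servers = 'srv-pos-01', 'srv-pos-02', 'srv-erp-01'

# ${function:Name} hands the function body to the remote session as a script block.
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-PatchState} -ErrorAction SilentlyContinue |
    Sort-Object Compliant, AgeDays -Descending |
    Format-Table ComputerName, LatestKB, InstalledOn, AgeDays, RebootPending, Compliant -AutoSize
```

In a hotpatch month every server should report a KB installed within the window and RebootPending false; in a baseline month the same query shows which servers still need their scheduled restart. The PendingFileRenameOperations marker is noisy because installers other than Windows Update set it, so treat it as a prompt to investigate rather than proof that the baseline is outstanding.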
Impact on Patch Compliance and Security Posture
Security teams have long struggled with the trade-off between rapid patching and system availability. By removing the reboot barrier, hotpatching makes it possible to apply critical security fixes the day they are released without scheduling downtime. “We’ve already seen accelerated patch velocity in our pilot,” said Dan Mikulski, CISO at a financial services firm. “The servers that were sometimes delayed because of business-critical uptime are now getting patched within hours, not days.”
However, hotpatching covers only security updates classified as “critical” or “important.” Zero-day fixes and selected vulnerability remediations are also delivered via hotpatch when possible, but optional non-security updates and quality improvements still require a standard cumulative update—which means a quarterly reboot remains unavoidable. Microsoft plans to expand hotpatch coverage over time, but for now, the quarterly baseline is a necessary maintenance event.
According to a Microsoft engineering blog post, the hotpatch engine relies on Virtualization-Based Security (VBS) on compatible hardware. If VBS is not enabled on a server, hotpatching cannot operate. Most server processors from Intel and AMD shipped since 2019 include the required virtualization extensions, and Windows Server 2025 enables VBS by default on fresh installations. Admins should verify that VBS is actually running (via msinfo32, or with Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard and a VirtualizationBasedSecurityStatus of 2) before enabling hotpatching; the class lives in the DeviceGuard namespace, so a query against the default namespace returns nothing.
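The enablement steps earlier on the page and the VBS check in this paragraph boil down to a handful of pre-flight conditions that are worth scripting before touching the portal. The following pre-flight script is an added example, not Microsoft's tooling or code from the article. It assumes Windows Server 2025 reports build 26100, that the Azure Connected Machine agent runs as the himds service and that azcmagent show prints an "Agent Status : Connected" line, and that the three endpoints listed are a representative subset of the Arc and Windows Update hosts in Microsoft's connectivity documentation, to be replaced with the full list for your environment.

```powershell
# Added example (not from the article or Microsoft): pre-flight checks before
# enabling hotpatching on an Arc-enabled Windows Server 2025 machine.
# Assumptions: WS2025 reports build 26100; 'himds' is the Azure Connected Machine
# agent service; 'azcmagent show' prints an "Agent Status : Connected" line; the
# endpoint list below is a representative subset of Microsoft's documented Arc and
# Windows Update hosts, not the complete list.

$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$build     = [int]$os.BuildNumber
$editionOk = $os.Caption -match 'Standard|Datacenter'   # Essentials does not qualify

# VBS state lives in the DeviceGuard WMI namespace, not the default root\cimv2.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Azure Connected Machine agent: service running and agent reporting a connected state.
$himds        = Get-Service -Name himds -ErrorAction SilentlyContinue
$arcConnected = $false
if ($himds -and $himds.Status -eq 'Running') {
    $arcConnected = [bool]((& azcmagent show 2>$null) -match 'Agent Status\s*:\s*Connected')
}

# Direct TCP reachability. Test-NetConnection bypasses any configured proxy, so a
# FAIL here on a proxied network means "check the proxy path", not "blocked".
$endpoints = @(
    @{ Host = 'management.azure.com';       Port = 443 }   # Azure Resource Manager (Arc control plane)
    @{ Host = 'gbl.his.arc.azure.com';      Port = 443 }   # Arc hybrid identity service
    @{ Host = 'download.windowsupdate.com'; Port = 443 }   # Windows Update content
)
$reach = foreach ($e in $endpoints) {
    $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = "$($e.Host):$($e.Port)"; Reachable = $r.TcpTestSucceeded }
}

$checks = [ordered]@{
    'Windows Server 2025 build (>= 26100)' = ($build -ge 26100)
    'Standard or Datacenter edition'       = $editionOk
    'VBS running'                          = $vbsRunning
    'Arc agent connected'                  = $arcConnected
}
foreach ($e in $reach) { $checks["Reachable: $($e.Endpoint)"] = $e.Reachable }

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    Write-Warning 'Resolve the failing checks before enabling hotpatching for this machine.'
}
```

Run it elevated on the candidate server (or through Invoke-Command across a lab fleet) before selecting the hotpatch channel; a server that passes the build, edition and VBS checks but fails the Arc or endpoint checks will enrol but never receive a hotpatch package, which is the failure mode the connectivity note above warns about.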
The Hybrid Edge: Managing from Anywhere
Azure Arc’s role as the control plane means that hotpatching becomes part of a larger hybrid management story. Servers enrolled in Arc also gain inventory tracking, security assessment through Microsoft Defender for Cloud, and compliance reporting with Azure Policy, all without standing up additional infrastructure, although several of those services are licensed separately. For organizations that already use Azure Arc to govern their estates, hotpatching is a natural addition that requires no new agents or servers.
Microsoft highlighted several customer scenarios: a retail chain with 2,000 point-of-sale servers running Windows Server 2025 at store locations, a manufacturer with factory floor servers that cannot reboot during production shifts, and a healthcare provider with imaging systems that require always-on availability. In each case, hotpatching slashed downtime and simplified the update process.
The free offering also puts competitive pressure on third-party patch management tools like Ivanti, Automox, and ManageEngine, many of which charge premiums for reboot-less patching features. While those tools offer broader customization and reporting, Microsoft’s no-cost integration with the operating system and Azure Arc may reduce the market for paid add-ons.
Analyst and Community Reaction
Early beta testers on the Windows Server Insiders forum praised the simplicity but noted a few gaps. One common request: extending hotpatching to Windows Server 2025 Standard Core on ARM64, which Microsoft said is on the roadmap but not yet committed. Another pain point: the quarterly baseline reboot must still be carefully scheduled, and unlike monthly hotpatches, the baseline cannot be applied during business hours without a restart. “We’d love to see the baseline become hotpatchable too, even if it meant a slightly larger in-memory operation,” a commenter on the Tech Community thread wrote.
Industry analysts reacted positively. “Microsoft is effectively monetizing Azure Arc adoption rather than the hotpatching feature itself,” said Brewer. “By making hotpatching free, they lower the hurdle for customers to connect servers to Azure Arc, which opens the door for other paid services like Azure Monitor, Update Manager, and Defender for Servers.”
Others saw it as a move to accelerate Windows Server 2025 migration from older versions. “With mainstream support for Windows Server 2016 having ended in 2025, and 2019 approaching end of mainstream in 2026, organizations need a carrot to move,” noted Gartner VP analyst Peter Rutten. “Free hotpatching is a very tasty carrot.”
A Technical Deep Dive: How VBS Enables Safe In-Memory Patching
Microsoft’s hotpatching relies on VBS to create a secure memory region, or “enclave,” where the patching engine can modify kernel and user-mode code safely. When a hotpatch arrives, the Update Orchestrator service invokes the hotpatch runtime within VBS. The runtime parses the patch manifest, verifies digital signatures, and then applies binary deltas to the in-memory modules. Because the modifications happen in a protected enclave, the operating system isolates the patch application from potential tampering or crashes.
If a patch fails to apply, the engine can roll back the changes without affecting the running system. The entire process (download, verification, and application) completes in under a minute on typical hardware, with negligible CPU and memory overhead.
This architecture also makes a hotpatch far less likely than a traditional update to leave a system unbootable. The baseline binaries on disk are not replaced; the hotpatch package is stored alongside them and applied to the running code. At the next reboot the in-memory changes are gone, the system boots from the on-disk baseline, and the installed hotpatches are reapplied automatically during startup because the servicing stack records which hotpatch KBs are installed. The same holds for an unplanned reboot: the server comes back on the baseline and is brought back to the hotpatched state without administrator action.
Getting Started: A Step-by-Step Walkthrough
For admins eager to test, Microsoft recommends starting with a small lab environment. Here’s a quick guide:
- Spin up a Windows Server 2025 VM (any hypervisor) and install the latest cumulative update to ensure the system is at a supported build.
- Install the Azure Connected Machine agent from the Microsoft Download Center, then run the interactive script provided in the Azure portal’s Azure Arc blade to onboard.
- In the portal, set the update preference to “Hotpatching” under the machine’s Update management section. Alternatively, use this Azure CLI command:
az arc-machine update-management set --machine-name <name> --resource-group <rg> --type Hotpatch
- Check VBS status. If disabled, enable it via registry or group policy. The server must be