Microsoft released an out-of-band hotpatch on March 13, 2026 addressing critical vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. This security update represents a significant advancement in Microsoft's patching strategy, allowing administrators to fix remote network-service vulnerabilities without requiring system restarts.

The hotpatch specifically targets RRAS, a component that enables Windows servers to function as network routers and provides remote access capabilities through VPN connections. According to Microsoft's security advisory, the vulnerabilities could allow remote code execution if exploited by attackers with network access to affected systems. The company rated these vulnerabilities as critical for Windows Server 2022 and Windows Server 2025 installations running RRAS.

What Makes This Hotpatch Different

Traditional Windows updates typically require system restarts to complete installation, causing downtime for critical servers and disrupting business operations. This hotpatch leverages Microsoft's evolving hotpatching technology, which allows security fixes to be applied to running processes without stopping services or rebooting systems.

The March 2026 RRAS hotpatch works by patching the in-memory code of running RRAS processes while maintaining service continuity. Microsoft has been developing this capability for several years, with previous hotpatching implementations requiring specific configurations or limited to certain Windows editions. This release appears to represent a more mature implementation available through standard update channels.

Technical Details and Requirements

Microsoft's documentation indicates the hotpatch is available for:
- Windows Server 2022 (all editions with RRAS enabled)
- Windows Server 2025 (all editions with RRAS enabled)

The update is delivered through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations using Microsoft Intune Autopatch can deploy the update through their automated patching workflows.

Administrators should verify their systems meet the prerequisites for hotpatch installation. These include having the latest servicing stack update installed and ensuring systems are running supported versions of Windows Server. The hotpatch cannot be applied to systems with pending restarts from previous updates.

Security Implications

The RRAS vulnerabilities addressed in this hotpatch affect the management interface of the routing service. Successful exploitation could allow attackers to execute arbitrary code with SYSTEM privileges on affected servers. Given that RRAS servers often sit at network perimeter positions, these vulnerabilities present particularly serious risks.

Microsoft has not disclosed whether these vulnerabilities are being actively exploited in the wild. However, the out-of-band release timing suggests the company considers them serious enough to warrant immediate attention outside the normal Patch Tuesday cycle.

Organizations running RRAS should prioritize applying this update, especially for internet-facing servers. The ability to patch without restart makes this particularly valuable for high-availability systems where downtime must be minimized.

Deployment Considerations

While hotpatching eliminates the restart requirement, administrators should still follow standard change management procedures. Testing in non-production environments remains essential, as does verifying that the patch doesn't introduce compatibility issues with dependent applications.

Backup and rollback procedures should be established before deployment. Although hotpatching is designed to be reversible, having system restore points or recent backups provides additional safety nets.

Monitoring systems after patch deployment is crucial. Administrators should watch for any unusual behavior in RRAS services or related network functions. Microsoft typically provides detailed logging of hotpatch installation in the Windows Event Log under the \"Hotpatching\" source.

The Evolution of Microsoft's Patching Strategy

This RRAS hotpatch represents another step in Microsoft's journey toward zero-downtime updates. The company has been investing in hotpatching technology for years, with previous implementations requiring Azure Automanage or specific Windows 11 configurations.

The March 2026 release demonstrates broader availability of this technology for critical server workloads. As organizations increasingly demand 24/7 availability for business-critical systems, Microsoft's investment in restart-free patching addresses a significant pain point for IT administrators.

Future developments may expand hotpatching to more Windows components and services. Microsoft's long-term goal appears to be making hotpatching the default method for security updates across its product portfolio.

Best Practices for Implementation

Administrators should follow these steps when deploying the RRAS hotpatch:

  1. Inventory affected systems: Identify all servers running RRAS in your environment
  2. Review prerequisites: Ensure systems have required servicing stack updates
  3. Test in isolation: Apply the patch to a test server first
  4. Monitor closely: Watch for any service disruptions during application
  5. Verify installation: Check that the hotpatch applied successfully
  6. Document changes: Update change management records

Organizations using automated patch management solutions should verify that their tools support hotpatch deployment. Microsoft Intune Autopatch users can configure policies to prioritize hotpatch installation for eligible systems.

Looking Ahead

The successful deployment of this RRAS hotpatch without requiring restarts marks progress toward Microsoft's vision of seamless updates. As the technology matures, we can expect more critical security fixes to be delivered via hotpatch, reducing the operational burden of patch management.

However, hotpatching isn't a panacea. Some updates will still require restarts due to architectural limitations or the nature of the fixes needed. Administrators should maintain comprehensive patch management strategies that include both hotpatch-capable and traditional updates.

Microsoft's continued investment in this area suggests that future Windows Server releases will have even more extensive hotpatching capabilities. The ultimate goal remains clear: keeping systems secure without disrupting the services they provide.

For now, organizations running RRAS should deploy this critical security update immediately. The ability to patch without restarting makes this one of the least disruptive ways to address serious vulnerabilities in network infrastructure components.