Windows Server 2025 Hotpatching via Azure Arc — Setup, Requirements, and Limitations
Windows Server 2025 supports hotpatching through Azure Arc, allowing security updates to be installed without requiring a server restart in most months. Enablement requires Azure Arc enrollment with the Azure Connected Machine agent, Virtualization-based Security (VBS) enabled, and a supported Windows Server 2025 edition. Hotpatching is available at no additional charge for eligible Arc-enabled servers but does not eliminate all reboots — periodic baseline updates still require restarts.
Indicators
- Server requires frequent reboots for monthly security updates, indicating hotpatching is not yet enabled
- Azure Arc-enabled server running Windows Server 2025 not receiving no-reboot security patches
- Hotpatching feature not visible or configurable in Azure portal for an Arc-enrolled Windows Server 2025 machine
- Azure Connected Machine agent showing disconnected or unhealthy status in Azure Arc portal
Likely causes
- Azure Arc not configured or Azure Connected Machine agent not installed on the target server
- Virtualization-based Security (VBS) not enabled on the Windows Server 2025 instance
- Unsupported Windows Server 2025 edition selected — not all editions qualify for hotpatching
- Server not enrolled as an eligible Azure Arc-enabled server for the hotpatching feature
Diagnostic steps
- Confirm the server is enrolled in Azure Arc by checking Azure Portal > Azure Arc > Servers, or verify the Azure Connected Machine agent service is installed and running locally with Get-Service -Name 'himds'. This determines whether the foundational Azure Arc connectivity prerequisite is met before attempting to enable hotpatching.
- Verify that Virtualization-based Security (VBS) is enabled. Run msinfo32.exe and check for 'Virtualization-based security: Running', or use PowerShell: Get-ComputerInfo -Property 'DeviceGuardVirtualizationBasedSecurityStatus'. This confirms that VBS, a hard requirement for hotpatching, is active on the server.
- Confirm the installed Windows Server 2025 edition is supported for hotpatching. Check via Settings > System > About or run (Get-WmiObject Win32_OperatingSystem).Caption to read the edition. This ensures the edition in use is eligible for hotpatching, as not all Windows Server 2025 editions qualify.
- Check the Azure portal under the Arc-enabled server's Update Management or Hotpatch configuration blade to determine whether hotpatching is available and what its current enrollment status is. This provides direct visibility into whether the feature is available for this specific server and whether any blocking conditions are flagged by Azure.
- Verify Azure Connected Machine agent connectivity status with azcmagent show. This confirms the agent is connected to Azure and can receive hotpatch instructions.
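The local checks above combined into one PowerShell function, as an added example that is not part of the original runbook; it assumes the edition patterns passed in have been confirmed eligible against Microsoft's current list, and that azcmagent show prints an 'Agent Status' line reading 'Connected' when the agent is healthy.

```powershell
# Added example: hotpatch prerequisite check for an Arc-enrolled Windows Server 2025 host.
# Returns one object per host so it can be run fleet-wide (e.g. via Invoke-Command) and the
# failing prerequisite identified before the next patch cycle.
function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param(
        # Assumption: edition names the operator has confirmed eligible; adjust to
        # Microsoft's current list. The match is coarse and only narrows the result.
        [string[]]$EligibleEditionPatterns = @('Standard', 'Datacenter')
    )

    # 1. Azure Connected Machine agent service (himds) present and running
    $himds = Get-Service -Name 'himds' -ErrorAction SilentlyContinue
    $agentRunning = ($null -ne $himds) -and ($himds.Status -eq 'Running')

    # 2. VBS status via the same property the runbook uses; 'Running' is the required state
    $vbs = (Get-ComputerInfo -Property 'DeviceGuardVirtualizationBasedSecurityStatus').DeviceGuardVirtualizationBasedSecurityStatus
    $vbsRunning = ("$vbs" -eq 'Running')

    # 3. OS caption, e.g. 'Microsoft Windows Server 2025 Datacenter'
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $is2025 = $caption -like '*Windows Server 2025*'
    $editionOk = $false
    foreach ($p in $EligibleEditionPatterns) { if ($caption -like "*$p*") { $editionOk = $true } }

    # 4. Arc connectivity; assumption: 'azcmagent show' output contains 'Agent Status : Connected'
    $arcConnected = $false
    if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
        $show = & azcmagent show 2>&1
        $arcConnected = [bool]($show | Select-String -Pattern 'Agent Status\s*:\s*Connected')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSCaption        = $caption
        IsServer2025     = $is2025
        EditionEligible  = $editionOk
        VbsStatus        = "$vbs"
        VbsRunning       = $vbsRunning
        HimdsRunning     = $agentRunning
        ArcConnected     = $arcConnected
        ReadyForHotpatch = $is2025 -and $editionOk -and $vbsRunning -and $agentRunning -and $arcConnected
    }
}

Test-HotpatchPrerequisites | Format-List
```

A ReadyForHotpatch value of False with every flag set except VbsRunning points at step 2 of the resolution path (and its required reboot); False with HimdsRunning or ArcConnected clear points at step 1.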
Resolution path
- 1. Enroll the Windows Server 2025 machine in Azure Arc by installing the Azure Connected Machine agent. Download from Azure Portal > Azure Arc > Servers > Add and follow the onboarding script or manual installation steps.
- 2. Enable Virtualization-based Security (VBS) if not already active. Configure via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Alternatively, configure through UEFI/firmware settings and Windows Security Center. A reboot is required after enabling VBS.
- 3. Once Arc enrollment is confirmed and VBS is active, navigate to Azure Portal > Azure Arc > Servers > [target server] > Updates or Hotpatch settings.
- 4. Enable hotpatching for the eligible Windows Server 2025 server — no additional licensing charge applies for eligible Arc-enabled servers.
- 5. Confirm hotpatching enrollment status shows 'Enabled' in the Azure portal before the next Patch Tuesday cycle.
Prevention
- Establish a standard Azure Arc enrollment process for all new Windows Server 2025 deployments so hotpatching is available from day one, reducing patch-related reboot windows across the fleet.
- Include Virtualization-based Security enablement in the Windows Server 2025 build baseline and deployment checklist, ensuring all eligible servers meet hotpatching prerequisites before they enter production.
- Monitor Azure Arc agent health proactively — a disconnected or unhealthy Connected Machine agent will disrupt hotpatch delivery, so alert on agent connectivity failures before the next patch cycle.
- Document which Windows Server 2025 editions are deployed across the estate and verify eligibility for hotpatching during procurement and deployment planning.
Tools
- Azure Portal — Arc enrollment, hotpatch configuration, and update status management
- Azure Connected Machine agent (azcmagent) — required agent for Arc connectivity
- msinfo32.exe — verify Virtualization-based Security status locally
- Get-ComputerInfo (PowerShell) — query VBS and system configuration details
- Windows Update / WSUS — underlying patching mechanism hotpatching extends