Windows Server 2025 Hotpatching Preview

Hi All,

Microsoft has announced the preview of Hotpatching for Windows Server 2025, which also supports Azure and Arc-enabled machines:

Benefits:

  • Lower workload impact with fewer reboots. Instead of 12 mandatory reboots a year on “Patch Tuesday”, you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month).
  • Fewer binaries mean updates download and install faster while consuming fewer disk and CPU resources.
  • Easier patch orchestration and change control.
  • Integrated with the optional Azure Update Manager.

Azure Arc Enabled Machine

I have a Windows Server 2025 machine that is Arc-enabled, and I will use it in this blog article.

To enable Hotpatch, I went to the Arc-enabled server and clicked on “Hotpatch (preview)”.

It turns out that Virtualization-based security (VBS) is a prerequisite and had not been configured on my Windows Server 2025.

According to the article above, you can check whether Device Guard is running:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

There are multiple ways of enabling Virtualization-based Security. One of them is to enable it in the registry:

Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Key name: EnableVirtualizationBasedSecurity
Type: REG_DWORD
Value: 1 (to enable Virtualization Based Security)

After a reboot I checked Device Guard again. It turns out you don’t need Device Guard; only Virtualization-based Security needs to be enabled.

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
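
The check and the registry change above combined into one script, as an added example that is not part of the original post. It also reads `VirtualizationBasedSecurityStatus` from the same WMI class, because `SecurityServicesRunning` can report no services while VBS itself is running; the `-Enable` switch and the output property names are assumptions of this example.

```powershell
# Added example: report VBS state and optionally apply the registry value from the post.
# Run elevated. The -Enable switch is this example's own parameter.
param([switch]$Enable)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$regName = 'EnableVirtualizationBasedSecurity'

# Documented values of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
$vbsStatusText = @{
    0 = 'VBS is not enabled'
    1 = 'VBS is enabled but not running'
    2 = 'VBS is enabled and running'
}
# Documented values of Win32_DeviceGuard.SecurityServicesRunning
$serviceText = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$configured = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

# Translate each running-service code, keeping unknown codes visible
$services = $dg.SecurityServicesRunning | ForEach-Object {
    if ($serviceText.ContainsKey([int]$_)) { $serviceText[[int]$_] } else { "Unknown ($_)" }
}

[pscustomobject]@{
    RegistryValue   = if ($null -eq $configured) { '(not set)' } else { $configured }
    VbsStatus       = $vbsStatusText[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesRunning = $services -join ', '
}

if ($Enable -and $configured -ne 1) {
    # Same registry change as described in the post; takes effect after a reboot.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "$regName set to 1. Reboot, then run this check again."
}
```

After the reboot, a `VbsStatus` of "VBS is enabled and running" is the state the Hotpatch prerequisite check looks for, even if `ServicesRunning` still shows `None`.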

When we check again on our Azure Arc-enabled server, Virtualization-based Security has now been detected and we can enable Hotpatch.

Hotpatch is enrolled

Status changes to Pending

And finally it has been enabled

I am curious how that will work in the coming months. Anyway, it’s well worth a try.

Regards
Andres Bohren
