Azure Arc Hotpatch for Windows Server 2025 Is Now Free

Patch management has always involved a trade-off: apply the update, schedule the reboot, absorb the downtime. For organizations running dozens or hundreds of Windows servers across hybrid and multicloud environments, that trade-off adds up quickly. Microsoft just changed the calculus.

As of May 19, 2026, hotpatch on Azure Arc-enabled machines running Windows Server 2025 Standard or Datacenter is available at no additional cost. There is no per-core meter, no hourly charge, and no separate hotpatch line item on your invoice. What was previously a paid add-on is now included for any Windows Server 2025 machine connected to Azure Arc. Microsoft published the full announcement on the Azure Arc Blog for teams that want the complete technical breakdown directly from the product group.

How Windows Server 2025 Hotpatching Works

Hotpatch updates apply security fixes directly to running processes in memory, bypassing the traditional update cycle that requires a full system restart. This approach maintains continuous uptime, reduces service disruption, and enables faster deployment of security fixes, while still using periodic full updates where necessary.

The patch cadence works in a quarterly cycle:

  • Baseline months (January, April, July, October): A full cumulative security update installs, requiring one restart per quarter.
  • Hotpatch months (the two months following each baseline): Security updates apply without a restart, taking effect immediately on running workloads.

In practice, that means up to eight months per year with no required reboot for security patching. For production workloads where maintenance windows are expensive or difficult to schedule, this is a meaningful operational improvement.

Windows Server 2025 Hotpatch Eligibility Requirements

Eligibility requirements are specific:

  • The machine must run Windows Server 2025 Standard or Datacenter (build 26100.1742 or later)
  • The machine must be connected to Azure Arc via the Azure Connected Machine agent
  • Virtualization-based security (VBS) must be enabled, which requires UEFI with Secure Boot

Both Server Core and Server with Desktop Experience installations are supported. The underlying environment, whether VMware, Hyper-V, AWS, or GCP, has no effect on eligibility or cost.

One clarification to note: hotpatch has always been available without additional charge for Azure IaaS VMs running Windows Server 2022 Datacenter: Azure Edition and Windows Server 2025 Datacenter: Azure Edition. The May 2026 announcement extends that same no-cost access to Arc-enabled machines running on-premises and in multicloud environments.

Existing enrolled servers require no action. Billing has been stopped for all servers previously enrolled in hotpatch, and those machines remain enrolled and continue to receive hotpatch updates.

How to Enable Hotpatch on Azure Arc-Connected Windows Server 2025 Machines

For machines not yet enrolled, Microsoft's official documentation for enabling hotpatch on Azure Arc-enabled servers covers the full prerequisites and step-by-step configuration. At a high level:

  1. Connect the machine to Azure Arc by installing the Azure Connected Machine agent. Deployment supports Group Policy, service principal, or Terraform for at-scale rollout.
  2. Verify VBS is enabled on the target machine before proceeding.
  3. Enable Hotpatch via the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
  4. Use Azure Update Manager to schedule rollouts, monitor compliance, and orchestrate patching across your entire fleet from a single control plane.
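A local pre-check for the eligibility list above and for step 2, run on the server before enrollment; this is an added example, not code from Microsoft or CloudServus. The function name `Test-HotpatchPrerequisite` is hypothetical, and matching the `Agent Status` line in `azcmagent show` text output is an assumption about that tool's output format.

```powershell
#Requires -RunAsAdministrator
# Added example: checks the hotpatch prerequisites named in this article on the local machine.
# Test-HotpatchPrerequisite is a hypothetical name, not a Microsoft cmdlet.
function Test-HotpatchPrerequisite {
    param([version]$MinimumBuild = '10.0.26100.1742')  # build floor stated in the article
    $r = [ordered]@{}

    # Edition and build: CurrentBuildNumber.UBR yields e.g. 26100.1742
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $r['Edition2025StdOrDatacenter'] = $caption -match 'Windows Server 2025 (Standard|Datacenter)'
    $r['BuildAtLeastMinimum']        = $build -ge $MinimumBuild

    # VBS status: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r['VbsRunning'] = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Secure Boot: Confirm-SecureBootUEFI throws on non-UEFI firmware, so treat that as a fail
    try   { $r['SecureBootOn'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r['SecureBootOn'] = $false }

    # Arc agent: assumes 'azcmagent show' prints a line like "Agent Status : Connected"
    $azcm = Get-Command azcmagent -ErrorAction SilentlyContinue
    if ($azcm) {
        $r['ArcAgentConnected'] = ((& $azcm.Source show) -join "`n") -match 'Agent Status\s*:\s*Connected'
    } else {
        $r['ArcAgentConnected'] = $false   # agent not installed or not on PATH
    }

    # One object per check so results can be filtered, exported, or collected fleet-wide
    foreach ($k in $r.Keys) { [pscustomobject]@{ Check = $k; Passed = [bool]$r[$k] } }
}

$checks = Test-HotpatchPrerequisite
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning 'One or more hotpatch prerequisites are not met on this machine.'
}
```

A VBS status of 1 (enabled but not running) is reported as a failure here, which usually points to a pending restart or a firmware setting rather than a missing policy.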

Azure Update Manager gives operations teams centralized visibility into patch state across Azure, on-premises, and multicloud machines. For organizations already using Azure Arc for governance and monitoring, adding hotpatch enrollment is a lightweight addition to an existing workflow.

What Azure Arc Provides Beyond Hotpatching

The hotpatch announcement is worth reading alongside what Azure Arc already provides at no additional cost for connected machines: resource tagging and organization, infrastructure-as-code support via Bicep and Terraform, VM lifecycle management, and SSH-based administration through Azure. Management services included with Windows Server Software Assurance or Extended Security Updates extend that further with Azure Update Manager, Azure Machine Configuration (Policy), Change Tracking, VM insights, and Best Practices Assessment.

For IT leaders evaluating hybrid infrastructure strategy, this shifts the conversation. Azure Arc extends Azure-native management capabilities to on-premises, multicloud, and edge environments. CloudServus has written about that calculus in the context of hybrid cloud decision-making in 2026 for organizations still weighing on-premises versus cloud commitments.

Microsoft's hotpatch overview on Microsoft Learn provides the full supported OS matrix, including which combinations of publisher, offer, and SKU are eligible across Azure and Arc-enabled environments.

How Hotpatch Reduces Security Exposure Across Hybrid Server Fleets

For security and operations teams, the value compounds. Patches that don't require a reboot get deployed faster. Faster deployment reduces the window between a vulnerability disclosure and remediation. Fewer maintenance windows means fewer scheduling conflicts with application owners, fewer overnight change approvals, and less risk of a deferred patch sitting uninstalled because the business couldn't absorb downtime.

Across a hybrid fleet at scale, that's a material reduction in operational overhead and security exposure, at no incremental cost.

CloudServus's Azure Arc and hybrid infrastructure practice helps mid-market and enterprise organizations build Arc-connected environments designed for governance, security, and long-term manageability. If your team is evaluating how to bring Windows Server 2025 hotpatch into an existing patch management program, or if you're running a hybrid fleet that isn't yet Arc-connected, a free cloud infrastructure assessment is a practical starting point for understanding scope, prerequisites, and deployment sequencing.