Patch management has always involved a trade-off: apply the update, schedule the reboot, absorb the downtime. For organizations running dozens or hundreds of Windows servers across hybrid and multicloud environments, that trade-off adds up quickly. Microsoft just changed the calculus.
As of May 19, 2026, hotpatch on Azure Arc-enabled machines running Windows Server 2025 Standard or Datacenter is available at no additional cost. There is no per-core meter, no hourly charge, and no separate hotpatch line item on your invoice. What was previously a paid add-on is now included for any Windows Server 2025 machine connected to Azure Arc. Microsoft published the full announcement on the Azure Arc Blog for teams that want the complete technical breakdown directly from the product group.
Hotpatch updates apply security fixes directly to running processes in memory, bypassing the traditional update cycle that requires a full system restart. This approach maintains continuous uptime, reduces service disruption, and enables faster deployment of security fixes, while still using periodic full updates where necessary.
The patch cadence works in a quarterly cycle:
In practice, that means up to eight months per year with no required reboot for security patching. For production workloads where maintenance windows are expensive or difficult to schedule, this is a meaningful operational improvement.
Eligibility requirements are specific:
Both Server Core and Server with Desktop Experience installations are supported. The underlying environment, whether VMware, Hyper-V, AWS, or GCP, has no effect on eligibility or cost.
One clarification to note: hotpatch has always been available without additional charge for Azure IaaS VMs running Windows Server 2022 Datacenter: Azure Edition and Windows Server 2025 Datacenter: Azure Edition. The May 2026 announcement extends that same no-cost access to Arc-enabled machines running on-premises and in multicloud environments.
Existing enrolled servers require no action. Billing has been stopped for all servers previously enrolled in hotpatch, and those machines remain enrolled and continue to receive hotpatch updates.
For machines not yet enrolled, Microsoft's official documentation for enabling hotpatch on Azure Arc-enabled servers covers the full prerequisites and step-by-step configuration. At a high level:
Azure Update Manager gives operations teams centralized visibility into patch state across Azure, on-premises, and multicloud machines. For organizations already using Azure Arc for governance and monitoring, adding hotpatch enrollment is a lightweight addition to an existing workflow.
The hotpatch announcement is worth reading alongside what Azure Arc already provides at no additional cost for connected machines: resource tagging and organization, infrastructure-as-code support via Bicep and Terraform, VM lifecycle management, and SSH-based administration through Azure. Management services included with Windows Server Software Assurance or Extended Security Updates extend that further with Azure Update Manager, Azure Machine Configuration (Policy), Change Tracking, VM insights, and Best Practices Assessment.
For IT leaders evaluating hybrid infrastructure strategy, this shifts the conversation. Azure Arc extends Azure-native management capabilities to on-premises, multicloud, and edge environments. CloudServus has written about that calculus in the context of hybrid cloud decision-making in 2026 for organizations still weighing on-premises versus cloud commitments.
Microsoft's hotpatch overview on Microsoft Learn provides the full supported OS matrix, including which combinations of publisher, offer, and SKU are eligible across Azure and Arc-enabled environments.
For security and operations teams, the value compounds. Patches that don't require a reboot get deployed faster. Faster deployment reduces the window between a vulnerability disclosure and remediation. Fewer maintenance windows mean fewer scheduling conflicts with application owners, fewer overnight change approvals, and less risk of a deferred patch sitting uninstalled because the business couldn't absorb downtime.
Across a hybrid fleet at scale, that's a material reduction in operational overhead and security exposure, at no incremental cost.
CloudServus's Azure Arc and hybrid infrastructure practice helps mid-market and enterprise organizations build Arc-connected environments designed for governance, security, and long-term manageability. If your team is evaluating how to bring Windows Server 2025 hotpatch into an existing patch management program, or if you're running a hybrid fleet that isn't yet Arc-connected, a free cloud infrastructure assessment is a practical starting point for understanding scope, prerequisites, and deployment sequencing.