Edit

Manage hotpatches on Arc-enabled machines

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Azure Update Manager enables you to install hotpatches on Windows Server Azure Editions and Arc-enabled machines. For more information, see Hotpatch for virtual machines.

This article explains how to install hotpatches on compatible Arc-enabled machines. For hotpatches being non-intrusive on availability, you can create faster schedules and update your services immediately after release, with less planning to maintain reliability of your machines at-scale.

Supported operating systems

  • Windows Server 2025 Standard Edition
  • Windows Server 2025 Datacenter Edition

Prerequisites

  • Verify that the machine has a supported OS SKU. Learn more.
  • Ensure that Virtualization Based Security (VBS) is enabled. Learn more.
  • Ensure the machine is Arc-enabled.

Manage Hotpatches

Enroll hotpatch license

To enroll hotpatch license, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and then select the specific Arc-enabled server.

  3. Under the Recommended updates section, in Hotpatch, select Change.

  4. In the Hotpatch, select Receive monthly Hotpatch updates option.

  5. Select Enable Hotpatching and then select Confirm.

    Screenshot showing how to enroll hotpatch license.

Manage hotpatch updates

After you enroll to hotpatch license, your machine automatically receives hotpatch updates.

To enable or disable hotpatching at scale, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and in the Azure Update Manager | Machines page, under Settings, select Update settings.

  3. In Change update settings page, select +Add machine, to select the machine to which you want to change the update settings.

  4. In Select resources page, select the machines and then select Add to view the machines in Change update settings page.

  5. In the Hotpatch dropdown, select Enable and then select Save.

    Screenshot showing how to manage hotpatch updates.

View hotpatch status

To view the hotpatch status at scale on your machines, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and then select Edit columns.

  3. In Choose columns pane, select Hotpatch status and then select Save.

    The Hotpatch status column appears in the machines grid and displays the status for all Azure machines and Arc-enabled machines. To view only Arc related details, you can filter Resource Type as Arc-enabled server.

    Screenshot showing how to view hotpatching status at scale.

Hotpatch statuses

Status Meaning
Not enrolled License is available but not enrolled on this machine.
Enabled License is enrolled and machine is enabled for receiving hotpatch updates.
Canceled License has been canceled on the machine.
Disabled License is enrolled but the machine is disabled for receiving hotpatch updates.
Pending Interim status while enrollment is in progress.

Check hotpatch updates

For latest hotpatch updates, enable either periodic assessment or a one-time update.

Periodic assessment automatically assesses for available updates and ensures that available patches are detected. You can view the results of the assessment on the Recommended updates tab, including the time of the last assessment.

You can also choose to trigger an on-demand patch assessment for your VM at any time using the Check for updates option and review the results after assessment completes. In this assessment result, you can view the reboot status of the given update under Reboot required column.

Screenshot showing how to check hotpatching updates.

Install hotpatch updates

To install, you can create a user-defined schedule or one-time update. You can install it immediately after it's available, allowing your machine to get secure faster.

Using either of these options you can choose to install all available update classifications or only security updates. You can also specify updates to include or exclude by providing the individual hotpatch knowledge base IDs. You can enter more than one knowledge base ID in this flow.

Screenshot showing how to include knowledge base ID.

This ensures that the hotpatch update which doesn't require reboots is installed in the same schedule or one-time update schedule, making patch installation window predictable.

View history

You can view the history of update deployments on your VM through the history option.

Update history displays the history for the past 30 days, along with patch installation details such as reboot status.

Screenshot showing how to view the history of update deployments on your VM.

Billing considerations

As of May 19, 2026, Hotpatch on Azure Arc-enabled machines running Windows Server 2025 Standard or Datacenter is available at no additional cost. There is no per-core meter, no hourly charge, and no separate Hotpatch line item on your invoice.

  • Existing enrolled servers: Billing has been stopped for all servers previously enrolled in Hotpatch. No action is required. These machines remain enrolled and continue to receive hotpatch updates when available.
  • New enrollments: Enabling Hotpatch on eligible Windows Server 2025 Arc-enabled machines incurs no Hotpatch charges, regardless of the underlying environment (VMware, Hyper-V, AWS, GCP, or other on-premises and multicloud environments) or edition (Standard or Datacenter).

Next steps

  • Last updated on