Muokkaa

Jaa


Manage hotpatches (preview) on Arc-enabled machines

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.

Azure Update Manager enables you to install hotpatches (preview) on Windows Server Azure Editions and Arc-enabled machines. For more information, see Hotpatch for virtual machines.

This article explains how to install hotpatches (preview) on compatible Arc-enabled machines. For hotpatches (preview) being non-intrusive on availability, you can create faster schedules and update your services immediately after release, with less planning to maintain reliability of your machines at-scale.

Supported operating systems

  • Windows Server 2025 Standard Edition
  • Windows Server 2025 Datacenter Edition

Prerequisites

  • Verify that the machine has a supported OS SKU. Learn more.
  • Ensure that Virtualization Based Security (VBS) is enabled. Learn more.
  • Ensure the machine is Arc-enabled.

Manage Hotpatches (preview)

Enroll hotpatch (preview) license

To enroll hotpatch (preview) license, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and then select the specific Arc-enabled server.

  3. Under the Recommended updates section, in Hotpatch, select Change.

  4. In the Hotpatch (preview), select I want to license this Windows Server to receive monthly patches option.

  5. Select Enable Hotpatching and then select Confirm.

    Screenshot showing how to enroll hotpatch license.

Manage hotpatch (preview) updates

After you enroll to hotpatch (preview) license, your machine automatically receives hotpatch updates.

To enable or disable hotpatching at scale, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and in the Azure Update Manager | Machines page, under Settings, select Update settings.

  3. In Change update settings page, select +Add machine, to select the machine to which you want to change the update settings.

  4. In Select resources page, select the machines and then select Add to view the machines in Change update settings page.

  5. In the Hotpatch (preview) dropdown, select Enable (current) and then select Save.

    Screenshot showing how to manage hotpatch updates.

View hotpatch (preview) status

To view the hotpatch (preview) status at scale on your machines, follow these steps:

  1. Sign in to the Azure portal and go to Azure Update Manager.

  2. Under Resources, select Machines and then select Edit columns.

  3. In Choose columns pane, select Hotpatch status and then select Save.

    The Hotpatch status column appears in the machines grid and displays the status for all Azure machines and Arc-enabled machines. To view only Arc related details, you can filter Resource Type as Arc-enabled server.

    Screenshot showing how to view hotpatching status at scale.

Hotpatch (preview) statuses

Status Meaning
Not enrolled License is available but not enrolled on this machine.
Enabled License is enrolled and machine is enabled for receiving hotpatch updates.
Canceled License has been canceled on the machine.
Disabled License is enrolled but the machine is disabled for receiving hotpatch updates.
Pending Interim status while enrollment is in progress.

Check hotpatch (preview) updates

For latest hotpatch updates, enable either periodic assessment or a one-time update.

Periodic assessment automatically assesses for available updates and ensures that available patches are detected. You can view the results of the assessment on the Recommended updates tab, including the time of the last assessment.

You can also choose to trigger an on-demand patch assessment for your VM at any time using the Check for updates option and review the results after assessment completes. In this assessment result, you can view the reboot status of the given update under Reboot required column.

Screenshot showing how to check hotpatching updates.

Install hotpatch (preview) updates

To install, you can create a user-defined schedule or one-time update. You can install it immediately after it's available, allowing your machine to get secure faster.

Using either of these options you can choose to install all available update classifications or only security updates. You can also specify updates to include or exclude by providing the individual hotpatch (preview) knowledge base IDs. You can enter more than one knowledge base ID in this flow.

Screenshot showing how to include knowledge base ID.

This ensures that the hotpatch (preview) update which doesn't require reboots is installed in the same schedule or one-time update schedule, making patch installation window predictable.

View history

You can view the history of update deployments on your VM through the history option.

Update history displays the history for the past 30 days, along with patch installation details such as reboot status.

Screenshot showing how to view the history of update deployments on your VM.

Next steps