Multicloud.is
Opining on the multicloud ecosystem
RD Logo     MVP Logo
Hotpatching on Azure Local: Security Updates Without the Reboot

Hotpatching on Azure Local: Security Updates Without the Reboot

4 mins read
Tags # Azure Local # Windows Server 2025 # Security # Lifecycle Management

Hotpatching on Azure Local

On July 1st, Microsoft made hotpatching for Windows Server 2025 generally available as a subscription service. This has been a long time coming, and for Azure Local customers in particular, it has real implications for how you think about maintenance windows, update cadence, and operational overhead. Let’s dig into what this actually means in practice.

What Hotpatching Is

Hotpatching is the ability to apply security updates to a running operating system without requiring a reboot. The update is applied in-memory to the running processes, the security fix takes effect immediately, and the workloads running on that system experience zero interruption.

This isn’t a new concept. Azure VMs running Windows Server Datacenter: Azure Edition have had hotpatching for a while. What’s new is that hotpatching is now available for Windows Server 2025 running on-premises, including as guest VMs on Azure Local.

The way it works in practice is that out of every quarterly update cycle, three of the four monthly security updates are delivered as hotpatches (no reboot required), and one is a traditional cumulative update that does require a reboot. This means instead of rebooting monthly, you reboot quarterly. For a single VM that might not sound transformative, but for a clustered environment with dozens or hundreds of VMs, the reduction in reboot-driven live migrations, failovers, and maintenance window complexity is substantial.

Why This Matters for Azure Local

If you’ve managed an Azure Stack HCI or Azure Local cluster through a monthly patching cycle, you know the drill. Update the first node, live migrate all workloads off it, reboot, wait for it to come back, validate, move to the next node. Repeat for every node in the cluster. For a four-node cluster, this is manageable. For a sixteen-node cluster, it’s a significant time investment.

Now consider the guest VMs. Each Windows Server VM that needs a security update also needs to be rebooted. If you have workloads that are sensitive to downtime, you need to coordinate application-level failovers, wait for services to drain, handle the reboot, and then validate that everything came back cleanly.

Hotpatching doesn’t eliminate all of this, the host OS update cycle for Azure Local itself follows its own cadence, but for the guest VMs running Windows Server 2025 on your Azure Local cluster, the reduction from monthly reboots to quarterly reboots is a genuine operational improvement.

For workloads where even a quarterly reboot is disruptive, the three months of hotpatch-only updates give you breathing room to plan and coordinate those quarterly reboots more carefully.

The Subscription Model

Hotpatching for on-premises Windows Server 2025 is delivered as a subscription service through Azure. This means your Windows Server 2025 VMs need to be Arc-enabled and connected to Azure to receive hotpatches. For Azure Local VMs that are already Arc-enabled by nature of being Azure Stack HCI VMs, this integration is straightforward.

The subscription cost is something to factor into your budgeting, but weigh it against the operational cost of the maintenance windows that hotpatching eliminates. If your patching process currently involves out of hours work for your operations team, the maths tends to work out favourably.

For Dell AX customers, the subscription can be bundled as part of your Azure Local licensing. Talk to your Dell account team about how this fits into your overall licensing and subscription structure.

Practical Considerations

A few things to be aware of.

Not every update can be delivered as a hotpatch. Some security fixes require changes that can only take effect after a reboot, and these will be rolled into the quarterly cumulative update. Microsoft’s documentation provides visibility into which updates are hotpatch-eligible.

Application compatibility is something to validate. While hotpatching applies to the OS level, some applications may have dependencies on specific OS behaviours during the patching process. Test in your non-production environment first, as you would with any update methodology.

The hotpatching capability is specific to Windows Server 2025. If you’re running older guest OS versions on Azure Local, those VMs will continue to follow the traditional reboot-required patching model. This is another reason to plan your guest OS modernisation alongside your Azure Local platform updates.

The Bigger Picture

Hotpatching is one of those features that on its own is a quality-of-life improvement, but in the context of the broader Azure Local operational story, it’s part of a pattern. Azure-managed updates for the platform, Dell SBE-managed updates for the hardware, hotpatching for the guest VMs, all of this is converging towards a future where the operational overhead of keeping your on-premises infrastructure current and secure is dramatically lower than it’s been historically.

We’re not all the way there yet, but the direction is right, and each step makes the overall experience meaningfully better. If you’re running Windows Server 2025 guests on Azure Local and you haven’t looked at hotpatching, now’s the time.