Installing Windows Hotpatches using the Windows Update API

BigFix provides a new method for managing Windows Hotpatch updates by leveraging the Windows Update API.

What Is Hotpatch for Windows Server 2025?

Hotpatching is a technology that applies security updates directly to the in-memory code of running processes. This eliminates the need for a full system or application restart.

This technology is designed to:
  • Reduce downtime
  • Improve system availability
  • Enhance patch compliance without service disruption

Supported Editions

This technology is available on the following Windows Server editions:
  • Windows Server 2025 Standard
  • Windows Server 2025 Datacenter
  • Windows Server 2025 Datacenter: Azure Edition (Hotpatch enabled by default; no Azure Arc needed).

Availability & Subscription Details

  • General Availability: From July 1, 2025, Hotpatching transitioned into a paid subscription model.

  • Pricing:
    • $1.50 per CPU core per month for Windows Server 2025 Standard and Datacenter editions connected via Azure Arc.
    • Azure Edition (Windows Server 2025 Datacenter: Azure Edition) continues to receive Hotpatching at no additional cost.

How Hotpatching Works: Patch Cadence & Reboot Schedule

Hotpatching follows a quarterly baseline cycle:
Table 1. How Hotpatching Works: Patch Cadence & Reboot Schedule

  Patch type                  Months                                                Reboot required?
  Baseline cumulative update  January, April, July, October                         Yes (reboot required)
  Hotpatch                    February, March, May, June, August, September,        No
                              November, December
Important: Critical or zero-day security patches may trigger an unplanned baseline update that needs a reboot outside the normal cycle.

Requirements for Using Hotpatch

  • Windows Server 2025 Standard or Datacenter edition (Azure Edition included).
  • Azure Arc connectivity for on-premises or multicloud deployments (not required for Datacenter: Azure Edition).
  • Virtualization-Based Security (VBS) enabled.
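The following is an added example, not BigFix's or Microsoft's own code, that checks the three requirements above on a candidate endpoint from an elevated PowerShell session. It assumes that a running Azure Arc Connected Machine agent is represented by the Windows service named `himds` (Hybrid Instance Metadata Service), and it reads the VBS state from the `Win32_DeviceGuard` WMI class, where status 2 means VBS is enabled and running.

```powershell
# Added example (not BigFix's or Microsoft's code): verify the Hotpatch requirements
# on a Windows Server 2025 host. Run in an elevated PowerShell session.
# Assumptions: the Azure Arc agent exposes the 'himds' service; Win32_DeviceGuard
# VirtualizationBasedSecurityStatus 2 means VBS is enabled and running.

function Test-HotpatchRequirements {
    $results = [ordered]@{}

    # 1. Edition: Windows Server 2025 Standard, Datacenter, or Datacenter: Azure Edition.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['Edition']   = $os.Caption
    $results['EditionOk'] = [bool]($os.Caption -match 'Windows Server 2025 (Standard|Datacenter)')
    $isAzureEdition       = [bool]($os.Caption -match 'Azure Edition')

    # 2. Virtualization-Based Security must be enabled and running.
    #    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $results['VbsStatus'] = $dg.VirtualizationBasedSecurityStatus
    $results['VbsOk']     = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # 3. Azure Arc connectivity is required unless this is Azure Edition (assumption: 'himds' = Arc agent).
    $arc = Get-Service -Name himds -ErrorAction SilentlyContinue
    $results['ArcAgentRunning'] = ($null -ne $arc -and $arc.Status -eq 'Running')
    $results['ArcOk']           = $isAzureEdition -or $results['ArcAgentRunning']

    $results['Ready'] = $results['EditionOk'] -and $results['VbsOk'] -and $results['ArcOk']
    [pscustomobject]$results
}

Test-HotpatchRequirements | Format-List
```

A `Ready` value of `False` with `VbsOk` false is the usual cause of a hotpatch being offered but failing to apply, so check this output before enrolling an endpoint rather than after the first failed installation.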

Prerequisites for API-based Hotpatch Installation in BigFix

Before you can begin, ensure the following BigFix prerequisites are met:

  • BigFix Platform 11.0 or later is installed.
  • Target endpoints must meet Microsoft Hotpatch requirements listed above.
  • The BigFix client service is installed and running on the endpoints.

Workflow of API-based Hotpatch Installation

  1. Search for Updates: BigFix queries the Windows Update API to find available hotpatches.
  2. Identify Hotpatch: The system identifies the hotpatch by its KB article number.
  3. Download Hotpatch: The package is automatically fetched from Microsoft Update.
  4. Install Hotpatch: The patch is applied silently to the endpoint.
    • During Hotpatch months, no reboot is required.
  5. Report Status: BigFix Console updates compliance reports with the installation status: Success or Failed.
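To show what the five steps above look like against the Windows Update Agent COM API itself, here is an added example written for this page; it is not BigFix's implementation and does not use the BigFix client. It assumes the operator supplies the KB number, that an update whose title contains "Hotpatch" is the hotpatch package (the title wording is an assumption), and that Windows Update Agent result code 2 means succeeded and 3 means succeeded with errors.

```powershell
# Added example (not BigFix's code): search, identify by KB, download, install and
# report a hotpatch through the Windows Update Agent COM API. Run elevated.
# Assumptions: $KB is the digits of the KB article; hotpatch titles contain "Hotpatch";
# ResultCode 2 = Succeeded, 3 = SucceededWithErrors.

function Install-HotpatchByKB {
    param([Parameter(Mandatory)][string]$KB)   # digits only, taken from the release notes

    $session = New-Object -ComObject Microsoft.Update.Session
    $session.ClientApplicationID = 'hotpatch-example'

    # 1. Search: ask Windows Update for applicable software updates not yet installed.
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    # 2. Identify: match on the KB article ID and warn if it does not look like a hotpatch.
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        if (@($u.KBArticleIDs) -contains $KB) {
            if ($u.Title -notmatch 'Hotpatch') {
                Write-Warning "KB$KB is offered but its title does not say Hotpatch: '$($u.Title)'. A reboot may be required."
            }
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$coll.Add($u)
        }
    }
    if ($coll.Count -eq 0) {
        return [pscustomobject]@{ KB = $KB; Status = 'NotApplicable'; RebootRequired = $false }
    }

    # 3. Download from Microsoft Update.
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    $dl = $downloader.Download()
    if ($dl.ResultCode -notin 2, 3) {
        return [pscustomobject]@{
            KB = $KB; Status = 'Failed'; Stage = 'Download'
            HResult = ('0x{0:X8}' -f $dl.HResult); RebootRequired = $false
        }
    }

    # 4. Install silently; the installer reports whether a reboot is needed.
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates    = $coll
    $installer.ForceQuiet = $true
    $inst = $installer.Install()

    # 5. Report Success or Failed plus the reboot flag (expected False in a hotpatch month).
    [pscustomobject]@{
        KB             = $KB
        Status         = if ($inst.ResultCode -in 2, 3) { 'Success' } else { 'Failed' }
        Stage          = 'Install'
        HResult        = ('0x{0:X8}' -f $inst.HResult)
        RebootRequired = [bool]$inst.RebootRequired
    }
}

# Usage: Install-HotpatchByKB -KB '<digits of the KB article from the release notes>'
```

The `RebootRequired` field is the check worth keeping in any report: a hotpatch that comes back with `RebootRequired = True` is a sign that the endpoint received a baseline cumulative update (see Table 1) or an out-of-cycle baseline, not a hotpatch, and the maintenance window should be planned accordingly.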