Microsoft Hotpatch is a Windows update feature that installs Security Patches on eligible endpoints without requiring a system reboot, ensuring higher availability and reduced downtime.
The support of Hotpatch content in BigFix requires a dedicated built-in utility that is downloaded on the endpoint through the Fixlet.
During the execution of the fixlet, the utility is executed in order to call the Windows Update APIs to connect to Microsoft Update and install the applicable hotpatch on machines that require it.
The Hotpatch fixlets will be published in the Patches for Windows Site.
Customer Benefits
Minimized Downtime – Hotpatches apply updates without restarting the server, reducing service interruptions.
Seamless Deployment – Delivered through BigFix Fixlets, ensuring easy rollout across environments.
Consistent Security – Keeps systems protected with the latest Microsoft updates while maintaining uptime.
Supported Environments
Windows Server 2025 (Azure-hosted)
Windows Server 2025 (On-premises, connected via Azure Arc)
How it works
Deploy the Fixlet published in the “Patches for Windows” External Site.
The Fixlet downloads the required utility on the endpoint.
The utility connects via the Windows Update API to download the Hotpatch binary and install it.
Targeted machines receive the hotpatch update without a reboot.
Pre-Requirements
Installing Hotpatch content requires entitlement from Microsoft and enablement of the devices. Check the Microsoft website for how to do that.
The endpoint must connect to Microsoft Update endpoints (e.g., *.windowsupdate.microsoft.com) to download and apply the Hotpatch.
The post states updates are deployed using Microsoft Update. Please clarify whether this means updates will be automatically deployed from Microsoft or if they can still be controlled via BigFix with fixlets. If controlled in BigFix, will there be different fixlets only for Hotpatch? Lastly, when will this be available for Windows 11 as well?
I would suggest looking at the Hotpatch fixlet. It doesn't seem to be too complicated, and it looks to me like there is a requirement for the Azure agent and the patch is triggered by a custom EXE. I assume it does some communication to trigger that event for the server to check in with MS and download the appropriate hotpatch.
It's an MS requirement to be registered with Azure Arc and have the agent running on the Win2025 system. It would be helpful to have a fixlet or task to support configuring Azure Arc; I purposely built out servers to not depend on external Azure and MS logins.
Hi Rony, yes, please see the following fixlet: Fixlet # 506547401 - MS25-SEP: Hotpatch Update for Microsoft server operating system version 2025 - Windows Server 2025 - KB5065474 (x64)
This fixlet has various prerequisites in order to be applicable and to execute successfully on your Win2025 endpoint. I would encourage you to review the Microsoft article “Enable Hotpatch for Azure Arc-enabled servers” at the link below for these additional details:
We've developed an executable which invokes the Windows Update Agent APIs in order to successfully download the hotpatch and install the patch on the targeted endpoint. The BigFix operator will control when they would like to execute this binary via the fixlet, and it will then fetch the hotpatch via the Windows Update Agent APIs. Also, as you will see in this month's Hotpatch KB5065474 article linked below, this patch is only available via Windows Update. Therefore, customers who would like to take advantage of this capability will have to allow their endpoints to communicate with Windows Update. Microsoft is not providing these patches in the catalog or server update services (only via Windows Update).
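The following PowerShell script is an added example, not BigFix's utility and not Microsoft code. It illustrates the "Pre-Requirements" and "How it works" steps from the announcement and the reply above about the Windows Update Agent (WUA) APIs: it checks the Azure Arc agent and Windows Update reachability, then uses the public WUA COM API (Microsoft.Update.Session) to list what Windows Update currently offers the machine and whether each item needs a reboot, which is how a hotpatch entry distinguishes itself. Assumptions are labelled in the comments: the Arc service name "himds", TCP port 443 for the reachability probe, ServerSelection value 2 to force a Windows Update (not WSUS) search, and the optional install path that targets one KB number supplied on the command line (KB5065474 from the thread is only a sample value).

```powershell
# Added example: Hotpatch preflight and WUA query. Not BigFix's fixlet utility.
# Run in an elevated PowerShell on Windows Server 2025.
#   .\hotpatch-preflight.ps1                  # report only
#   .\hotpatch-preflight.ps1 -KB 5065474 -Install   # also install that one KB
param(
    [string]$KB,        # KB article number without the "KB" prefix (assumed format)
    [switch]$Install    # without this switch the script changes nothing
)

# 1. Azure Arc connected-machine agent. "himds" (Hybrid Instance Metadata Service)
#    is the Arc agent's service name as documented by Microsoft; treated here as an assumption.
$arc = Get-Service -Name 'himds' -ErrorAction SilentlyContinue
if ($null -eq $arc -or $arc.Status -ne 'Running') {
    Write-Warning 'Azure Arc agent service (himds) not found or not running; Hotpatch entitlement will not apply.'
}

# 2. Outbound reachability to Windows Update (the thread states hotpatches are served
#    only from Windows Update, not WSUS or the catalog). Host from the thread, port 443 assumed.
$wuHost = 'windowsupdate.microsoft.com'
if (-not (Test-NetConnection -ComputerName $wuHost -Port 443 -InformationLevel Quiet)) {
    Write-Warning "Cannot reach $wuHost on TCP 443; the hotpatch download will fail."
}

# 3. Ask the Windows Update Agent what is applicable. ServerSelection 2 = ssWindowsUpdate,
#    so a WSUS-configured server still searches Windows Update, matching the thread's note.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 2
$result = $searcher.Search("IsInstalled=0 and Type='Software'")

# IUpdate.RebootRequired is $false for an update that applies without a restart,
# which is the property a hotpatch entry is expected to show.
$report = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title          = $u.Title
        KB             = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        RebootRequired = $u.RebootRequired
        Downloaded     = $u.IsDownloaded
    }
}
$report | Format-Table -AutoSize

# 4. Optional: download and install exactly one offered KB, the operator-controlled step
#    that the thread says the fixlet's executable performs. Nothing runs without -Install.
if ($Install -and $KB) {
    $coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $result.Updates) {
        if (@($u.KBArticleIDs) -contains $KB) { [void]$coll.Add($u) }
    }
    if ($coll.Count -eq 0) {
        Write-Warning "KB$KB is not currently offered to this machine by Windows Update."
        return
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $r = $installer.Install()
    # ResultCode 2 = orcSucceeded; RebootRequired should stay $false for a hotpatch.
    "KB$KB install ResultCode=$($r.ResultCode) RebootRequired=$($r.RebootRequired)"
}
```

The report step is safe to run on any Windows Server 2025 host to confirm that a hotpatch is actually being offered before deploying the fixlet; a search that returns nothing usually points back to the entitlement or Arc enrollment prerequisites rather than to BigFix. Keep the install path gated by a BigFix action rather than scheduling it locally, so the operator retains the control the reply above describes.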