Windows Server Azure Hotpatch

DC Admin 0 Reputation points
2025-03-19T12:59:59.93+00:00

I have an Azure VM running. The source image plan is "2022-datacenter-azure-edition-hotpatch"; however, Hotpatch is disabled and the Azure Update Manager patch orchestration is set to "Customer Managed Schedules".

In this configuration the VM is not showing the current 2025-03 update KB5053603 as available for install, so Defender is reporting the server as vulnerable. The last patch showing as installed was KB5053638, which is a hotfix cumulative (installed 14/3/25).

So, will this VM only install hotfix patches even though hotfix is disabled?

Does the build release for hotfix patches lag behind the standard build release? i.e. standard 21H2 build is currently 20348.3328 and this VM is showing 20348.3270 for KB5053638.

Are hotfix releases different to the standard patch Tuesday release?

Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.


2 answers

  1. Ankit Yadav 14,350 Reputation points Microsoft External Staff Moderator
    2025-08-28T18:42:07.45+00:00

    Hello John Parker,

    Yes, the command Get-ComputerInfo seems to be wrong for this: its OsHotFixes property only lists installed hotfixes, and it does not carry any boolean value (True or False) for Hotpatch.

    The best way to identify whether the VM's Hotpatch is disabled is the Azure portal's Update Manager.

    For double verification, you can get the same details with Azure CLI or the Azure Cloud Shell (bash) using this command:
    (Note: replace ResourceGroup with your VM's resource group name and VM_Name with your virtual machine's name.)

     az vm show -g ResourceGroup -n VM_Name --query "osProfile.windowsConfiguration.patchSettings"
    

    The above command returns JSON output like the following:

    {
      "assessmentMode": "ImageDefault",
      "automaticByPlatformSettings": {
        "bypassPlatformSafetyChecksOnUserSchedule": false,
        "rebootSetting": "IfRequired"
      },
      "enableHotpatching": true,
      "patchMode": "AutomaticByPlatform"
    }
    

    If you see "enableHotpatching": true, that means Hotpatching is still enabled on your virtual machine.

    Let me know if there are more queries related to this.


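The same control-plane check as the `az vm show` query above, done from PowerShell, as an added example that is not part of the answer. It assumes the Az.Compute module is installed and you have already run Connect-AzAccount; `ResourceGroup` and `VM_Name` are placeholders exactly as in the answer. The final step, flipping EnableHotpatching to false and writing the VM model back, is an assumption about how one would turn the setting off explicitly rather than something the thread states:

```powershell
# Added example (not from the thread). Requires Az.Compute and an active Connect-AzAccount session.
# ResourceGroup / VM_Name are placeholders; replace them with your own values.
$rg     = 'ResourceGroup'
$vmName = 'VM_Name'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$ps = $vm.OSProfile.WindowsConfiguration.PatchSettings

# Same fields as "osProfile.windowsConfiguration.patchSettings" in the az CLI output,
# plus the image SKU so you can see whether this is the "-hotpatch" plan.
[pscustomobject]@{
    ImageSku          = $vm.StorageProfile.ImageReference.Sku   # e.g. 2022-datacenter-azure-edition-hotpatch
    PatchMode         = $ps.PatchMode                            # Hotpatch needs AutomaticByPlatform
    AssessmentMode    = $ps.AssessmentMode
    EnableHotpatching = $ps.EnableHotpatching                    # $true = Hotpatch still enabled on the VM model
} | Format-List

if ($ps.EnableHotpatching) {
    # Assumed remediation: clear the flag on the VM model and push it back to Azure.
    # Do this deliberately; it changes which updates Update Manager offers to the VM.
    $vm.OSProfile.WindowsConfiguration.PatchSettings.EnableHotpatching = $false
    Update-AzVM -ResourceGroupName $rg -VM $vm
}
```

The az CLI equivalent of the last step is a generic property set, `az vm update -g ResourceGroup -n VM_Name --set osProfile.windowsConfiguration.patchSettings.enableHotpatching=false`; re-run the `az vm show --query` command from the answer afterwards to confirm the value actually changed, since the portal toggle and the VM model can disagree, which is the situation the question describes.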

  2. Alex Burlachenko 20,825 Reputation points MVP Volunteer Moderator
    2025-03-19T16:29:25.81+00:00

    Hi DC Admin,
    thanks for asking here, let’s address your questions one by one:

    First Q. Will this VM only install hotfix patches even though hotfix is disabled?

    If your VM is using the "2022-datacenter-azure-edition-hotpatch" image, it might still be treated as a Hotpatch-enabled VM by the update system, even if Hotpatch is disabled. This could explain why only Hotfix patches (like KB5053638) are being offered, and standard Patch Tuesday updates (like KB5053603) are not showing up.

    To resolve this:

    Check that Hotpatch is fully disabled by running:

    Get-ComputerInfo
    

    If it returns True, Hotpatch is still active.

    If Hotpatch is not needed, consider re-deploying the VM using a standard Windows Server 2022 Datacenter image (without Hotpatch).

    Second Q. Does the build release for hotfix patches lag behind the standard build release?

    Yes, Hotfix builds (e.g., 20348.3270) often lag behind standard builds (e.g., 20348.3328). This is because Hotfix updates are designed to minimize reboots and follow a different release cadence. They are cumulative but may not include all the fixes or features of the latest standard Patch Tuesday release.

    Third Q. Are hotfix releases different to the standard Patch Tuesday release?

    Yes, Hotfix releases are different:

    • Hotfix Patches: Smaller, cumulative updates designed for Hotpatch-enabled VMs. Released more frequently (outside the Patch Tuesday schedule). Do not require a reboot.
    • Standard Patch Tuesday Updates: Larger, cumulative updates released monthly. Include security fixes, improvements, and new features. Require a reboot.

    Summary:

    Verify if Hotpatch is truly disabled.

    If Hotpatch is not needed, switch to a standard Windows Server 2022 image.

    Manually install the missing KB5053603 update from the Microsoft Update Catalog.

    Consider changing the patch orchestration mode to "Azure Managed" if you want Azure to handle updates automatically.

    For more details, check out:

    Best regards,
    Alex
    P.S. If my answer helped you, please accept it.

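The thread's "verify what is actually installed" step, as an added example that is not part of either answer: run inside the guest, it reads the running build and UBR from the registry (so you get the 20348.xxxx number the question compares), lists the most recent installed updates, and checks for the two KB numbers the question mentions. The KB identifiers are taken from the question only as illustration; substitute the month you care about. Note that Get-HotFix and the OsHotFixes property of Get-ComputerInfo show the same installed-update list and neither is an on/off flag for Hotpatch:

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the VM itself.
# Running build: CurrentBuildNumber.UBR, e.g. 20348.3270 (the question's KB5053638 level)
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
"Running build: $build ($($cv.ProductName), $($cv.DisplayVersion))"

# Most recently installed updates. This is the same data Get-ComputerInfo exposes as
# OsHotFixes; it tells you what is installed, not whether Hotpatch is enabled.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# KB numbers from the question, used here as placeholders: the monthly security update
# Defender is flagging as missing, and the hotfix update the question says is installed.
$kbsToCheck = @(
    @{ Id = 'KB5053603'; Role = '2025-03 monthly security update (reboot required)' },
    @{ Id = 'KB5053638'; Role = 'hotfix cumulative installed 14/3/25 per the question' }
)
foreach ($kb in $kbsToCheck) {
    $installed = [bool](Get-HotFix -Id $kb.Id -ErrorAction SilentlyContinue)
    '{0} ({1}): {2}' -f $kb.Id, $kb.Role, $(if ($installed) { 'installed' } else { 'missing' })
}
```

Compare the build string printed first with the build that Azure Update Manager or the Microsoft Update Catalog lists for the monthly update you expect; if the UBR is lower and the monthly KB is reported missing while a hotfix KB is present, that matches the situation in the question and points back at the VM model's patch settings rather than at the guest.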
