Windows Server Azure Hotpatch

DC Admin 0 Reputation points
2025-03-19T12:59:59.93+00:00

I have an Azure VM running. The source image plan is "2022-datacenter-azure-edition-hotpatch"; however, hotpatch is disabled and the Azure Update Manager patch orchestration is set to "Customer Managed Schedules".

In this configuration the VM is not showing the current 2025-03 KB5053603 as available for install therefore Defender is reporting server as vulnerable. The last patch showing as installed was KB5053638, which is a hotfix cumulative (installed 14/3/25).

So, will this VM only install hotfix patches even though hotfix is disabled?

Does the build release for hotfix patches lag behind the standard build release? I.e., the standard 21H2 build is currently 20348.3328, and this VM is showing 20348.3270 for KB5053638.

Are hotfix releases different to the standard patch Tuesday release?

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

1 answer
  1. Alex Burlachenko 4,310 Reputation points
    2025-03-19T16:29:25.81+00:00

    Hi DC Admin,
    thanks for asking here, let’s address your questions one by one:

    First Q. Will this VM only install hotfix patches even though hotfix is disabled?

    If your VM is using the "2022-datacenter-azure-edition-hotpatch" image, it might still be treated as a Hotpatch-enabled VM by the update system, even if Hotpatch is disabled. This could explain why only Hotfix patches (like KB5053638) are being offered, and standard Patch Tuesday updates (like KB5053603) are not showing up.

    To resolve this:

    check that Hotpatch is fully disabled by running:

    Get-ComputerInfo

    If it returns True, Hotpatch is still active.

    If Hotpatch is not needed, consider re-deploying the VM using a standard Windows Server 2022 Datacenter image (without Hotpatch).

    Second Q. Does the build release for hotfix patches lag behind the standard build release?

    Yes, Hotfix builds (e.g., 20348.3270) often lag behind standard builds (e.g., 20348.3328). This is because Hotfix updates are designed to minimize reboots and follow a different release cadence. They are cumulative but may not include all the fixes or features of the latest standard Patch Tuesday release.

    Third Q. Are hotfix releases different to the standard Patch Tuesday release?

    Yes, Hotfix releases are different:

    • Hotfix Patches: Smaller, cumulative updates designed for Hotpatch-enabled VMs. Released more frequently (outside the Patch Tuesday schedule). Do not require a reboot.
    • Standard Patch Tuesday Updates: Larger, cumulative updates released monthly. Include security fixes, improvements, and new features. Require a reboot.

    Summary.

    Verify if Hotpatch is truly disabled.

    If Hotpatch is not needed, switch to a standard Windows Server 2022 image.

    Manually install the missing KB5053603 update from the Microsoft Update Catalog.

    Consider changing the patch orchestration mode to "Azure Managed" if you want Azure to handle updates automatically.

    For more details, check out:

    Best regards,
    Alex
    P.S. If my answer helped you, please Accept my answer.

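The answer's summary steps (verify the patch state, then decide whether the standard cumulative update is actually missing) can be checked with data rather than by eye. The script below is an added example, not code from the thread or from Microsoft; it is meant to be run in an elevated PowerShell session inside the guest. The KB and build numbers are the ones quoted in the question (KB5053603, 20348.3328), the cmdlets and registry values are standard Windows ones, and the Azure-side lines at the end assume the Az module plus a resource group and VM name that are placeholders.

```powershell
# Added example (not part of the original thread): inventory the guest's
# patch state so the "missing KB" question is answered from the registry
# and the installed-update list instead of from the Defender report alone.
# Assumptions: elevated PowerShell on the VM; KB/build numbers are the ones
# quoted in the question and are parameters so they can be changed next month.

param(
    [string]$ExpectedKb    = 'KB5053603',  # LCU Defender flagged as missing
    [int]   $ExpectedBuild = 20348,        # Windows Server 2022 (21H2) build
    [int]   $ExpectedUbr   = 3328          # 20348.3328, the current standard build
)

function Get-GuestPatchState {
    param([string]$Kb, [int]$Build, [int]$Ubr)

    # Build number and update build revision (UBR) as Windows records them.
    $ver          = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $currentBuild = [int]$ver.CurrentBuild
    $currentUbr   = [int]$ver.UBR

    # Installed updates; cumulative updates show up here with their KB id.
    $hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending

    [pscustomobject]@{
        Edition             = $ver.ProductName       # "Azure Edition" marks the hotpatch SKU
        DisplayVersion      = $ver.DisplayVersion    # e.g. 21H2
        Build               = "$currentBuild.$currentUbr"
        # True only when the guest is at or past the expected standard build.
        BuildIsCurrent      = ($currentBuild -gt $Build) -or
                              ($currentBuild -eq $Build -and $currentUbr -ge $Ubr)
        ExpectedKbInstalled = [bool]($hotfixes | Where-Object HotFixID -eq $Kb)
        LatestInstalled     = $hotfixes | Select-Object -First 5 HotFixID, Description, InstalledOn
    }
}

$state = Get-GuestPatchState -Kb $ExpectedKb -Build $ExpectedBuild -Ubr $ExpectedUbr
$state | Format-List

if (-not $state.ExpectedKbInstalled -and -not $state.BuildIsCurrent) {
    Write-Warning "$ExpectedKb not installed and build $($state.Build) is below $ExpectedBuild.$ExpectedUbr."
    # Manual install from the Microsoft Update Catalog, as the answer suggests.
    # The .msu path is a placeholder; download it from the catalog first.
    # Start-Process wusa.exe -ArgumentList '<path-to-downloaded>.msu', '/quiet', '/norestart' -Wait
}

# Management-side check (run where the Az module is installed; names are placeholders):
# $vm = Get-AzVM -ResourceGroupName '<resource-group>' -Name '<vm-name>'
# $vm.StorageProfile.ImageReference.Sku                  # image SKU the VM was built from
# $vm.OSProfile.WindowsConfiguration.PatchSettings       # PatchMode / EnableHotpatching / AssessmentMode
```

The UBR comparison is the useful part: a VM on a hotpatch baseline reports a lower UBR than the current standard LCU even though it has the latest update offered to it, which is exactly the symptom the question describes, so the build number alone does not say whether anything is missing. The Azure-side properties show what the platform believes about the VM (image SKU and patch settings), which is what the answer's "verify if Hotpatch is truly disabled" step is really asking.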
