Microsoft Confirms $1.50 Windows Security Update Hotpatch Fee Starts July 1

In a move that has sparked controversy and concern among users, Microsoft has confirmed that its no-reboot security update hotpatch feature will become a subscription-only service starting July 1st. The new policy applies to Windows Server 2025 users, who will need to pay $1.50 per CPU core per month for the privilege of receiving these updates.

The hotpatch system, which has been available in preview mode since 2024, promises to bring several benefits to the security update process. With no reboot required, updates will be faster to deploy and have easier patch orchestration with Azure Update Manager. Additionally, hotpatching reduces the "window of vulnerability" between a vulnerability becoming known and getting patched, making it harder for attackers to exploit them.

However, this new policy has raised questions about who gets to pay for these updates. Microsoft states that users of Windows Server 2025 Standard or Datacenter, connected to Azure Arc, will need to subscribe to the Hotpatch service. This means that those running legacy versions of Windows operating systems without security support will be left vulnerable.

For users of legacy Windows platforms, there is some good news. The 0patch micro-patching service has extended its availability for Windows 7 and Windows Server 2008 R2 until at least January 2027. This provides a temporary solution for those who cannot afford or do not need the Hotpatch feature.

What's Behind the New Policy?

The move to subscription-only hotpatching has been met with skepticism by some, who question why Microsoft is introducing this new fee. According to Artem Pronichkin, a senior program manager at Microsoft, hotpatching brings several benefits, including higher availability, faster deployment, and easier patch orchestration.

However, critics argue that the $1.50 per CPU core fee is exorbitant, particularly for small businesses or individuals who may not be able to afford it. This has led some to wonder if Microsoft's decision is driven by revenue needs rather than a genuine desire to improve security for its users.

What Can Users Do?

Users of Windows Server 2025 Standard or Datacenter, connected to Azure Arc, can still opt out of the Hotpatch service and choose not to pay the fee. However, this means that they will need to restart their servers for baseline updates every four years.

For users of legacy Windows operating systems without security support, there is limited options available. Microsoft has stated that it plans to continue supporting these versions until at least 2027, but users can also consider using third-party services like 0patch to provide temporary protection against zero-day threats.

Conclusion

The introduction of subscription-only hotpatching raises important questions about the future of Windows security updates. While Microsoft's decision may be driven by a desire to improve security, it also highlights concerns about revenue and accessibility. As users grapple with this new reality, they will need to weigh their options carefully and consider what is best for their business or personal needs.