
Windows Server Patch Management: How to Keep Windows Server Secure & Up-to-Date

Are you reviewing the best Windows Server patch management options for your organization? This article provides two alternatives.

If your organization hasn’t adopted Azure Cloud and doesn’t plan to, then consider Windows Server Update Services (WSUS). We discuss the steps to install and use WSUS in the first section of this article.

However, for organizations already using other Azure services, Azure Arc provides the best patch management solution for Windows Servers. The second section provides a complete step-by-step guide.

Option 1 of 2: Windows Server Patch Management with WSUS

Step 1 of 5. Install WSUS (Windows Server Update Service)

1. Sign in to the Windows Server designated to manage Windows patches – Server Manager opens automatically. Then, on the top right of Server Manager, click Manage and select “Add Roles and Features.”

2. On the first page, click Next. After that, select “Role-based or feature-based installation” and click Next. 

3. Next, on the destination server page, click Next.

4. On the “Select server roles” page, check the “Windows Server Update Services” checkbox.

5. Then, click Next.

6. Then, click Next twice until the wizard displays the “Content location selection” page. Enter a location to store downloaded updates and click Next. 

Alternatively, if you do not want to store downloaded updates locally, uncheck “Store updates in the following location (Choose a valid local or remote path):.”

7. After that, click Next 3 times. Finally, confirm your installation selections and click Install to complete the process. 

Once the installation completes, proceed to step 2 below.

Step 2 of 5. Configure WSUS Post-Installation Tasks

1. Once the Windows Server Update Services role installs, click Close. Next, click the amber notification and select “Launch Post-Installation tasks.”

2. After clicking the amber notification, wait for it to turn grey. Then, click on the notification badge again. 

Server Manager displays a message confirming that the post-installation configuration has completed. Proceed to step 3 to continue.

Step 3 of 5. Initial Configuration of Windows Server Update Service

1. Click the Tools menu and select “Windows Server Update Services.” This opens the WSUS configuration wizard. 

2. On the first page of the wizard, read the “Before you begin”. Then, click Next. 

3. On the “Join the Microsoft Update Improvement Program” page, leave the checkbox selected and click Next if you want to join the program. Otherwise, uncheck it before clicking Next.

4. When the wizard loads the “Choose Upstream Server” page, select the first option and click Next. Selecting this option makes Microsoft Update your WSUS server’s Upstream server. 

5. Then, on the “Specify Proxy Server” page, if your WSUS server connects to the internet using a proxy server, specify it and click Next. Otherwise, accept the default and click Next. 

6. When the “Connect to Upstream Server” page opens, click “Start Connecting.” Then, wait for your WSUS server to connect to the Windows Update server.

7. Once connected with Microsoft Windows Update Server, the Next button becomes available. Click Next. 

8. Next, select the languages and click Next.

9. The “Choose Products” page allows you to select the Microsoft products you want to update. After selecting the products and their updates, click Next. 

10. Then, select the Windows Server patch management classifications. If unsure, accept the defaults and click Next to continue.

11. Select your update synchronization (downloads) option, and set the download time and frequency. “Synchronize manually” is the default. 

Finally, on the “Finish initial configuration of your server” page, check the “Begin initial synchronization” option if you want to start downloading Microsoft Updates immediately. Then, click Finish.

Once you click Finish, the Update Services console opens. From this console, you can modify most of the settings you selected during the initial configuration.

Read the Microsoft guide to learn how to use WSUS to manage updates. 
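The three setup steps above can also be scripted. The following is an added example, not code from the article or from InfraSOS, that performs Steps 1 to 3 from an elevated PowerShell session on the designated WSUS server. The content path D:\WSUS, the product filter, the language and the synchronization time are assumed values to adjust. One step the wizard hides has to be made explicit here: the product and classification lists are only populated after a first category-only synchronization with the upstream server, so the script waits for that before selecting products.

```powershell
# Added example (not from the article): unattended equivalent of Steps 1-3.
# Run in an elevated PowerShell session on the designated WSUS server.
# Assumptions: D:\WSUS exists as the content folder and the wizard's default
# WID database is used; change $ContentDir and the filters for your environment.

$ContentDir = 'D:\WSUS'

# Step 1: install the WSUS role (WID database, WSUS services, management tools)
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools

# Step 2: "Launch Post-Installation tasks" runs wsusutil.exe postinstall
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $WsusUtil postinstall "CONTENT_DIR=$ContentDir"

# Step 3: initial configuration through the UpdateServices module
Import-Module UpdateServices
$Wsus = Get-WsusServer            # local server, default port 8530

# Upstream server = Microsoft Update (the wizard's first option)
Set-WsusServerSynchronization -UpdateServer $Wsus -SyncFromMU

# Optional proxy (uncomment and adjust if the server reaches the internet via a proxy)
$Config = $Wsus.GetConfiguration()
# $Config.UseProxy = $true; $Config.ProxyName = 'proxy.corp.example'; $Config.ProxyServerPort = 8080

# Languages: English only (assumed); leave AllUpdateLanguagesEnabled off to save disk space
$Config.AllUpdateLanguagesEnabled = $false
$Config.SetEnabledUpdateLanguages([string[]]@('en'))
$Config.Save()

# The wizard's "Connect to Upstream Server" page is a category-only sync;
# products and classifications cannot be chosen until it has completed.
$Sub = $Wsus.GetSubscription()
$Sub.StartSynchronizationForCategoryOnly()
Start-Sleep -Seconds 15
while ($Sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 15 }

# Products: enable only Windows Server products, disable everything else (assumed filter)
Get-WsusProduct -UpdateServer $Wsus | Where-Object { $_.Product.Title -like 'Windows Server*' } | Set-WsusProduct
Get-WsusProduct -UpdateServer $Wsus | Where-Object { $_.Product.Title -notlike 'Windows Server*' } | Set-WsusProduct -Disable

# Classifications: the ones that matter for patch compliance (assumed list)
$Wanted = 'Critical Updates', 'Security Updates', 'Update Rollups'
Get-WsusClassification -UpdateServer $Wsus | Where-Object { $_.Classification.Title -in $Wanted } | Set-WsusClassification
Get-WsusClassification -UpdateServer $Wsus | Where-Object { $_.Classification.Title -notin $Wanted } | Set-WsusClassification -Disable

# Synchronization schedule: automatic, once a day at 02:00 server local time
$Sub.SynchronizeAutomatically         = $true
$Sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$Sub.NumberOfSynchronizationsPerDay    = 1
$Sub.Save()

# Equivalent of the "Begin initial synchronization" checkbox
$Sub.StartSynchronization()
```

Synchronizing only downloads metadata and content; nothing is approved for installation by this script, so servers will not receive anything from WSUS until updates are approved (manually in the console, with Approve-WsusUpdate, or through an auto-approval rule). Restricting products and classifications this way keeps the content store small and, more importantly, keeps unwanted update types from ever being approvable by mistake.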


Step 4 of 5: Create a GPO for WSUS

1. Open the Group policy management console (GPMC). Open GPMC from an Active Directory DC. Alternatively, access GPMC via your Windows 10 or Windows 11 PC if you installed RSAT for GPMC. 

2. Once GPMC opens, expand the Group Policy Objects container. Then, drag the “Default Domain Policy” GPO onto the Group Policy Objects container node, and click OK to create a copy of the GPO.

3. After a copy of the GPO is created, click OK. Then, rename the “Copy of Default Domain Policy” to a name that explains what it does. 

I call mine “Windows Server GPO.”

4. Next, link the new GPO to your servers container by dragging it onto the container. In this example, I am dragging the “Windows Servers GPO” to the “Windows Servers” OU.

This OU contains the servers I want to manage using WSUS. 

Step 5 of 5: Configure Group Policy for WSUS

Configuring a group policy is the final step to preparing your Windows Server Updates Services server for patch management. Additionally, the GPO should be linked to the Active Directory container with the servers for which the WSUS server manages patches.

To proceed, follow the steps below to configure the GPO.

1. Once linked, the GPO appears beneath the container. To edit the GPO, right-click it and select Edit.

2. Once the GPO opens, navigate to this path:

Computer Configuration > Policies > Administrative Templates > Windows components > Windows Update

Then, locate the “Configure Automatic Updates” policy and double-click it. 

3. Finally, when the policy opens, enable it (1), select your configuration options (2), and click OK (3). 

4. After enabling the policy, double-click the next policy you need to configure – “Specify intranet Microsoft update service location”. 

5. When the policy opens, enable it. Then, navigate to the Options section and set the name of the WSUS server in the following fields:

“Set the intranet update service for detecting updates” and “Set the intranet statistics server.” 

Set the name in the format: WSUSServerName:8530. 

When you finish, click OK. 

There is one more policy to configure – “Specify deadlines for automatic updates and restart.”

6. To begin, double-click this policy, enable it, then configure the options and click OK. 

When you finish, 3 policies highlighted in the screenshot below are enabled. 
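Steps 4 and 5 can be scripted with the GroupPolicy module from a domain controller or an RSAT workstation. The following is an added example and not part of the article: the GPO name, the OU distinguished name and the WSUS server URL are assumptions to replace. It creates a new, empty GPO instead of copying the Default Domain Policy, since the three Windows Update policies are all it needs to carry; the intranet service location is written as a full URL (http://host:8530), which is the form the policy stores. The Test-WsusClientPolicy function at the end is meant to be run on a managed server after gpupdate /force to confirm that the policy actually landed there.

```powershell
# Added example (not from the article): Steps 4-5 with the GroupPolicy module,
# plus a client-side check. Run the GPO part as a domain admin on a DC or an
# RSAT machine. Assumptions (adjust to your environment): GPO "Windows Server GPO",
# target OU "OU=Windows Servers,DC=corp,DC=example", WSUS server wsus01 on port 8530.
Import-Module GroupPolicy

$GpoName  = 'Windows Server GPO'
$TargetOu = 'OU=Windows Servers,DC=corp,DC=example'
$WsusUrl  = 'http://wsus01.corp.example:8530'   # the policy expects a URL, not a bare host name

$WuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Step 4: create the GPO (idempotent) and link it to the servers OU
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName -Comment 'WSUS settings for member servers' }
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# Step 5, policy 1: "Configure Automatic Updates" = Enabled, option 4
# (auto download and schedule the install), every day (0) at 03:00 (3)
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3

# Step 5, policy 2: "Specify intranet Microsoft update service location"
# (detection server and statistics server both point at the WSUS URL)
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl

# Step 5, policy 3: "Specify deadlines for automatic updates and restarts"
# 7-day deadline for quality updates, 2-day grace period, automatic restart allowed
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'SetComplianceDeadline'              -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'ConfigureDeadlineForQualityUpdates' -Type DWord -Value 7
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'ConfigureDeadlineGracePeriod'       -Type DWord -Value 2
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'ConfigureDeadlineNoAutoReboot'      -Type DWord -Value 0

# Client-side check: run on a managed server after "gpupdate /force".
# Returns $true only when the applied policy points at the expected WSUS URL,
# the client is told to use it, and automatic updates are not switched off.
# Any other result means the server is either still patching from the internet
# or not patching at all, and the GPO link or scope should be investigated.
function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ExpectedUrl)
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [bool]($wu -and $au -and
           $au.UseWUServer -eq 1 -and
           $wu.WUServer -eq $ExpectedUrl -and
           $au.NoAutoUpdate -eq 0)
}

# On a managed server:  Test-WsusClientPolicy -ExpectedUrl 'http://wsus01.corp.example:8530'
```

Because WUServer is a plain http:// URL by default, any server that can reach port 8530 on the WSUS host is trusted to serve update metadata; placing WSUS on a restricted network segment, or enabling HTTPS on port 8531 and changing the URL accordingly, is the usual hardening step once the basic flow works.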

Option 2 of 2: Windows Server Patch Management with Azure Arc

The steps in this section are performed from the Azure Portal. So, before you proceed, sign in to portal.azure.com.

Step 1 of 3: Add the On-prem Server(s) to Azure Arc

1. On the Azure Portal, search for and open Azure Arc. 

2. Then, on the Azure Arc page, click Servers on the menu. After that, click “+ Add.”

3. Next, on the Add servers with Azure Arc page, click “Generate script” under the “Add a single server” option. If adding more than one server, use the “Add multiple servers” option.

4. On the next page of the “Add a server with Azure Arc” wizard, read the requirements and click Next. 

5. Then, complete the “Resource details” page of the “Add a server with Azure Arc” wizard. 

If you do not have an existing resource group, create one by clicking “Create new” under “Resource group.”

6. Use the physical locations tag to tag your server. This is optional but recommended, especially if you manage multiple servers from different data centers and locations. 

7. Finally, download the PowerShell script file. Alternatively, click Copy to copy the script.

Copying the script is necessary if you performed the steps above on a different PC and have no way to copy the file to the server you want to deploy to Azure Arc.

If you copy the script instead of downloading the file, open a text file, save the script in the text file, and save it with the .ps1 extension. 

Step 2 of 3: Install the Azure Arc Agent Script on the On-prem Server(s)

1. Log in to the Windows Server you want to manage with Azure Arc. Then, open Windows PowerShell as administrator: search for PowerShell, right-click it, and select “Run as administrator.”

2. When PowerShell opens, run the cd command to change to the folder where you saved the Azure Arc PowerShell script you downloaded in the last subsection. While in that directory, run the command below.

After a while, an Azure login page opens in your default browser.

3. Log in with your Azure credentials. Then, return to the PowerShell console.

After a while, PowerShell completes the agent installation and returns a confirmation – see the second screenshot below. 
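Once the script finishes, it is worth confirming that the agent is installed, running and connected before relying on the portal view. The following is an added example and not the onboarding script the article refers to; it assumes the agent's default install path under Program Files and that the output of azcmagent show labels the connection state as “Agent Status : Connected”.

```powershell
# Added example (not from the article): verify the Azure Connected Machine
# agent after the onboarding script has run. Run as administrator on the
# on-prem server. Assumption: default install path under Program Files.
$AzcmAgent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'

function Get-ArcAgentState {
    # himds is the Hybrid Instance Metadata Service the Arc agent runs as
    $svc = Get-Service -Name himds -ErrorAction SilentlyContinue
    if (-not $svc -or -not (Test-Path $AzcmAgent)) {
        return [pscustomobject]@{ Installed = $false; Running = $false; Connected = $false; Detail = '' }
    }

    # "azcmagent show" prints the agent's view of its Azure resource; the
    # "Agent Status : Connected" line (assumed label) means the machine has a
    # resource in Azure Arc and can currently reach the service.
    $show = & $AzcmAgent show 2>&1
    $connected = $show | Select-String -Pattern '^\s*Agent Status\s*:\s*Connected' -Quiet

    [pscustomobject]@{
        Installed = $true
        Running   = ($svc.Status -eq 'Running')
        Connected = [bool]$connected
        Detail    = ($show -join "`n")
    }
}

$state = Get-ArcAgentState
$state | Format-List Installed, Running, Connected

# Installed but not connected usually means an outbound proxy or firewall
# problem; "azcmagent check" tests the endpoints the agent needs to reach.
if ($state.Installed -and -not $state.Connected) {
    & $AzcmAgent check
}
```

Because the agent holds the machine's identity in Azure, an Installed/Running/Connected result is also the signal that the server can now be targeted by Azure policies and extensions; a server that reports Connected in the portal but whose himds service is stopped locally will quietly fall out of the patch schedule, which is why the local check is worth keeping alongside the portal view.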

Step 3 of 3: Configure Windows Server Patch Management on Azure Arc

1. Return to portal.azure.com, open Azure Arc, and then click the Servers menu. The server on which you installed the agent is displayed.

If the server is not on the list, open the “Subscription equals” filter, select all subscriptions, and click Apply.

Click on the server you want to manage. 

2. Once the server page opens, the overview page displays essential information about the server. To manage updates, click Updates. 

3. On the Updates page, force the server to download available updates by clicking “Check for updates” and click OK. 

After that, perform a one-time update by clicking the link. However, to ensure that the server downloads and installs updates regularly, configure a schedule by clicking “Schedule updates.”

Azure Arc server patch management has various options. Explore the console to see them. Alternatively, read more about Azure Arc Windows Server patch management capabilities.

Windows Server Patch Management: How to Keep Windows Server Secure & Up-to-Date Conclusion

Effective patch management is crucial for maintaining the security and performance of your Windows Server environment. In this article, we explored 2 methods to achieve this, starting with WSUS.

Using WSUS, we outlined the steps to install and configure the Windows Server Update Service. Additionally, we discussed the steps to configure WSUS post-installation tasks and perform the initial configuration.

We also explained how to create and configure the GPO for managing Windows Servers using Windows Server Updates Services. WSUS provides a centralized approach to patch management, allowing admins to control updates across multiple servers.

Alternatively, Azure Arc offers a cloud-based solution for patch management. We explained how to add on-prem servers to Azure Arc by creating and downloading a script to install the agent.

The article also discussed how to install the Azure Arc agent on Windows Servers. Finally, we explored how to use Azure Arc to download, install and manage updates on the servers once the server is available on its console.

Both options provide valuable tools and processes for keeping your Windows Server environment secure and up-to-date. Ultimately, the choice between WSUS and Azure Arc depends on your specific needs and preferences.



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
