Windows Server Patch Management: How to Keep Windows Server Secure & Up-to-Date. Are you reviewing the best Windows Server patch management options for your organization? This article provides two alternatives.
If your organization hasn’t adopted Azure Cloud and doesn’t plan to, then consider windows Servers with Windows Server Update Service (WSUS). We have discussed the steps to install and use WSUS in the first section of this article.
However, Azure Arc provides the best patch management solution for Windows Servers for organizations already using other Azure services. There is the complete step-by-step guide in the second section.
Option 1 of 2: Windows Server Patch Management with WSUS
Step 1 of 5. Install WSUS (Windows Server Update Service)
1. Sign in to the Windows Server designated to manage Windows patches – Server Manager opens automatically. Then, on the top right of Server Manager, click Manage and select “Add Roles and Features.”
6. Then, click Next twice until the wizard displays the “Content location selection” page. Enter a location to store downloaded updates and click Next.Â
Alternatively, if you do not want to store downloaded updates locally, uncheck “Store updates in the following location (Choose a valid local or remote path):.”
Step 2 of 5. Configure WSUS Post-Installation Tasks
1. Once the Windows Server Update Manager service role installs, click Close. Next, click the amber notification and select “Launch Post-Installation tasks.”
Step 3 of 5. Initial Configuration of Windows Server Update Service
1. Click the Tools menu and select “Windows Server Update Services.” This opens the WSUS configuration wizard.Â
7. Once connected with Microsoft Windows Update Server, the Next button becomes available. Click Next.Â
8. Next, select the languages and click Next.
9. The “Choose Products” page allows you to select the Microsoft products you want to update. After selecting the products and their updates, click Next.Â
10. Then, select Windows Server Patch Management classifications. If unsure, accept the defaults and click Next to continue
11. Select your update synchronization (downloads) option, and set the download time and frequency. “Synchronize manually” is the default.Â
Finally, on the “Finish initial configuration of your server” page, to start downloading Microsoft Updates immediately, check the “Begin initial synchronization” option. Then, click Finish,Â
Once you click Finish, the Update Services console opens. Modify most of the settings you selected in the initial configuration.Â
Read the Microsoft guide to learn how to use WSUS to manage updates.Â
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
Step 4 of 5: Create a GPO for WSUS
1. Open the Group policy management console (GPMC). Open GPMC from an Active Directory DC. Alternatively, access GPMC via your Windows 10 or Windows 11 PC if you installed RSAT for GPMC.Â
Step 5 of 5: Configure Group Policy for WSUS
Configuring a group policy is the final step to preparing your Windows Server Updates Services server for patch management. Additionally, the GPO should be linked to the Active Directory container with the servers for which the WSUS server manages patches.
To proceed, follow the steps below to create a GPO.
1. After that, the GPO appears beneath the container. To edit the GPO, right-click it and select Edit.Â
5. When the policy opens, enable it. Then, navigate to the Options section and set the name of the WSUS server in the following fields:
“Set the intranet update service for detecting updates” and “Set the intranet statistics server.”Â
Set the name in the format: WSUSServerName:8530.Â
When you finish, click OK.Â
Option 2 of 2: Windows Server Patch Management with Azure Arc
The steps in this section are performed from the Azure Portal. So, before you proceed, sign in to portal.azure.com.Â
Step 1 of 3: Add the On-prem Server(s) to Azure Arc
1. On the Azure Portal, search for and open Azure Arc.Â
5. Then, complete the “Resource details” page of the “Add a server with Azure Arc” wizard.Â
If you did not have an existing resource group, create one by clicking “Create new” under “Resource group.”
7. Finally, download the PowerShell script file. Alternatively, click copy to copy the script.Â
Copying the script is necessary if you performed the steps above on a different PC and have no way to copy the file to the server you want to deploy to Azure Arc,
If you copy the script instead of downloading the file, open a text file, save the script in the text file, and save it with the .ps1 extension.Â
Step 2 of 3: Install the Azure Arc Agent Script on the On-prem Server(s)
1. Log in to the PowerShell script you want to manage with Azure Arc. Then, open Windows PowerShell as admin- search PowerShell, right-click it, and select “Run as administrator.”Â
2. When PowerShell opens, run the cd command to change the directory to the folder you saved, the Azure Arc PowerShell script you downloaded in the last subsection. While in the directory, run the command below.
.\OnboardingScript.ps1
Step 3 of 3: Configure Windows Server Patch Management on Azure Arc
1. Return to portal.azure.com and open Azure Arc, and the click Servers menu. The server you installed the agent is displayed.Â
If the server is not on the list, the “Subscription equals” filter, select all subscriptions and click Apply.Â
Click on the server you want to manage.Â
3. On the Updates page, force the server to download available updates by clicking “Check for updates” and click OK.Â
After that, perform one-time update by clicking the link. However, to ensure that the server downloads and installs update regularly, configure a schedule by clicking “Schedule updates.”
Windows Server Patch Management: How to Keep Windows Server Secure & Up-to-Date Conclusion
Effective patch management is crucial for maintaining the security and performance of your Windows Server environment. In this article, we explored 2 methods to achieve this, starting with WSUS.
Using WSUS, we outlined the steps to install and configure the Windows Server Update Service. Additionally, we discussed the steps to configure WSUS post-installation tasks and perform the initial configuration.
We also explained how to create and configure the GPO for managing Windows Servers using Windows Server Updates Services. WSUS provides a centralized approach to patch management, allowing admins to control updates across multiple servers.
Alternatively, Azure Arc offers a cloud-based solution for patch management. We explained how to add on-prem servers to Azure Arc by creating and downloading a script to install the agent.
The article also discussed how to install the Azure Arc agent on Windows Servers. Finally, we explored how to use Azure Arc to download, install and manage updates on the servers once the server is available on its console.
Both options provide valuable tools and processes for keeping your Windows Server environment secure and up-to-date. Ultimately, the choice between WSUS and Azure Arc depends on your specific needs and preferences.
Try InfraSOS for FREE
Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool
- Free 15-Days Trial
- SaaS AD Reporting & Auditing Solution
Related posts:
- How to Create and Link a GPO in Active Directory (Step by Step)
- Automate Security Tasks and Workflows in Your Azure Environment
- Using Group Policy to Enhance Active Directory Security
- Secure Azure Network with Azure Firewall & Security Groups
- Configure and Manage Windows Firewall for Your Windows Server