In September 2024 Microsoft marked Windows Server Update Services (WSUS) as deprecated. WSUS still works and ships with Windows Server 2025, but Microsoft is no longer adding new features and recommends moving to cloud-based options. If your company relies on WSUS for patching many Windows servers, it is worth planning a target solution now: what next? In this article I show alternatives to WSUS, how to build an effective patch management policy and how to automate patch deployment. The guide applies to companies with infrastructure from a dozen to several hundred servers.
Why server patch management is critical
Windows servers run your IT infrastructure: Active Directory, Exchange, SQL Server, business applications. One unpatched security window can mean a breach, ransomware or data loss. Patching delays on servers are a common problem - many organizations do not deploy patches in the recommended time frame.
Worth knowing:
- A significant share of breaches involves known vulnerabilities - industry analyses (including reports citing Verizon DBIR and others) indicate that around 60% of breaches involve flaws for which patches were already available.
- Security patches require fast action - the window between vulnerability disclosure and exploitation can be very short, so critical patches should be deployed within a few to a dozen days.
- Auditors (SOC 2, ISO 27001, NIS2) require reports - you have to prove that all servers are patched.
- Lack of proper vulnerability management can have legal consequences - under NIS2 fines for essential entities can reach up to 10 million EUR or 2% of global turnover.
Without automation, patch management = chaos. With automation (Endpoint Central) = peace of mind.
WSUS deprecated - what to use instead
WSUS (Windows Server Update Services) lets you pull patches once from Microsoft Update and then distribute them across the company network. Microsoft has deprecated WSUS: the tool still works and will be supported for years to come, but it is not getting new features. For companies planning long-term, that is a signal to pick a target patch management solution.
Three alternatives:
1. Microsoft Update for Business
- Free (built into Windows Server)
- Direct communication with Microsoft Update
- No testing buffer - patches go out immediately
- Limited IT control (cannot defer Quality patches)
- For companies with fewer than 50 servers or no compliance requirements
2. Intune (Azure Mobile Device Management)
- Cloud-native, full integration with Microsoft 365
- Ability to defer patches per device, per group
- Compliance reporting to Microsoft Entra ID (formerly Azure AD)
- Cost depends on the Microsoft license plan - Intune is available standalone or in Microsoft 365 bundles
- Best choice for companies already on Microsoft 365
3. Endpoint Central (ManageEngine)
- On-premises or cloud, full control over patches
- Testing buffer: pre-production then production
- Advanced schedules (for example, deploy every second Tuesday)
- Compliance reporting for SOC 2, ISO, NIS2
- Licensing cost depends on number of devices and edition - quoted individually
- Best for companies that value security and full control over patches
Patching policies - pre-production vs production
Every patch carries risk: it can break an application, change an API, or even contain a bug itself. So you have to work in two phases: testing, then deployment.
Phase 1: Pre-Production (testing)
A set of test servers identical to production: Windows Server 2019/2022, SQL Server, business applications.
- Schedule: Second Tuesday of each month (Microsoft Patch Tuesday) - patches go to pre-prod
- Testing: 2-3 weeks - verify that applications work
- Documentation: "Patch KB5035607 - ok, no issues" vs "Patch KB5035608 - blocks communication with SQL Server XYZ - deferring"
- Security patches: testing 1 week max (they are critical)
- Quality patches: can wait 30-60 days (less risk, less urgency)
Phase 2: Production (deployment)
After approval in pre-prod, deploy to production.
- Schedule: Third Tuesday of the month or a defined window (for example, second Tuesday nights 02:00-06:00)
- Server groups: Deploy in waves - less critical first, critical last:
- Wave A: development and test servers (lowest risk)
- Wave B: application servers (medium risk)
- Wave C: Domain Controllers, SQL Server, critical (highest risk - deploy in the last wave)
- Timeout: If a patch causes a reboot longer than 10 minutes, wait, verify, and announce the change to users first
- Rollback plan: Always have a backup before patching - if something breaks, you have a way to restore
Sample annual schedule
| Month | Patch Tuesday (Microsoft) | Pre-Prod Deploy | Production Deploy | Patch type |
|---|---|---|---|---|
| May 2026 | 12.05 | 12.05 | 26.05 (2:00-6:00 AM) | Security + Quality |
| June 2026 | 09.06 | 09.06 | 23.06 (2:00-6:00 AM) | Security + Quality |
| July 2026 | 14.07 | 14.07 | 28.07 (2:00-6:00 AM) | Security (high priority) |
Automation in Endpoint Central - schedules and rules
Manual process? You forget a server, deploy gets delayed, the server stays unpatched. ManageEngine Endpoint Central automates: deploy on a specified day/time to selected servers, with no IT involvement.
Endpoint Central configuration (step by step)
- Admin -> Patch Management -> Deployment
- New Patch Deployment
- Name: "May 2026 Security Patches - PreProd"
- Patch Type: Windows OS, Security Updates (select Security only)
- Devices: Select pre-prod servers (device group)
- Schedule: "May 12, 2026, 08:00 AM" (right after Patch Tuesday)
- Reboot: "Scheduled Reboot on May 13, 2026, 02:00 AM" (planned overnight restart)
- Actions on failure: "Pause deployment, notify admin" - if a patch fails to install, the system stops the deployment to other servers
- Deploy - the system automatically applies patches at the specified day/time
- Monitoring: Dashboard shows status: "Pending" then "In Progress" then "Success/Failed"
Automatic rules (Business Rules)
You can set rules that automatically deploy Security patches without waiting for approval:
-
Rule 1: Auto-deploy Security patches on test servers
Condition: If Patch Type = Security Update, automatically deploy to pre-prod servers within 24 hours of release. Test servers carry low risk, so you can move faster.
-
Rule 2: Alert for critical patches with CVSS > 9
Condition: If CVSS Score > 9 (critical CVE), send an alert to Service Manager + security team. These patches require acceleration and can be deployed within 7 days.
-
Rule 3: Exclude unknown patches from auto-deploy
Condition: If Patch = Quality Update AND testing time > 14 days, wait for manual approval. Quality patches are less urgent and can wait.
Compliance reporting - what auditors want to see
If you have compliance requirements (SOC 2, ISO 27001, NIS2), you have to report that servers are patched. The auditor wants to see a report: "all servers have the latest patches, exceptions are XYZ scheduled for YY-MM-DD". How to manage CVE vulnerabilities and respond to ManageEngine security gaps is covered in our separate article on ManageEngine CVE and security.
What a patch compliance report contains
- Patch Inventory: List of all servers, number of installed patches, number of pending patches
- Compliance % per Server: For example, server PROD-SQL-01 has 145 installed patches, 2 pending (Quality) = 98.6% compliant
- Overdue Patches: If a server has a Security patch older than 14 days, flag as "Non-Compliant" with reason
- Patch Timeline: Rollout schedule - when further patches are planned
- Executive Summary: "99.2% of servers fully patched, 0 servers non-compliant, 3 Quality patches scheduled for 26.05"
Report configuration in Endpoint Central
- Admin -> Reports -> Patch Compliance Report
- Filter: Device Group = All Production Servers
- Period: Last 30 days
- Export PDF - send to auditor / Security Team monthly
FAQ - Patch Management Windows Server
What is the status of WSUS (Windows Server Update Services)?
In September 2024 Microsoft announced WSUS deprecation. WSUS still works and is part of Windows Server 2025 - Microsoft will keep supporting it for years, but stopped adding new features. Companies relying on WSUS should plan a migration to Microsoft Update for Business, Microsoft Intune, Windows Autopatch, or alternatives such as ManageEngine Endpoint Central. Separately, since 18 April 2025 Microsoft has ended driver synchronization in WSUS.
Can I connect servers directly to Microsoft Update Service?
Technically yes: servers can connect to update.microsoft.com directly. But that means no IT control: every server gets patches as soon as they appear, with no testing. Better: Microsoft Update for Business (built into Windows Server, free) or Endpoint Central (paid, but with more control).
What is the difference between Security patches and Quality patches?
Security patches fix security vulnerabilities and need to be deployed quickly (within 2-4 weeks). Quality patches fix bugs and improve stability and can wait (months). In a patch management policy: Security = high priority, Quality = normal priority.
Can patches cause issues with applications?
Yes, every patch carries risk: a patch may change a Windows API and conflict with a legacy application. That is why pre-production exists: you deploy patches first on test servers (identical environment), test the applications, then move to production.
How often should Windows Server be patched?
Microsoft releases patches on the second Tuesday of every month (Patch Tuesday). Recommendation: test in pre-prod for 2 weeks, then deploy to prod by month end. Security patches faster (7-10 days). Quality patches can wait 30-60 days.
Related articles
ManageEngine Endpoint Central - patch management step by step ManageEngine vs NinjaOne for MSPs 2026 - comparison for Managed Service Providers AI in ITSM 2026 - how artificial intelligence is changing IT helpdesk ManageEngine CVE and security - what you should know as an administrator ManageEngine ServiceDesk Plus - configuration from scratchNeed help migrating from WSUS to Endpoint Central?
Rotech Group runs a full audit of your infrastructure, proposes a patching policy (pre-prod, prod), implements Endpoint Central and configures schedules. Within 2-4 weeks: from chaos to automation.
Book an infrastructure audit →