How to patch a server

How to Patch a Server

To patch a server for a Windows system is a task that a skilled technician should be able to do without too much difficulty. Instead, the biggest challenge is often the logistics of carrying out tasks in the best order to balance security risks (like ransomeware) and disruption to the system. These are some key points to bear in mind when patching a server.


For most corporate set-ups, the easiest solution is to use Microsoft’s own Windows Server Update Services (WSUS) application. This is specifically designed to manage both updates and hotfixes (which patch a problem immediately without needing a reboot.) WSUS includes tools for downloading updates from Microsoft and applying them across a network. The tools still allow IT staff to control the distribution and decide which machines get which patches and when.

Microsoft has a couple of other network update tools, though these are arguably optimized for managing machines running Windows 10. One called Intune is specifically designed for businesses that subscribe to Microsoft 365. It’s particularly useful for businesses where a lot of staff work on mobile devices.

The most basic Microsoft option is Windows Update for Business. This is a souped-up version of the consumer version of the Windows Update tool that lets IT administrators set rules for which patches get installed and when. It can work well for small businesses with simple networks but doesn’t give much detail so any glitches or failed patching may get missed.


While manually patching a server may be appropriate for a critical vulnerability (one with both a high chance of being exploited and a risk of serious damage from attack), most businesses find it easier to schedule patches. The trick is to find a schedule that’s frequent enough to get important patches in place without delay, but infrequent enough to minimize disruption and downtime. This may involve negotiating with managers. The best solution also depends on the nature of the business and whether it has natural times when systems being offline will cause fewer disruptions.


The best set-up is to have a mirror server environment set up in the same way as your real server. You can use this as a “sandbox” to apply patches and test them for any compatibility problems before you go on to patch the real server. The key here is to make sure the mirror server is adjusted and updated as necessary to be identical (or as close as possible) to the real thing.

Other Logistics

While tools like Windows Server Update Services can take care of the logistics, it’s worth understanding some key principles to an efficient update. Where possible, downloading multiple patches before installing them in a batch will minimize the overall disruption to the server and systems.

Assess the patches in order of priority, taking into account the likelihood of exploits and the potential damage. Installing the patches in this order increases efficiency if you have to balance mitigating vulnerabilities with minimizing disruption. It also makes sure you get the maximum benefit from patching even if you have to cut short a maintenance window or if patching takes longer than anticipated and you can’t do everything you planned.


For more advanced IT Topics, please contact CPI Solutions.

Post a Comment