Migration from WSUS to Azure Update Manager to modernize patch management and automate update operations across the Azure infrastructure.

Challenge / Problem

The existing Windows Server Update Services (WSUS) environment required significant operational effort and lacked integration with modern cloud-native services. Additionally, Microsoft announced the end of support for WSUS, making a new update management strategy necessary.

  • Microsoft announced the end of WSUS server support
  • High operational overhead for maintenance, storage management, and cleanup tasks
  • Lack of integration with modern Azure monitoring, automation, and security/compliance tools
  • Veralteter Patch-Zeitplan – Systeme bleiben lange ungepatcht
  • Patchen von Offline-Systemen nicht möglich

Our Approach

CloudAstro designed a modern update management strategy based on Azure Update Manager and automation-driven infrastructure management.

  • Implementation of Azure Update Manager including customer-specific automation
  • Design of a new patch scheduling model respecting environment order and enabling faster patch cycles
  • Migration of unsupported client OS VMs to Windows Update for Business (WUfB)
  • Rollout of Infrastructure as Code (IaC) for both existing and new Azure subscriptions
  • Implementation of resource tagging to improve transparency and visibility for operations teams

Implementation

The migration was executed in a structured and automated way to ensure a stable and scalable update management environment.

  • Migration of 1,500 virtual machines from WSUS to Azure Update Manager
  • Automated pre- and post-maintenance processes for offline machines using Azure Function Apps
  • Status tracking and monitoring of patch operations
  • Centralized patch overview across the entire environment

Results

The new update management platform significantly improves operational efficiency, transparency, and security.

  • Reduced IT operational costs by eliminating WSUS infrastructure
  • Simplified update operations with better visibility for operations teams
  • Faster patch cycles: 9 days faster overall, with 95% of the environment patched within the first week
  • Systems are patched according to the defined environment order (Dev → Prod)