Unfortunately, the first difficulties are now appearing. Recap: with the announcement of Windows Server 2025 last year, Microsoft heralded the end of Windows Server Update Services (WSUS).
The service has been officially marked as deprecated and will not be further developed. The recommended alternatives for modern, centralized management are: Azure Update Manager (AUM) for servers and Microsoft Intune.
Technical cut: Why WSUS 2025 Drops Older Clients
The discontinuation is accompanied by a drastic technical change in the WSUS service of Windows Server 2025, which Microsoft justifies as hardening of the service. Microsoft removes components that are considered problematic for security, although they are essential for the compatibility of older clients.
Some administrators may have noticed this during the rollout of the October patches: since then, systems such as Server 2012 with ESU have been coming up empty.
The critical self-update problem in WSUS 2025
The September update for Windows Server 2025 deletes the DLLs and EXEs that older operating systems need for the self-update service.
- Affected folder: The folder %systemdrive%\Program Files\Update Services\SelfUpdate, which contains these essential binaries, is removed.
- Consequence: This means that WSUS servers running Windows Server 2025 can no longer deliver patches to older operating systems.
- Criticality: This concerns in particular Windows Server 2012 (R2) systems enrolled in the paid Extended Security Updates (ESU) program, whose patches will be released until October 2026. Without a functioning self-update service, these systems will no longer receive updates.
Workaround: Manual recovery (makeshift solution)
As a temporary fix, Microsoft recommends manually restoring the removed folder:
- Obtain source files: Copy the folder SelfUpdate from an older, still fully functional WSUS server (e.g. on Windows Server 2022, or a WSUS 2025 installation from before the September update).
- Insert into destination folder: Copy the folder to the directory %systemdrive%\Program Files\Update Services on the affected WSUS 2025 server.
- Create a virtual directory: Add this directory as a virtual directory (with the name SelfUpdate) under the WSUS website in IIS.
Attention: This is a makeshift solution, the durability of which is unclear. There is no guarantee that Microsoft will not remove the folder again in future updates. The manufacturer's clear recommendation is migration.
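One way to script the three workaround steps, as an added example that is not from Microsoft or the original article. It assumes the copied folder is staged at a path passed as -Source (hypothetical), that the WSUS IIS site has the default name 'WSUS Administration', and that the binaries carry valid Microsoft Authenticode signatures, which it checks before anything is served to clients.

```powershell
#Requires -RunAsAdministrator
# Added example: restore SelfUpdate on a WSUS 2025 server and publish it in IIS.
param(
    # Assumption: staging path holding the SelfUpdate folder copied from a healthy WSUS server.
    [Parameter(Mandatory)] [string] $Source,
    # Assumption: default WSUS site name; adjust if the site was renamed.
    [string] $SiteName = 'WSUS Administration'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$target = Join-Path $env:SystemDrive 'Program Files\Update Services\SelfUpdate'
if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
    throw "Source folder not found: $Source"
}

# Integrity gate: these files will be handed to clients, so refuse anything that is
# not validly signed by Microsoft (assumption: all shipped binaries are signed).
$bad = Get-ChildItem -Path $Source -Recurse -File -Include *.dll, *.exe, *.cab |
    Get-AuthenticodeSignature |
    Where-Object {
        $_.Status -ne 'Valid' -or
        $_.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*'
    }
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.Status): $($_.Path)" }
    throw "Refusing to publish: $(@($bad).Count) file(s) failed the signature check."
}

# Step 2: copy only when the folder is missing, so a re-run never nests a second copy.
if (-not (Test-Path -LiteralPath $target)) {
    Copy-Item -Path $Source -Destination $target -Recurse
    Write-Output "Restored $target"
}

# Step 3: publish the folder as the SelfUpdate virtual directory under the WSUS site.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name 'SelfUpdate')) {
    New-WebVirtualDirectory -Site $SiteName -Name 'SelfUpdate' -PhysicalPath $target | Out-Null
    Write-Output "Created virtual directory SelfUpdate under '$SiteName'"
}

# Report the final state for the change record.
Get-WebVirtualDirectory -Site $SiteName -Name 'SelfUpdate' |
    Select-Object path, physicalPath
```

The script is idempotent, so running it again after each monthly update shows whether the folder or the virtual directory has been removed again.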
The Road to the Cloud: Azure Update Manager and Costs
In view of these restrictions, switching to AUM is strongly recommended. Many regard the migration to a cloud service as "cloud coercion": management of local servers via AUM comes with monthly costs of about 5€ per connected server.
Migration: The main steps to Azure Arc connectivity
Azure Update Manager manages your on-premises servers using Azure Arc. The connection of a local server to Azure via Arc takes place in a few main steps:
Installing the Azure Connected Machine Agent
- Prerequisite: The server should use Windows Server 2022/2025 or a compatible older version.
- Execution of the wizard: In the Azure portal, navigate to ‘Azure Arc’ and start the Azure Arc wizard there.
- Script generation: The wizard generates an installation script (PowerShell) that contains the necessary parameters (such as Azure Region, Resource Group, and Service Principal credentials).
- Installation: Run the generated script on the local server. The script downloads the Azure Connected Machine agent and installs it.
The server appears in the Azure portal
- After the agent is installed and the connection is successful, the local server appears as a managed object in the Azure portal.
- It is now listed under Azure Arc resources with the status indicator Connected.
Enabling Azure Update Manager
- Access: In the Azure portal, open the object of the connected server.
- Functions: The available services appear as tiles, including the area ‘Updates’. Behind this is the connection to the Azure Update Manager.
- Configuration: The functions of the AUM can be set via this tile (e.g. hotpatching, Enable regular evaluation, Schedule updates).
Azure Update Manager serves as a central management point for your entire infrastructure, whether it's on-premises servers (via Arc) or Azure VMs. The new features allow automated scheduling of updates without the need for group policies.