The September 2024 announcement that Windows Server Update Services (WSUS) is deprecated didn’t just mark the end of a familiar on‑premises patching tool — it forced thousands of organizations to confront the growing gap between traditional server management and cloud‑native operations. For hybrid enterprises running both Azure VMs and on‑premises servers, the recommended path forward is now clear: Arc‑enable those machines and consolidate patch management under Azure Update Manager. This isn’t a simple rip‑and‑replace migration. It reshapes network architecture, licensing, and operational runbooks. But the payoff — a single control plane, unified compliance reporting, and the ability to lean on Azure’s identity and governance stack — is making Azure Arc the strategic replacement WSUS never was.
Why Azure Arc + Update Manager Fills the WSUS Void
WSUS served admirably for two decades, but it was never built for hybrid reality. Most organizations ended up running dual systems: WSUS or Configuration Manager on‑premises, and cloud‑native tools for Azure workloads. That split meant duplicated update approvals, inconsistent reporting, and audit nightmares. Azure Arc, first released in late 2019, bridges that divide by extending Azure’s management plane to physical servers and VMs running anywhere. When you add the Azure Update Manager service, you get a single dashboard for discovering missing updates, scheduling maintenance windows, and pushing patches across your entire server estate — regardless of where that server lives.
The formula is straightforward: install the Azure Connected Machine agent on an on‑premises server, let it register as an Arc resource, and then treat it like any other Azure VM inside Update Manager. No VPN, no inbound firewall holes, no separate WSUS hierarchy. The agent makes outbound HTTPS connections to Azure, which means it slots into existing security postures with far less friction than many alternatives.
How Arc Patching Actually Works
At a high level, the lifecycle moves in four steps. First, you Arc‑enable a server by deploying the Connected Machine agent. Second, that server appears in the Azure portal’s Arc inventory. Third, Azure Update Manager queries the agent for missing updates, either on demand or on a schedule — just like it would for a cloud VM. Finally, compliance data flows into Azure Monitor and the resource graph, where you can build dashboards, set up alerts, and feed audit tools.
Under the hood, the agent communicates outbound over TCP 443 to a handful of well‑known Azure service tags: AzureArcInfrastructure, AzureResourceManager, and AzureActiveDirectory. This design minimizes firewall changes and removes the need for a site‑to‑site VPN as long as the machine has internet access or can route through an HTTP proxy. The agent supports proxy configuration during onboarding, and for highly regulated environments, Azure Private Link Scopes can reduce the public egress surface — though some endpoints still require direct cloud connectivity.
Pricing That Demands a Spreadsheet
Cost is the first question every admin asks when contemplating a move from a free on‑premises tool. The Azure Arc control plane itself — resource tagging, RBAC, resource graph — is free. But Azure Update Manager for Arc‑enabled servers is not. Microsoft’s published rate is $5 per server per month for non‑Azure VMs, prorated daily at roughly $0.16 per day in a 31‑day month. Azure VMs using Update Manager are not charged.
Before you budget, though, check for entitlements. Three scenarios can zero out that charge: if the server is covered by Extended Security Updates (ESUs) enabled through Arc; if the subscription includes Microsoft Defender for Servers Plan 2; or if the server runs Windows Server with active Software Assurance or pay‑as‑you‑go licensing. Because these entitlements depend on your specific licensing agreement, run the numbers through the Azure Pricing Calculator and confirm with your Microsoft account team. Tagging Arc resources aggressively — by cost center, environment, or owner — will make it far easier to audit which servers are driving Update Manager spend.
Onboarding a Single Server via the Portal
For small fleets or a proof‑of‑concept, the portal‑driven installer is quick and guided. Sign in to the Azure portal, navigate to Azure Arc, select “Add a resource,” and choose “Machines.” Pick “Add a single server with installer,” download the generated executable, and run it on the target server. The wizard authenticates you to Azure, picks a subscription and resource group, and registers the machine. Within a few minutes, that server shows up under Arc‑enabled machines.
But note the delay. During testing, both the TechTarget tutorial and community practitioners observed that after a fresh update cycle, the Update Manager dashboard took roughly 30 minutes to reflect the machine’s updated compliance status. Account for that lag in your monitoring scripts. Nothing is broken — the agent is just working through its sync interval. Building a 30‑minute grace period into your compliance checks will spare you a lot of false alarms.
PowerShell for Scale and Repeatability
Forty servers? Five hundred? The portal works, but you’ll want automation. The Az.ConnectedMachine PowerShell module is the workhorse.
# One-time: install the Az.ConnectedMachine module on the admin workstation
Install-Module -Name Az.ConnectedMachine
# Sign in to Azure (interactive here; use a service principal for unattended runs)
Connect-AzAccount
# Install the agent on the target server and register it as an Arc resource in MyRG
Connect-AzConnectedMachine -ResourceGroupName "MyRG" -Name "Server01" -Location "EastUS"
That single cmdlet downloads and installs the agent, creates the Arc resource, and associates the two. Add the -Proxy parameter if your network forces traffic through an HTTP proxy. For unattended runs, use a service principal or a managed identity rather than your own credentials. Standardize your resource group and tagging conventions here — it’s far easier to enforce discipline at onboarding than to clean up a sprawl later.
On Windows, agent logs land in %ProgramData%\AzureConnectedMachineAgent\Log; on Linux, look in /var/opt/azcmagent/log/. Forward those to a central syslog or SIEM, because when an onboarding fails silently at 2 a.m., you’ll want immediate visibility.
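Scaling the single cmdlet above to a fleet, as an added example that is not the article's or Microsoft's own code: it reads servers from a CSV, signs in with a service principal, passes the proxy when one is given, and refuses to onboard a machine that lacks the mandatory tags. The CSV path and column names, tenant id, app id and proxy address are all assumptions.

```powershell
# Added example (not from the article): CSV-driven bulk onboarding with a service
# principal, optional proxy and mandatory tags. Assumed CSV columns:
# Name,ResourceGroup,Location,Environment,CostCenter,Owner. Assumes WinRM access to each
# server and an SPN that holds only "Azure Connected Machine Onboarding" on the target RG.
param(
    [string]$CsvPath  = '.\arc-servers.csv',          # assumption
    [string]$TenantId = '<tenant-id>',                # placeholder
    [string]$AppId    = '<onboarding-spn-app-id>',    # placeholder
    [uri]   $Proxy,                                   # e.g. http://proxy.corp.example:8080
    [string]$LogPath  = ".\arc-onboarding-$(Get-Date -Format 'yyyyMMdd-HHmm').log"
)
Import-Module Az.ConnectedMachine

# Least privilege: the onboarding SPN needs the onboarding role, never Contributor.
$secret = Read-Host -AsSecureString -Prompt 'Service principal secret'
$cred   = [pscredential]::new($AppId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null

Start-Transcript -Path $LogPath -Append
foreach ($row in Import-Csv -Path $CsvPath) {
    $session = $null
    # Tags are applied at onboarding; a blank mandatory tag means the server is skipped.
    $tags = @{ Environment = $row.Environment; CostCenter = $row.CostCenter; Owner = $row.Owner }
    if (@($tags.Values | Where-Object { [string]::IsNullOrWhiteSpace($_) }).Count -gt 0) {
        Write-Warning "$($row.Name): missing mandatory tag, skipped"
        continue
    }
    try {
        $session = New-PSSession -ComputerName $row.Name -ErrorAction Stop
        $params = @{
            ResourceGroupName = $row.ResourceGroup
            Location          = $row.Location
            Tag               = $tags
            PSSession         = $session     # install + register on the remote host
            ErrorAction       = 'Stop'
        }
        if ($Proxy) { $params.Proxy = $Proxy }   # agent is installed with the proxy set
        $machine = Connect-AzConnectedMachine @params
        Write-Output "$($row.Name): onboarded, status=$($machine.Status)"
    } catch {
        # Logged, not swallowed: the transcript is what you search when a run fails overnight.
        Write-Error "$($row.Name): onboarding failed: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
Stop-Transcript
```

Keep the transcript next to the agent logs in your SIEM so a failed row and the host-side error can be correlated.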
Networking and Firewall Checklist
Because all traffic is outbound HTTPS, you don’t need to open any inbound ports for routine Arc management. Your firewall rules should permit egress to the service tags mentioned earlier. Use service tags in your firewall rules rather than hard‑coding IP addresses — Azure IP ranges change periodically, and service tags take that churn out of your change control process. If you’re in a locked‑down environment, consult Microsoft’s endpoint list carefully; some ancillary services, such as the Windows Admin Center extension, may need additional endpoints.
For military‑grade segmentation, Azure Private Link Scopes let you route traffic over a private endpoint, but they don’t eliminate all public endpoints — the Connected Machine agent will still reach out to certain global Azure URLs. Plan your architecture accordingly and document the exact egress patterns before an auditor asks.
Patch Lifecycle Inside Azure Update Manager
Once a server is Arc‑enabled, it lands in the Machines view of Update Manager. Typical actions include running an on‑demand assessment, enabling automatic updates per machine, scheduling deployment rings, and setting maintenance windows with reboot controls. The portal warns you when a machine lacks update data and offers an “Enable Now” link — click that as part of your baseline setup so the server participates in recurring scans.
A key operational note: don’t conflate “Check for updates” with immediate deployment. The assessment only reports what’s missing; you still need to create a scheduled deployment or trigger an immediate install. And because the dashboard can lag, wait 30 minutes before declaring a patch failed. If you’re automating compliance checks, query the resource graph or Azure Monitor logs rather than relying on a portal screenshot.
Security, RBAC, and Identity Hygiene
Arc inherits Azure’s identity model. That’s powerful but also dangerous if you’re sloppy. Lock down who can onboard machines (the Azure Connected Machine Onboarding role), who can create update deployments, and who can read resource data. Use least‑privilege service principals for automation and enforce conditional access policies where possible.
Pair Arc with Azure Policy to enforce security baselines, restrict which extensions can be installed, and audit configuration drift. Defender for Servers Plan 2 can extend threat detection to Arc‑enabled hosts — and if you already pay for it, Update Manager may be included, which sweetens the deal considerably.
Governance and Compliance Reporting
Standardize your tagging taxonomy early. Tags like Environment=Prod, App=SAP, CostCenter=Finance will let you slice Update Manager costs, build compliance dashboards, and respond to auditors without a treasure hunt. Export Update Manager compliance data into your SIEM or a Power BI dashboard and schedule monthly reviews. Keep a rollback playbook for each patch ring, and test it in a lab that mirrors your production firewalls — because the first time you need to roll back, you’ll be under pressure.
Operational Pitfalls (and How to Sidestep Them)
Dashboard latency is the most common surprise. The 30‑minute sync delay isn’t documented in every tutorial, but it appears consistently. Adjust your monitoring thresholds and give your team a checklist item to “wait 30 minutes before opening a ticket.”
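The compliance check that this paragraph and the Patch Lifecycle section call for, as an added example that is not from the article: a Resource Graph query for Update Manager assessment results plus a function that classifies each machine with a 30-minute grace period. The patchassessmentresources table and the property names in the query are assumed to match what Resource Graph exposes (verify against your tenant); the sample rows are constructed so the function runs offline.

```powershell
# Added example (not from the article): classify Update Manager assessment rows with a
# 30-minute grace period so a not-yet-synced row is "PendingSync", not "failed".
# Assumptions: the patchassessmentresources table and property names below match what
# Resource Graph exposes; the sample rows are constructed so the function runs offline.
# Production feed: $rows = Search-AzGraph -Query $Query   (Az.ResourceGraph module)
$Query = @'
patchassessmentresources
| where type =~ "microsoft.hybridcompute/machines/patchassessmentresults"
| parse id with machineId "/patchAssessmentResults" *
| project machineId,
          lastAssessed = todatetime(properties.lastModifiedDateTime),
          missing = coalesce(toint(properties.availablePatchCountByClassification.critical), 0)
                  + coalesce(toint(properties.availablePatchCountByClassification.security), 0)
'@

function Get-PatchComplianceState {
    param(
        [Parameter(Mandatory)] [object[]]  $Rows,           # machineId, lastAssessed, missing
        [Parameter(Mandatory)] [datetime]  $DeploymentEnd,  # when the patch deployment finished
        [int] $GraceMinutes = 30,
        [datetime] $Now = (Get-Date)
    )
    foreach ($r in $Rows) {
        if ($r.lastAssessed -lt $DeploymentEnd) {
            # Row predates the deployment, so it says nothing about whether patching worked.
            # Inside the sync window that is expected; beyond it the agent is not reporting.
            $state = if (($Now - $DeploymentEnd).TotalMinutes -le $GraceMinutes) { 'PendingSync' } else { 'StaleAssessment' }
        } elseif ($r.missing -gt 0) {
            $state = 'NonCompliant'
        } else {
            $state = 'Compliant'
        }
        [pscustomobject]@{ Machine = $r.machineId; State = $state; Missing = $r.missing }
    }
}

# Constructed sample: the deployment ended 10 minutes ago.
$now  = Get-Date
$rows = @(
    [pscustomobject]@{ machineId = 'srv01'; lastAssessed = $now.AddMinutes(-5);  missing = 0 }
    [pscustomobject]@{ machineId = 'srv02'; lastAssessed = $now.AddMinutes(-40); missing = 7 }
    [pscustomobject]@{ machineId = 'srv03'; lastAssessed = $now.AddMinutes(-3);  missing = 2 }
)
Get-PatchComplianceState -Rows $rows -DeploymentEnd $now.AddMinutes(-10) -Now $now | Format-Table -AutoSize
```

srv02 still shows seven missing patches, but its row is older than a deployment that ended only ten minutes ago, so it is reported as PendingSync rather than as a failed patch; only a row newer than the deployment is allowed to drive a NonCompliant alert.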
Proxy misconfigurations are the next big pain point. A single missing allowlist entry — some organizations forget the AzureArcInfrastructure tag — can break agent registration or ongoing assessments. Test connectivity with the agent’s built‑in diagnostic commands before rolling to production.
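A pre-onboarding egress check for the allowlist problem described above, as an added example that is neither the article's code nor the agent's built-in diagnostic: it sends an HTTPS request to one host per service tag, through the proxy when one is given, and counts any HTTP status as reachable. The three URLs are a constructed starting set and the proxy address is an assumption; replace the list with Microsoft's current Arc endpoint list before relying on the result.

```powershell
# Added example (not from the article and not the agent's built-in check): HTTPS egress
# test for the endpoints behind the three service tags, through the proxy when given.
# Assumptions: the three URLs are a constructed starting set; replace them with
# Microsoft's current Arc endpoint list. The proxy address is an assumption.
param([uri]$Proxy)   # e.g. http://proxy.corp.example:8080

$Endpoints = @(
    'https://management.azure.com'        # AzureResourceManager
    'https://login.microsoftonline.com'   # AzureActiveDirectory
    'https://gbl.his.arc.azure.com'       # AzureArcInfrastructure
)

function Test-ArcEgress {
    param([string[]]$Urls, [uri]$ProxyUri)
    foreach ($u in $Urls) {
        $p = @{ Uri = $u; Method = 'Head'; TimeoutSec = 10; ErrorAction = 'Stop' }
        if ($ProxyUri) { $p.Proxy = $ProxyUri }
        $reachable = $false; $status = $null; $note = ''
        try {
            $status = [int](Invoke-WebRequest @p).StatusCode
            $reachable = $true
        } catch {
            # Any HTTP status (401/403/404 are normal for a bare HEAD on these hosts) proves
            # the TCP + TLS path is open; no response at all means a firewall, proxy or
            # certificate failure, and the exception message says which.
            $resp = $_.Exception.Response
            if ($resp) { $reachable = $true; $status = [int]$resp.StatusCode }
            else       { $note = $_.Exception.Message }
        }
        [pscustomobject]@{ Endpoint = $u; Reachable = $reachable; HttpStatus = $status; Note = $note }
    }
}

$results = Test-ArcEgress -Urls $Endpoints -ProxyUri $Proxy
$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) {
    Write-Warning 'At least one endpoint is blocked; fix the allowlist before installing the agent.'
    exit 1
}
```

Run it before the agent is installed; once the agent is on the box, its own `azcmagent check` command is the authoritative connectivity test.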
Billing misunderstandings can also sting. If you assume the Arc control plane is free and forget that Update Manager charges $5 per server per month, your first invoice will be a wake‑up call. Use tags to tie usage to cost centers and review the Azure Cost Management blade weekly during migration.
Finally, mixed‑tooling drift: if you leave WSUS running while slowly onboarding to Arc, you’ll have two sources of truth. That leads to compliance gaps and confusion. Define a cutover strategy with clear phases: pilot, housecleaning, phased migration, and eventual WSUS decommission.
A Migration Playbook That Worked
A repeatable sequence has emerged from the field:
- Inventory your current WSUS scope, approval rules, and maintenance windows.
- Pilot on a non‑critical ring. Arc‑enable five to ten servers, test update assessments, and measure that dashboard delay.
- Policy first: before expanding, implement Azure Policy and RBAC to enforce how machines are onboarded and how updates are deployed.
- Phased rollout by environment, with clear rollback points. Use deployment rings inside Update Manager to stagger patches.
- Decommission WSUS only when you’re certain the new process meets compliance needs. Run a side‑by‑side report for at least two patch cycles.
- Audit and produce a compliance artifact showing parity between old WSUS reports and new Update Manager data — your auditor will ask for it.
When Arc Isn’t the Answer
Arc’s architecture demands outbound internet. Air‑gapped networks or systems that can’t reach Azure endpoints at all — think classified environments or isolated manufacturing lines — will need a different solution. Some regulated workloads may also forbid cloud management even with Private Link, though this is increasingly rare. Very small shops that are comfortable with WSUS’s current limitations and don’t need hybrid features might choose to stay put; WSUS will continue to receive security updates and remain supported for in‑market OS versions, just without new features.
Final Checklist for a Smooth Transition
- Pilot first: confirm networking, identity, and update behavior on non‑critical servers.
- Tag at onboarding: cost and compliance tags are the scaffolding for all future reporting.
- Budget for delay: build that 30‑minute dashboard lag into runbooks and monitoring.
- Harden connectivity: allow outbound 443 to the required service tags; use Private Link Scopes where you can.
- Validate entitlements: check whether Defender for Servers Plan 2 or Software Assurance removes Update Manager charges.
- Document everything: your migration runbook, your network exceptions, your RBAC roles, and your rollback procedures.
The deprecation of WSUS isn’t a crisis — it’s an opportunity to fix a long‑standing operational schism. Azure Arc plus Azure Update Manager delivers a unified, security‑conscious patch management system for hybrid Windows Server estates. The tools are mature, the pricing is largely predictable, and the community‑validated playbooks are ready. The 30‑minute delay, the $5 monthly fee when applicable, and the need for thoughtful networking are real but manageable trade‑offs. For most hybrid enterprises, the day‑two benefits — a single pane of glass for updates, Azure RBAC, integrated compliance reporting — make the migration almost inevitable. Start with a pilot server today, and by next quarter you could retire your last WSUS box.