Synced 16 Jun 2026 15:24 UTC

How to patch Windows Server

Microsoft · 5 steps · updated June 2026

Windows Server is patched through monthly cumulative updates. The safest, fastest route is to install the latest cumulative update for your version and confirm the new build number.

  • 0 actively exploited (KEV)
  • 302 tracked CVEs
  • 10.0.26100 latest supported

Windows Server has 302 tracked CVEs (8 critical) — keep it current.

Check your current version first

Before you patch, record what you're running (PowerShell / Run):

winver   —or—   Get-ComputerInfo | Select WindowsProductName, OsVersion, OsBuildNumber


Step by step

1. Identify your build & edition

Run winver or Get-ComputerInfo to record the exact OS build and edition. You need this to know which cumulative update applies and to confirm the patch later.

2. Snapshot / back up first

Take a VM snapshot or a verified system-state backup, and make sure you have a tested rollback. Cumulative updates are large and occasionally need reverting.

3. Pull the latest cumulative update

On a GUI install: Settings → Windows Update → Check for updates. On Server Core: run sconfig and choose option 6 (Download and Install Updates). For managed fleets use WSUS, SCCM/Configuration Manager or Intune; for a specific KB, download from the Microsoft Update Catalog.

4. Install and reboot

Install the latest cumulative update (it supersedes earlier ones) and reboot when prompted. Schedule a maintenance window — domain controllers and clustered roles need care.

5. Verify the new build

Run winver again and confirm the build number matches the patched build listed in the Windows Server update history. If it did not advance, the update did not apply.
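
The record-then-verify check from steps 1 and 5, as an added PowerShell example (not Microsoft's code and not part of the original guide). It reads the update build revision (UBR) from the registry because OsBuildNumber alone (for example 26100) stays the same across cumulative updates, while the revision that winver shows after the dot is what advances. The state-file path and the -Phase parameter are assumptions of this example, and it assumes a release that exposes the UBR registry value.

```powershell
# Added example (not Microsoft's or this guide's code): record build before/after a CU.
param(
    [ValidateSet('Before', 'After')][string]$Phase = 'Before',
    [string]$StateFile = "$env:ProgramData\patch-baseline.json"  # assumed path
)

function Get-BuildRecord {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Product  = $os.Caption
        Edition  = $cv.EditionID
        Build    = [int]$cv.CurrentBuild   # e.g. 26100, same across cumulative updates
        Revision = [int]$cv.UBR            # the part a cumulative update advances
        LatestKB = $kb.HotFixID
        Recorded = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$now = Get-BuildRecord
$nowFull = "$($now.Build).$($now.Revision)"

if ($Phase -eq 'Before') {
    # Step 1: save the baseline next to the snapshot/backup taken in step 2.
    $now | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    Write-Output "Baseline saved: $($now.Product) ($($now.Edition)) build $nowFull"
    return
}

if (-not (Test-Path -Path $StateFile)) {
    throw "No baseline at $StateFile. Run with -Phase Before prior to patching."
}
$old = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
$oldFull = "$($old.Build).$($old.Revision)"

# Step 5: compare numerically so that 26100.999 sorts below 26100.1000.
if ([version]$nowFull -gt [version]$oldFull) {
    Write-Output "Patched: $oldFull -> $nowFull (latest KB: $($now.LatestKB))"
    exit 0
}
# Build did not advance: distinguish "reboot still pending" from "update not applied".
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
if (Test-Path -Path $cbs) {
    Write-Warning "Build still $nowFull and a servicing reboot is pending. Reboot, then re-run."
} else {
    Write-Warning "Build still $nowFull. The cumulative update did not apply."
}
exit 1
```

Run it with -Phase Before ahead of the maintenance window and with -Phase After once the reboot completes; the non-zero exit code lets a deployment job flag a node whose build did not advance.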

Watch out for:
  • Cumulative updates are all-or-nothing — you cannot cherry-pick a single fix; install the whole CU.
  • Patch domain controllers and failover-cluster nodes one at a time, never all at once.


Frequently asked questions

What is the latest version of Windows Server?

As of June 2026, the latest supported Windows Server release we track is 10.0.26100. Patch to the current release on your branch and confirm the version after updating.

How do I check which version of Windows Server I am running?

Use: winver —or— Get-ComputerInfo | Select WindowsProductName, OsVersion, OsBuildNumber (PowerShell / Run). Record the result before and after patching to confirm the update applied.

Is Windows Server being actively exploited right now?

None of the Windows Server vulnerabilities we track are currently on the CISA KEV list, but that can change — keep it patched.

How do I patch Windows Server safely without breaking production?

Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.

Patch steps are general, well-established guidance for Windows Server — always test in a non-production environment first and follow the official Microsoft advisory for your exact version. IsItPatched is independent and not affiliated with Microsoft; this is not a substitute for vendor documentation.
