
Redacting Message Fields for Privacy Purposes

Many organizations today have strict data privacy regulations that they must comply with. These privacy regulations can often clash with the requirements of security, application and operations teams who need detailed log information. This how-to guide walks you through redacting message fields for privacy purposes.

At Graylog, many of the organizations who use our tool are logging sensitive data that may contain personally identifiable information, health related data or financial data. Often, to ensure compliance with data privacy laws, this information must be redacted or hidden from many of the end users of the tool.

I’m going to walk through a simple way we can use processing pipelines to scrub personally identifiable information from a log message so that it is only visible to an elevated Graylog user account.

Caution: To achieve this functionality we need to replicate the message. This will increase the amount of data written to OpenSearch which may impact licensing or storage requirements.

Configuration

In my lab environment I have Auditbeat running on my host machine. Log messages are sent to a Graylog Illuminate stream called “Illuminate:Linux Auditbeat Messages”.

Message Stream

In these messages I can see my username. First in the user_name field and again in the message field.


Pipeline Rule

For privacy purposes I am going to redact these usernames and route the messages into a separate stream, “Auditbeat Redacted”. I’ll retain the unredacted message in the “Illuminate:Linux Auditbeat Messages” stream. We’ll then restrict the access rights to these different streams.

To achieve this we need to write a pipeline rule that will create a copy of the message, edit the contents, route it into the new stream and remove the copy from the original stream.

This is what the complete pipeline rule looks like; I’ll walk through it line by line:

rule "redact_usernames"
when
    // check whether the message has the username field and hasn't already been redacted
    has_field("user_name")
    AND NOT contains(to_string($message.user_name), "REDACTED")
then
    // clone the message
    let cloned_mess = clone_message();

    // grab the username and replace it in the message component
    let x = to_string($message.user_name);
    let new_field = replace(to_string(cloned_mess.message), x, "REDACTED");
    set_field(field: "message", value: new_field, message: cloned_mess);

    // replace the username field with REDACTED
    set_field(field: "user_name", value: "REDACTED", message: cloned_mess);

    // route into Auditbeat Redacted stream
    route_to_stream(id: "637e24115833463dd73bf617", message: cloned_mess, remove_from_default: true);

    // remove from original stream
    remove_from_stream(id: "638f5d7cacb74d540a215aa9", message: cloned_mess);
end

Identify The Message

The first step in the rule is to identify the messages we want to modify. This is achieved by finding messages with the relevant username field and also performing a check to ensure the message hasn’t already been modified. This check is important and I’ll explain why in the next part:

when
    // check whether the message has the username field and hasn't already been redacted
    has_field("user_name")
    AND NOT contains(to_string($message.user_name), "REDACTED")

Clone The Message

After we have identified the message we want to process, we then clone the message.

IMPORTANT: When a message is cloned, an exact copy of the message is created; however, it is given a new message ID. From the view of the processing pipeline, this message has not been processed, so it will flow through the pipeline as a newly seen message. If the check in the previous block was not performed, we would end up in an infinite loop of cloning the same message:

// clone the message
let cloned_mess = clone_message();


As the message field in the log contains the username, we are going to first redact it there, before removing it from the user_name field itself. I am using the original $message field to find the username, but then replacing the message field in the cloned message, cloned_mess:

// grab the username and replace it in the message component
let x = to_string($message.user_name);
let new_field = replace(to_string(cloned_mess.message), x, "REDACTED");
set_field(field: "message", value: new_field, message: cloned_mess);

We then replace the username field with “REDACTED”:

// replace the username field with REDACTED
set_field(field: "user_name", value: "REDACTED", message: cloned_mess);

Stream Routing

Before routing and removing from the relevant streams:

// route into Auditbeat Redacted stream
route_to_stream(id: "637e24115833463dd73bf617", message: cloned_mess, remove_from_default: true);

// remove from original stream
remove_from_stream(id: "638f5d7cacb74d540a215aa9", message: cloned_mess);

end
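To make the clone-loop behaviour concrete, here is an added Python model of the rule above. It is not Graylog code and does not run inside Graylog; it assumes a message is a dictionary of fields plus a set of stream ids, that clone_message() gives the copy a new id so the pipeline sees it as a new message, and it uses placeholder stream ids rather than the ids from the rule. Running it with the "REDACTED" check switched off reproduces the endless cloning the IMPORTANT note warns about (bounded here so the script stops):

```python
# Added example (not Graylog's code): a small model of how the "redact_usernames" rule
# behaves in a pipeline, including the clone loop that the "REDACTED" check prevents.
# Stream ids are placeholders, not the ids from the rule on this page.
import uuid
from dataclasses import dataclass, field

ORIGINAL_STREAM = "stream-id-illuminate-linux-auditbeat"  # placeholder
REDACTED_STREAM = "stream-id-auditbeat-redacted"          # placeholder
DEFAULT_STREAM = "stream-id-default"                      # placeholder


@dataclass
class Message:
    """A message with its fields and the set of streams it is routed to."""
    fields: dict
    streams: set
    # clone_message() hands the copy a new id, so the pipeline treats it as unseen
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


def sample_message():
    """Constructed Auditbeat-style message; the username appears twice, as in the article."""
    return Message(
        fields={"user_name": "alice",
                "message": "user alice ran /usr/bin/sudo on host lab-01"},
        streams={ORIGINAL_STREAM},
    )


def redact_usernames(msg, queue, guard=True):
    """One evaluation of the rule against msg.
    The clone is appended to queue because, having a new id, it flows back
    through the pipeline as a new message."""
    # when: has_field("user_name") AND NOT contains(user_name, "REDACTED")
    if "user_name" not in msg.fields:
        return
    if guard and "REDACTED" in str(msg.fields["user_name"]):
        return
    # then: clone_message()
    clone = Message(fields=dict(msg.fields), streams=set(msg.streams))
    # replace(cloned_mess.message, x, "REDACTED") is a plain substring replacement
    username = str(msg.fields["user_name"])
    clone.fields["message"] = str(clone.fields.get("message", "")).replace(username, "REDACTED")
    # set_field("user_name", "REDACTED") on the clone only; the original keeps its value
    clone.fields["user_name"] = "REDACTED"
    # route_to_stream(..., remove_from_default: true), then remove_from_stream(original)
    clone.streams.add(REDACTED_STREAM)
    clone.streams.discard(DEFAULT_STREAM)
    clone.streams.discard(ORIGINAL_STREAM)
    queue.append(clone)


def run_pipeline(messages, guard=True, max_messages=50):
    """Process messages until the queue drains; raise if cloning never stops."""
    queue = list(messages)
    processed = []
    while queue:
        if len(processed) >= max_messages:
            raise RuntimeError("clone loop: every clone is cloned again")
        msg = queue.pop(0)
        redact_usernames(msg, queue, guard)
        processed.append(msg)
    return processed


def loops_without_guard():
    """True if dropping the NOT contains(..., "REDACTED") check makes the rule loop."""
    try:
        run_pipeline([sample_message()], guard=False)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    original, redacted = run_pipeline([sample_message()])
    print(original.fields, sorted(original.streams))
    print(redacted.fields, sorted(redacted.streams))
    print("loops without guard:", loops_without_guard())
```

One thing the model makes visible: replace() is a plain substring replacement. A short username that also occurs inside other words of the message text is redacted there too, and any other form of the identity the message field carries (a numeric uid, an email address) is left untouched, so check what the source actually logs before relying on a single field for redaction.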

Once we have written the rule, we need to apply it to our Auditbeat stream. Create a new pipeline, ensure you have selected the relevant stream in the Pipeline Connections, and apply the rule at an appropriate stage. In my case I only have 1 rule so I am applying it at Stage 0:


Search And Share

If we now go to the Search page, we should be able to see the redacted and non-redacted fields when switching between the Auditbeat stream and the Auditbeat Redacted stream:


We can now share these streams out with the relevant user accounts. In my example I have created a test account of an analyst who is only allowed to view the REDACTED stream. On the Streams page I can click on Share and assign this user Viewer rights to this stream:


If we log in as this user, we can see that they only have access to the Auditbeat Redacted stream:


Additional Thoughts

Finally, with Graylog Operations and Graylog Security, you will be able to audit which users are accessing sensitive data inside of Graylog for even more control and oversight.

As you can see, processing pipelines are a very powerful way to modify, enrich and filter your log messages. If there are particularly novel or complex pipelines that you think would be useful to the rest of the community, please share them on the Graylog Marketplace.

About Graylog  
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Why Patching Isn’t the Ultimate Goal in Cybersecurity

A recent analysis by JPMorganChase criticized the CVSS scoring process, finding that missing context leads to misleading prioritization. When it comes to cybersecurity, patching vulnerabilities often feels like the Holy Grail. Get those CVEs patched, and you’re safe, right? Well, not exactly. As we know, patching isn’t as straightforward—or as effective—as we’d like to believe. Between limited resources, business interruptions, and the sheer volume of vulnerabilities, aiming for 100% patching of even critical and high severity findings can feel like chasing the wind.

Patching, while important, isn’t the ultimate answer to securing your environment.

The Obstacles to Patching Vulnerabilities

  1. Volume of Vulnerabilities

The number of disclosed vulnerabilities continues to skyrocket each year. The National Vulnerability Database (NVD) catalogs tens of thousands of new vulnerabilities annually. How do you decide what to patch when every scanner generates a flood of critical alerts?

  2. Business Continuity Concerns

Applying patches often means downtime, testing, and the risk of breaking critical systems. For organizations with legacy infrastructure, patching a production server could have unintended ripple effects that outweigh the vulnerability itself.

  3. Resource Constraints

Whether it’s budget, people, or tools, cybersecurity teams are stretched thin. A limited team can’t patch everything without neglecting other critical duties like incident response, user awareness training, or threat hunting.

  4. Exploit Context

Not every vulnerability is weaponized or even exploitable in your specific environment. Yet, traditional vulnerability management often treats all vulnerabilities as equally urgent, leading to patching fatigue.

Why 100% Patching Shouldn’t Be the Goal

Here’s the reality: patching every vulnerability isn’t just impractical; it’s unnecessary. Security isn’t about perfection; it’s about prioritization. You’re better off focusing on vulnerabilities that truly matter to your organization’s risk posture.

Why shouldn’t you aim for 100%?

  • Not All Vulnerabilities Pose a Real Risk

A vulnerability in an unexposed system or one without a known exploit may not require immediate action. Over-focusing on low-risk vulnerabilities can leave high-impact risks unattended.

  • Attackers Focus on Exploitable Opportunities

Attackers don’t care about your patch percentage—they care about the paths that lead to valuable assets. Patching systems indiscriminately can distract from understanding those paths.

  • Runtime Context Matters More

Static vulnerability assessments tell you what could go wrong, but runtime context reveals what is happening. This is the key to distinguishing between theoretical risks and active threats.

How Graylog Helps: Asset-Based Risk with Runtime Context

At Graylog, we recognize the goal isn’t 100% patching—it’s 100% understanding. That’s where our asset-based risk approach comes into play. Graylog assesses a risk score based on real-world activity along with your vulnerability data to help you focus on what truly matters.

  1. Runtime Activity as Necessary Context

Traditional vulnerability management is like looking at a static map—you see the terrain but not the movement. Graylog goes further by incorporating runtime activity. We help you answer questions like:

  • Is the vulnerable asset being actively targeted?
  • Is it communicating with known malicious IPs?
  • Are unusual processes or behaviors happening on the system?

This real-time insight helps you prioritize vulnerabilities that attackers are actually exploiting.

  2. What’s Happening vs. What Could Happen

Patching vulnerabilities addresses what could happen, but Graylog helps you recognize what is happening. By correlating log data, threat intelligence, and asset behavior, we surface indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that reveal active threats.

  3. True Compromise Detection

Graylog’s focus isn’t just on potential risks but actual compromises. Our platform helps you identify and respond to incidents that have crossed the line from theoretical to real-world attacks. This allows you to spend less time chasing low-priority patches and more time addressing active threats.

Conclusion: Focus on What Matters

In cybersecurity, perfect can’t be the enemy of good. Chasing 100% patching is like locking every window in the house while the burglar walks in through the front door. Instead, focus on understanding your environment, prioritizing high-impact vulnerabilities, and recognizing true compromises.

With Graylog’s asset-based risk approach, you get the necessary context to separate the noise from the signal. By focusing on what’s happening, not just what could happen, you can align your resources to defend your organization effectively.

Best Practices for Troubleshooting a Windows Server Upgrade

To upgrade, or not to upgrade. While that may not have been the question that Hamlet asked, it’s one you might be asking. You already made the mistake of asking Reddit, “should I do an in-place upgrade,” and, as expected, people had Big Opinions. A Windows Server Feature Update offers benefits, like performance and analytics. On the other hand, if you have problems, then your attempts can lead to business downtime and service disruption. Meanwhile, time rolls on toward the October 2025 end-of-service (EoS) for Windows Server 2016.

If you’re still trying to decide if or when to do a Feature Update, then these best practices for troubleshooting a Windows Server upgrade might help you.

What is an in-place Windows Server upgrade?

An in-place Windows server upgrade, also called a Feature Update, is when an organization updates an older operating system version to a new one without making changes to:

  • Settings
  • Server roles
  • Data

By not requiring the IT department to reinstall Windows, the in-place upgrade reduces downtime and business disruption while improving security and system performance.

The process for an in-place Windows server upgrade is:

  • Collecting diagnostic information for troubleshooting issues
  • Backing up the server operating system, applications, and virtual machines
  • Performing the Feature Update using the Windows Server Setup
  • Checking the in-place upgrade to see if it worked

Which version of Windows Server should I upgrade to?

Depending on your current operating system, you may have different supported paths:

  • Windows Server 2012: Windows Server 2012 R2, Windows Server 2016
  • Windows Server 2012 R2: Windows Server 2016, Windows Server 2019, Windows Server 2025
  • Windows Server 2016: Windows Server 2019, Windows Server 2022, Windows Server 2025
  • Windows Server 2019: Windows Server 2022, Windows Server 2025
  • Windows Server 2022: Windows Server 2025
  • Windows Server 2025: Windows Server 2025

Microsoft no longer supports Windows Server 2008 or Windows Server 2008 R2.

Reasons for Upgrading Windows Servers

Upgrading Windows Server provides many of the same benefits that updating other device operating systems (OS) provides.

1. Enhanced Security

As with any operating system, the Windows Server upgrades typically incorporate new security features. For example, Windows Server 2022 brought with it:

  • Secured-core server: hardware, firmware, and driver capabilities to mitigate security risks during boot, at the firmware level, and from the OS executing unverified code
  • Secure connectivity: HTTPS and TLS 1.3 by default, plus encryption for DNS and Server Message Block (SMB)

Meanwhile, Windows Server 2025 includes security upgrades for:

  • Name and SID lookup forwarding between machine accounts
  • Confidential attributes
  • Default machine account passwords
  • LDAP encryption by default

2. Improved Performance

The OS updates improve performance by changing how processes work. For example, Windows Server 2022 improved performance with changes like:

  • Encrypting SMB data before data placement
  • Reducing Windows Container image sizes
  • Improving both UDP and TCP networking performance
  • Enhancing Hyper-V virtual switches with Receive Segment Coalescing (RSC)
  • Allowing users to adjust storage repair speed
  • Making storage bus cache available for standalone servers

Meanwhile, Windows Server 2025 improves performance with changes like:

  • Block cloning support
  • Dev Drive storage volume focused on file system optimizations that improve control over storage volume settings
  • Enhanced Log to reduce impact on Storage Replica log implementation

3. Enhanced Efficiency and Agility

As the world migrates to hybrid on-premises and cloud infrastructures, the upgrades to Windows Server follow along. For example, Windows Server 2022 came with new Azure hybrid capabilities with Azure Arc, a way to manage Windows and Linux physical servers and virtual machines hosted outside of Azure to maintain consistency. With Windows Server 2025, the Azure Arc setup Feature-on-Demand is installed by default so adding servers is easier.

Challenges with Windows Server Upgrades

While upgrading Windows Server comes with multiple benefits, you may be concerned about the potential problems and challenges, including:

  • Compatibility issues: Applications running on the server may not work with the new OS version, leading to outages.
  • Configuration restrictions: Server boot configurations may complicate the upgrade process, requiring reconfiguration or virtualization changes.
  • Disk space: Upgrades typically require extra space for installation files and temporary processing or else they fail.

How to Troubleshoot a Windows Server Upgrade

While you want everything to work perfectly, you don’t live in a perfect world. If you have to troubleshoot your Windows Server upgrade, then you might want to consider some of these issues.

Review event logs

Using the Event Viewer, you can scan the System and Application logs for Windows Events generated around the same time you did the upgrade. Some Windows Server error codes include:

  • 0x80244007: Windows cannot renew the cookies for Windows Update
  • 0x80072EE2: Windows Update Agent unable to connect to the update servers or your update source, like Windows Server Update Services (WSUS)
  • 0x8024401B: Proxy error leads to Windows Update Agent being unable to connect to update servers or your update source, like WSUS.
  • 0x800f0922: Updates for Windows Server 2016 failed to install.
  • 0x800706be: Windows Server 2016 cumulative update failed to install and was
  • 0x80090322: HTTP service principal name (SPN) registered to another service account, so PowerShell is unable to connect to a remote server using Windows Remote Management (WinRM)

Check for Pending Reboot

An upgrade typically requires four reboots. After the first reboot, you can expect another within 30 minutes. If you see no progress, the upgrade may have failed.

Review Servicing Stack Updates

The servicing stack updates (SSUs) fix problems with the component that installs the Windows Server updates to make sure they’re reliable. Without the latest SSU installed, you may not be able to install the feature or security updates.

Check CPU and I/O

Since the Windows Server upgrade uses a lot of compute power and disk space, you want to make sure that you check these metrics to make sure the process is progressing.

Check Firewall Service

You may need to have the Windows firewall service running for the updates to work. To check whether the service is running, go to Service Manager>Services>Windows Firewall.

Graylog Enterprise: Faster Troubleshooting

Graylog Enterprise enables you to aggregate, correlate, and analyze all your log data in a single location. With Graylog Extended Log Format (GELF) inputs and BEATS inputs, you have a standardized format across Windows log types.

Graylog supports Winlogbeat to ingest Windows event logs directly into our BEATS input, or you can use the NXLog community edition that reads Windows event logs and forwards them in GELF.

Using Graylog Sidecar, you can implement multiple configurations per collector and centrally manage their configurations through the Graylog interface. Graylog Cloud accepts inputs from the Graylog Forwarder so that you can collect the same kind of logs from different parts of your infrastructure or maintain a more redundant setup.

Leveling Up Security Operations with Risk-Based Alerting

In life, you get a lot of different alerts. Your bank may send emails or texts about normal account activities, like privacy notices, product updates, or account statements. It also sends alerts when someone fraudulently makes a purchase with your credit card. You can ignore most of the normal messages, but you need to pay attention to the fraud alerts. Security is the same way. Since your systems can generate terabytes of data everyday, your security tools can fire high volumes of alerts, leaving you overwhelmed. 

With risk-based alerts, you can reduce alert fatigue by incorporating additional security information, giving you a way to focus on high-value issues.

What is risk-based monitoring in cybersecurity?

In cybersecurity, a risk-based approach to monitoring means that the organization assesses the business impact and likelihood of an attack against various:

  • People
  • Devices
  • Resources
  • Networks
  • Data

After identifying those people and assets who pose the highest risk, the security team often incorporates threat intelligence to help prioritize monitoring and remediation activities. For example, many security teams take a risk-based approach to vulnerability management by applying security updates to critical assets first.

What is risk-based alerting?

Risk-based alerting (RBA) means that the detection logic incorporates additional attributes to reduce the overall number of alerts generated while enhancing them with meaningful data. 

When security analysts write these alerts, they may include security metadata including:

  • Exploitability, like an asset’s distance from the public internet
  • Impact, like users with privileged access
  • Likelihood, like incorporating threat intelligence
  • Asset criticality, like databases storing personally identifiable information (PII)

With RBA, security analysts can align their monitoring activities to the organization’s risk assessment more effectively. Further, when security teams have a solution that enables threat hunting, they can proactively use these enhanced rules to detect suspicious activity in their systems. 

What are the benefits of risk-based alerting?

While the frontend process of building risk-based detection rules can take some time, the overall benefits you get from them are worth it. 

Reduced Alert Fatigue

Alert fatigue is a real issue for anyone working in cybersecurity, and the problem has only gotten worse over the last few years. According to research, security teams are overwhelmed with inaccurate or unnecessary alerts, struggling to prioritize and review them effectively with:

  • 59% of respondents saying they receive more than 500 cloud security alerts per day
  • 43% saying more than 40% of their alerts are false positives
  • 56% saying they spend more than 20% of their day reviewing alerts and deciding which ones should be dealt with first
  • 55% saying that critical alerts are being missed

With risk-based alerting, you can correlate multiple events to generate fewer false positives. By reducing the overall number of alerts and making them more valuable, your security team can prioritize their responses better.

Faster Investigation Times

With fewer alerts and better prioritization capabilities, your security team can investigate incidents faster. With more attributes added to the alert, the security team has a way to focus their investigations. For example, consider this risk-based alert that monitors for people who recently tendered their resignation who make changes to Active Directory:

By linking the organization’s HR information to its Active Directory, the security team has a way to monitor for a specific, high-risk use case more precisely. When the system generates the alert, they also have all the information necessary to investigate the root cause. 
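As an added illustration (not Graylog Security's own scoring logic), the following Python scores constructed events on the four attributes listed above, accumulates risk per user, and fires an alert only when the total crosses a threshold; the resignation-plus-Active-Directory case is modelled as an HR lookup joined to the event. The context tables, weights, threshold and events are all assumptions made up for the example:

```python
# Added example (not Graylog's detection engine): risk-based alerting over
# constructed events. Each event is scored on exploitability, impact, likelihood
# and asset criticality; scores accumulate per user, and an alert fires only
# when the total crosses a threshold.
from collections import defaultdict

# Constructed context tables; in a SIEM these would be lookup tables fed by HR,
# the asset inventory and threat intelligence.
RESIGNED_USERS = {"bob"}                    # HR feed: resignation tendered
PRIVILEGED_USERS = {"bob", "svc_backup"}    # impact: privileged access
INTERNET_FACING_HOSTS = {"web-01"}          # exploitability: distance from the internet
CRITICAL_HOSTS = {"db-pii-01", "dc-01"}     # asset criticality: PII store, domain controller
KNOWN_BAD_IPS = {"203.0.113.50"}            # likelihood: threat intel (documentation-range address)

ALERT_THRESHOLD = 60   # assumed cut-off; tune against your own risk assessment

# Constructed sample detections; under per-event alerting every one is an alert.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "web-01", "type": "login_failed", "src_ip": "198.51.100.7"},
    {"user": "alice", "host": "web-01", "type": "login_failed", "src_ip": "198.51.100.7"},
    {"user": "bob", "host": "dc-01", "type": "ad_change", "src_ip": "10.0.0.5"},
    {"user": "svc_backup", "host": "db-pii-01", "type": "login_success", "src_ip": "203.0.113.50"},
    {"user": "carol", "host": "ws-12", "type": "new_process", "src_ip": "10.0.0.9"},
]


def score_event(ev):
    """Risk contribution of one event; the weights are illustrative assumptions."""
    score = 10                                            # any detection carries some risk
    if ev["host"] in INTERNET_FACING_HOSTS:
        score += 10                                       # exploitability
    if ev["user"] in PRIVILEGED_USERS:
        score += 15                                       # impact
    if ev.get("src_ip") in KNOWN_BAD_IPS:
        score += 25                                       # likelihood
    if ev["host"] in CRITICAL_HOSTS:
        score += 20                                       # asset criticality
    if ev["type"] == "ad_change" and ev["user"] in RESIGNED_USERS:
        score += 40                                       # the HR + Active Directory use case
    return score


def per_event_alerts(events):
    """Baseline: one alert per detection, no context."""
    return list(events)


def risk_based_alerts(events, threshold=ALERT_THRESHOLD):
    """Accumulate risk per user and alert only when it crosses the threshold.
    The alert carries the contributing events, so the analyst starts with context."""
    totals = defaultdict(int)
    contributing = defaultdict(list)
    for ev in events:
        s = score_event(ev)
        totals[ev["user"]] += s
        contributing[ev["user"]].append({**ev, "risk": s})
    return {user: {"risk": total, "events": contributing[user]}
            for user, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    print("per-event alerts:", len(per_event_alerts(SAMPLE_EVENTS)))
    for user, alert in risk_based_alerts(SAMPLE_EVENTS).items():
        print(f"{user}: risk {alert['risk']} from {len(alert['events'])} event(s)")
```

Five detections become two alerts, each carrying the events that produced its score; the repeated failed logins on the internet-facing host remain visible in the per-user totals without paging anyone. The weights and the threshold are the parts to tune against your own risk assessment, and the lookup tables are what keep the rule aligned with HR and asset data as those change.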

Improved Security Metrics

Proving your security program’s effectiveness typically includes the following metrics:

  • Mean Time to Detect (MTTD)
  • Mean Time to Investigate (MTTI)
  • Mean Time to Contain (MTTC)
  • Mean Time to Recover or Mean Time to Remediate (MTTR)

With risk-based alerts, you reduce all of these times, ultimately improving the metrics. You can think of it like a chain reaction. With better detection, security teams work with better information and focus. With fewer overall alerts, analysts can investigate them faster. The faster they can find the incident’s root cause, the sooner they can contain the attacker, remediate the system, and get everything back online. 

Who benefits from risk-based alerts?

Even though risk-based alerts sit under the security function, various people across your organization benefit from them. 

Security Analysts

With better information, your security analysts can do their jobs more effectively and efficiently. Since they’re not spending as much time chasing down false alerts, they can focus their energy on high-impact activities like threat hunting. Further, when security analysts have the tools to do their job well, they’re more likely to stay with the company, reducing employee turnover. 

IT Help Desk

When something goes wrong in your environment, the help desk is the first place users turn. Often, security issues and operational issues mimic one another. For example, a Distributed Denial of Service (DDoS) attack slows down your network, but a network device configuration issue can have the same outcome. With security teams detecting and responding to incidents faster, your IT help desk gets fewer calls. 

Senior Leadership

Senior leadership is responsible for overseeing the organization’s compliance posture and making data-driven decisions about the cybersecurity program. Your risk assessment is the basis of your compliance program. With risk-based alerts, you can align your security and compliance objectives more effectively. Further, leadership needs to understand the program’s strengths and weaknesses to make meaningful decisions about security investments. When you map risk-based alerts to frameworks like MITRE ATT&CK, you gain visibility into potential tooling gaps.

Graylog Security: Risk-Based, High Fidelity Alerts to Mature Your Program

With Graylog Security, you can build risk-based, high fidelity alerts based on your organization’s unique technology stack and risk profile. Our cloud-native capabilities, intuitive UI, and out-of-the-box content enable you to build the security program you need without paying for the functionalities you don’t use. Using our prebuilt content, you gain immediate value from your logs with search templates, dashboards, correlated alerts, dynamic lookup tables, and more.

Built with end-users in mind, Graylog’s platform empowers people of all skill levels. You don’t need special skills or engineers to build the risk-based alerts so you can uplevel your security with your current team, reducing labor costs often associated with complex SIEMs. 

Graylog Introduces Advanced Data Routing to Help Enterprises Rebalance Cost and Data Value

As a leader in threat detection, investigation and response (TDIR), Graylog recently announced a set of major security features that help enterprises run more efficient, smarter and more cost-effective security operations. The new capabilities include advanced data routing, asset-based risk scoring, and AI-generated investigation reports.

These innovations, together with the other improvements in the Fall 2024 release, let enterprises rebalance their resources against their security objectives more effectively and help security teams reduce risk with confidence. By giving a precise picture of the threat landscape at the user and system level, Graylog helps enterprises make better-informed security decisions and respond quickly to potential threats.

Graylog's exclusive advanced data routing lets users send lower-value "standby" data to economical storage without indexing it immediately. That data can be retrieved at any time for a future incident investigation. The feature changes the traditional SIEM subscription model so that it reflects data value more accurately, helping security and IT teams focus on what their data is worth while reducing the number of technical tools they have to manage.

"In the past, a SIEM had to ingest data from every log source on the assumption that every log message was of equal value," explained Seth Goldhammer, Vice President of Product at Graylog. "But once a message was dropped, it could never be retrieved. Our advanced data routing solves this problem: users can ingest all of their data but pay only for the data that is truly valuable."

Graylog's asset-based risk modeling correlates related security events across the attack surface and prioritizes the important threats according to factors such as vulnerability status, anomalous changes and API risk. It consolidates thousands of daily alerts into high-risk events per user and per system, helping security analysts quickly identify what to investigate first and speeding up the handling process.

In addition, Graylog's Fall 2024 release adds event timeline visualization and uses generative AI (GenAI) to compile key details into incident response reports, including impact analysis, further simplifying investigations and saving analysts' time.

About Graylog
Graylog strengthens enterprise cybersecurity with complete SIEM, enterprise log management and API security solutions. Graylog centrally monitors the attack surface and conducts in-depth investigations, delivering superior threat detection and incident response. Its unique combination of AI/ML technology, advanced analytics and intuitive design simplifies cybersecurity operations. Unlike competitors' complex and expensive setups, Graylog offers a powerful and affordable solution that helps enterprises meet security challenges with ease. Founded in Hamburg, Germany, Graylog is now headquartered in Houston, USA, and serves more than 180 countries.
