How to Set Up Windows Server Cluster-Aware Updating (CAU) on Windows Server 2025
Patching a Windows Server Failover Cluster without disrupting workloads has historically required careful manual coordination — draining roles, applying updates on one node, rebooting, waiting for roles to fail back, then repeating across every node. Cluster-Aware Updating (CAU) automates this entire orchestration. Introduced with Windows Server 2012 and significantly enhanced in subsequent releases, CAU on Windows Server 2025 integrates natively with Failover Clustering to roll patches through cluster nodes sequentially while automatically migrating clustered roles and virtual machines to healthy nodes before each maintenance window begins. The result is a patching process that achieves full cluster patching with zero downtime for highly available workloads, with full PowerShell scriptability and WSUS integration for enterprise environments.
Prerequisites
- A Windows Server 2025 Failover Cluster with at least two nodes
- All cluster nodes joined to the same domain and able to reach each other over the cluster network
- The Failover Clustering feature installed on all nodes (Install-WindowsFeature Failover-Clustering)
- An account with local administrator rights on all cluster nodes and cluster administrator permissions
- Network connectivity to Windows Update or a WSUS server from all cluster nodes
- Sufficient cluster capacity to sustain workloads when one node is in maintenance mode
- PowerShell Remoting enabled on all nodes
Step 1: Install the CAU Feature and Remote Administration Tools
CAU is included with the Failover Clustering role but requires the remote administration tools to be present on the management host from which you will orchestrate updates. Run the following on your management server or on a cluster node that will act as the CAU update coordinator:
# Install Failover Clustering with all management tools on each cluster node
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -IncludeAllSubFeature
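# On a remote management server running Windows Server 2025:
Install-WindowsFeature -Name RSAT-Clustering -IncludeAllSubFeature
# Install-WindowsFeature is a Windows Server cmdlet; on a Windows 11 24H2+ workstation,
# install the RSAT failover clustering tools with Add-WindowsCapability instead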
# Verify the CAU cmdlets are available
Get-Command -Module ClusterAwareUpdating | Select-Object Name | Format-Table -AutoSize
Confirm that the ClusterAwareUpdating module loaded correctly and that all expected cmdlets — Add-CauClusterRole, Invoke-CauRun, Invoke-CauScan, Get-CauReport — are listed.
Step 2: Configure the CAU Clustered Role
CAU can operate in two modes: Remote-updating mode, where an external orchestrator computer drives the update run, and Self-updating mode, where the cluster hosts a CAU clustered role that acts as its own orchestrator. Self-updating mode is preferred for automated, scheduled patching because it does not require an external computer to be available at patch time.
# Add the CAU clustered role to the cluster (enables self-updating mode)
# -DaysOfWeek Wednesday = patch on Wednesdays
# -WeeksOfMonth 3 = third week of each month
# -MaxRetriesPerNode 1 = retry once if a node update fails
# -RequireAllNodesOnline = abort if any node is unavailable at start time
Add-CauClusterRole `
    -ClusterName "CLUSTER01" `
    -DaysOfWeek Wednesday `
    -WeeksOfMonth 3 `
    -MaxRetriesPerNode 1 `
    -RequireAllNodesOnline `
    -EnableFirewallRules `
    -Force
# Verify the role was added
Get-CauClusterRole -ClusterName "CLUSTER01"
The -EnableFirewallRules parameter automatically opens the Windows Firewall rules required for CAU remote management on all cluster nodes, saving you manual firewall configuration.
Step 3: Run a Pre-Scan to Check Patch Applicability
Before applying any updates in a production maintenance window, use Invoke-CauScan to perform a dry-run scan. This queries each cluster node for applicable updates — via Windows Update or WSUS — and returns the list without installing anything. Use this step to validate that the expected patches will be applied and to estimate the total update time.
# Scan all cluster nodes for applicable updates (no changes made)
$scanResults = Invoke-CauScan -ClusterName "CLUSTER01" -Verbose
# Display results per node
foreach ($nodeResult in $scanResults) {
    Write-Host "`n=== $($nodeResult.NodeName) ===" -ForegroundColor Cyan
    $nodeResult.Updates | Select-Object Title, KBArticleIDs, MaxDownloadSize |
        Format-Table -AutoSize
}
# Count total patches per node
$scanResults | Select-Object NodeName, @{Name="PatchCount"; Expression={ $_.Updates.Count }}
If any node returns an unexpectedly large patch list, or one containing updates you did not anticipate, investigate before proceeding. This is particularly important for Hyper-V hosts running production VMs, where a surprise firmware-level update might require additional planning.
Step 4: Perform a CAU Update Run in a Maintenance Window
When you are ready to apply updates, use Invoke-CauRun. CAU will iterate through each cluster node, drain its clustered roles to other nodes, apply updates, reboot if necessary, wait for the node to rejoin the cluster and for all roles to stabilize, then move to the next node.
# Invoke a full CAU update run (this will reboot nodes as needed)
Invoke-CauRun `
    -ClusterName "CLUSTER01" `
    -MaxFailedNodes 1 `
    -MaxRetriesPerNode 1 `
    -RequireAllNodesOnline `
    -Force `
    -Verbose
# The Windows Update plug-in follows each node's local update policy (Windows Update or WSUS).
# Name it explicitly and pass a QueryString to control which updates are selected:
Invoke-CauRun `
    -ClusterName "CLUSTER01" `
    -CauPluginName "Microsoft.WindowsUpdatePlugin" `
    -CauPluginArguments @{ 'QueryString' = 'IsInstalled=0 and Type=Software and IsHidden=0' } `
    -MaxFailedNodes 0 `
    -Force
The -MaxFailedNodes 0 parameter is a conservative setting that halts the entire run if any single node fails to update successfully — the safest choice for production environments. Increase to 1 if you want to allow one failure and still patch remaining nodes.
Step 5: Configuring CAU Plug-ins
CAU uses a plug-in architecture for update sources. The built-in plug-ins cover most enterprise needs:
- Microsoft.WindowsUpdatePlugin: Uses the Windows Update Agent on each node; works with Windows Update for Business and WSUS via the local update policy.
- Microsoft.HotfixPlugin: Applies hotfixes from a network share — useful for updates that are not distributed via Windows Update, such as driver packages or firmware updates packaged as MSU/MSI files.
# Use the Hotfix plug-in for out-of-band patches from a network share
# First, copy hotfixes to a share accessible by all cluster nodes
# Share structure: \\FILESERVER\CauHotfixes\HotfixConfig.xml
$hotfixArgs = @{
    'HotfixRootFolderPath' = '\\FILESERVER\CauHotfixes'
}
Invoke-CauRun `
    -ClusterName "CLUSTER01" `
    -CauPluginName "Microsoft.HotfixPlugin" `
    -CauPluginArguments $hotfixArgs `
    -MaxFailedNodes 0 `
    -Force
# Run both plug-ins in the same pass (Windows Update + custom hotfixes)
Invoke-CauRun `
    -ClusterName "CLUSTER01" `
    -CauPluginName @("Microsoft.WindowsUpdatePlugin","Microsoft.HotfixPlugin") `
    -CauPluginArguments @( @{}, $hotfixArgs ) `
    -RunPluginsSerially `
    -Force
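The hotfix share is a trust point: whatever package sits in it is installed on every cluster node. As an added example (not from the original article and not Microsoft's code), the script below checks each package in the hotfix folder against an approved SHA-256 manifest, and optionally its Authenticode signature, before a run is started. The function name Test-CauHotfixIntegrity and the CSV manifest format are assumptions, and the demo files are constructed in a temp folder that stands in for the share.

```powershell
# Added example: function name and CSV manifest format (FileName,SHA256) are assumptions.
function Test-CauHotfixIntegrity {
    param(
        [Parameter(Mandatory)] [string] $HotfixRoot,
        [Parameter(Mandatory)] [string] $ManifestPath,
        [switch] $RequireValidSignature
    )
    # Approved SHA-256 hashes keyed by file name
    $approved = @{}
    Import-Csv -Path $ManifestPath |
        ForEach-Object { $approved[$_.FileName] = $_.SHA256.ToUpperInvariant() }

    Get-ChildItem -Path $HotfixRoot -Recurse -File -Include *.msu, *.msi, *.msp |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if (-not $approved.ContainsKey($_.Name)) { $verdict = 'NotInManifest' }
            elseif ($approved[$_.Name] -ne $hash)    { $verdict = 'HashMismatch' }
            else                                      { $verdict = 'Approved' }
            # Optional second check: the package must also carry a valid Authenticode signature
            if ($verdict -eq 'Approved' -and $RequireValidSignature) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') { $verdict = "Signature$($sig.Status)" }
            }
            [pscustomobject]@{ File = $_.Name; SHA256 = $hash; Verdict = $verdict }
        }
}

# --- Constructed demo data: a temp folder stands in for the hotfix share ---
$root = Join-Path ([IO.Path]::GetTempPath()) 'CauHotfixDemo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
'constructed payload A' | Set-Content -Path (Join-Path $root 'approved.msu')
'constructed payload B' | Set-Content -Path (Join-Path $root 'tampered.msu')
'constructed payload C' | Set-Content -Path (Join-Path $root 'unlisted.msi')
$manifest = Join-Path $root 'approved-hashes.csv'   # in production, keep this off the share
@(
    [pscustomobject]@{ FileName = 'approved.msu'
                       SHA256   = (Get-FileHash (Join-Path $root 'approved.msu')).Hash }
    [pscustomobject]@{ FileName = 'tampered.msu'; SHA256 = '0' * 64 }   # deliberately wrong
) | Export-Csv -Path $manifest -NoTypeInformation

$results  = Test-CauHotfixIntegrity -HotfixRoot $root -ManifestPath $manifest
$rejected = @($results | Where-Object Verdict -ne 'Approved')
$results | Format-Table File, Verdict -AutoSize
if ($rejected.Count -eq 0) {
    Write-Host 'All packages approved; the Invoke-CauRun call would go here.'
} else {
    Write-Warning "$($rejected.Count) package(s) rejected; do not start the CAU run."
}
```

With the constructed data, approved.msu is reported as Approved, tampered.msu as HashMismatch and unlisted.msi as NotInManifest, so the gate refuses to start the run.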
Step 6: Monitoring CAU Progress and Reviewing Logs
CAU writes detailed logs to %SystemRoot%\Cluster\Reports on the node that acted as the update coordinator. Each run produces a dated XML report and a human-readable HTML report. You can also query reports programmatically:
# List all CAU reports for the cluster
Get-CauReport -ClusterName "CLUSTER01" | Select-Object RunStartTime, RunEndTime, Status, ClusterName |
Format-Table -AutoSize
# Get the most recent report and display per-node results
$latestReport = Get-CauReport -ClusterName "CLUSTER01" -Last | Select-Object -First 1
$latestReport | Get-CauReport -Detailed | ForEach-Object {
    Write-Host "`nNode: $($_.NodeName) — Status: $($_.Status)" -ForegroundColor $(if ($_.Status -eq 'Succeeded') { 'Green' } else { 'Red' })
    $_.UpdateResults | Select-Object Title, ResultCode, HResult | Format-Table -AutoSize
}
# View raw log files on the coordinator node
$reportPath = "$env:SystemRoot\Cluster\Reports"
Get-ChildItem -Path $reportPath -Filter "CauReport_*.xml" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime, Length
Step 7: Testing the CAU Configuration End-to-End
# Test CAU configuration — validates firewall, permissions, and cluster readiness
Test-CauSetup -ClusterName "CLUSTER01" -Verbose
# View current CAU scheduled update configuration
Get-CauClusterRole -ClusterName "CLUSTER01" | Format-List *
# Temporarily disable self-updating while performing manual maintenance
Disable-CauClusterRole -ClusterName "CLUSTER01" -Force
# Re-enable when manual work is complete
Enable-CauClusterRole -ClusterName "CLUSTER01" -Force
Cluster-Aware Updating on Windows Server 2025 transforms what was once a labour-intensive, error-prone monthly ritual into a reliable, automated pipeline. By combining a scheduled CAU clustered role with pre-scan validation, WSUS or Windows Update plug-ins, and the structured reporting in %SystemRoot%\Cluster\Reports, you gain a fully auditable patching process that maintains workload availability throughout. Schedule your CAU scan the week before your maintenance window, review the patch list, and let CAU handle the orchestration so your team can focus on higher-value work. Always retain at least one node’s worth of spare cluster capacity and test your CAU configuration quarterly with Test-CauSetup to catch configuration drift before your next patch cycle.