Windows VPS First Steps After Purchase: Initial Setup Guide
Practical guide to the first steps on your Windows VPS after purchase: RDP connection, password change, firewall setup and initial updates.
You just received the email with the IP and password of your Windows VPS and you’re staring at the screen with no idea where to start. This guide covers the first steps before installing any application — connecting, changing the password, adjusting the firewall, running the pending updates and setting up basic security.
Most issues that appear during the first week of a Windows VPS come from things that weren’t done on the first access: original password left in an email, firewall opening too many ports, accumulated updates that freeze the server in the middle of a deploy. Sorting this out takes about 30 to 40 minutes and avoids headaches down the line.
The tutorial assumes you have a freshly provisioned Windows Server 2022, with RDP access enabled and credentials delivered by email or in the client panel. It doesn’t require prior Windows Server knowledge — every step is performed via the graphical interface or an elevated PowerShell prompt.
Prerequisites
Before connecting, double-check the access data delivered at provisioning time.
Windows Server 2022 provisioned (or Windows Server 2019), Administrator credentials delivered, RDP client installed on your local computer (built into Windows; on macOS use Microsoft Remote Desktop from the App Store; on Linux use Remmina or FreeRDP).
shown in the panel Administrator 3389 RDP / TCP The initial password is in the Hostini panel under “Services → your VPS → Credentials”. Don’t copy and paste from an old email — always go to the panel to guarantee the current version.
Connecting via RDP for the first time
The RDP connection is the standard entry point for Windows Server. On local Windows, the built-in client is Remote Desktop Connection (mstsc).
Open Remote Desktop Connection — press Win + R, type mstsc and hit Enter. In the “Computer” field, paste your VPS IP in the IP:PORT format if the default port has been changed, or just the IP if it’s still 3389.
203.0.113.42Click “Connect”. The client will ask for credentials — use Administrator as the username and the password from the panel.
Accept the self-signed certificate. On the first connection, the client warns about an unverified identity — that’s expected, the server doesn’t have an official certificate yet.
Tick “Don’t ask me again” if you want to avoid the alert on the next connections, but only do this after confirming you’re connecting to the correct IP of your VPS (compare with the panel).
Wait for Server Manager to open automatically. On Windows Server 2022, Server Manager is the entry point for all system settings — it shows server status, installed roles, recent events and performance.
If Server Manager doesn’t open, search for “Server Manager” in the Start menu.
Changing the Administrator password
The password delivered at provisioning was generated automatically and is stored in the panel. Changing it on first access removes that exposure vector.
Press Ctrl + Alt + End (this combination inside RDP is equivalent to Ctrl + Alt + Del locally). In the menu that appears, click “Change a password”.
Fill in the old password (from the panel) and define a new password with at least 16 characters mixing uppercase, lowercase, numbers and symbols. Avoid passwords based on dictionary words or predictable patterns.
Strong password example: gT9$kPm2#vXq8&Ln4Store the new password in a password manager (Bitwarden, 1Password, KeePass) — recovering access to a Windows Server whose password was lost requires recovery via console in the panel, with a maintenance window.
Windows Server 2022 ships with Password Complexity Policy enabled by default. Passwords that are too simple are rejected with the message “Unable to update the password” without details. Use at least 12 characters with 3 of the 4 categories (uppercase, lowercase, numbers, symbols).
Configuring the firewall
Windows Firewall is active by default, but the initial rules include several ports you likely don’t need. Reducing the attack surface is the first hardening step.
Open Windows Defender Firewall with Advanced Security — search for wf.msc in the Start menu. Go to “Inbound Rules” in the left pane. You’ll see a long list of pre-defined rules.
Identify and disable rules for services you won’t use. Typical cases: Network Discovery, File and Printer Sharing (if you won’t share files), Remote Assistance, Windows Remote Management (unless you use WinRM/remote PowerShell).
Right-click the rule → “Disable Rule”. Don’t delete — disabling lets you revert later.
Create a restrictive rule for the RDP port limiting the source IP. In “Inbound Rules”, find the “Remote Desktop - User Mode (TCP-In)” rules and click “Properties”. “Scope” tab → in “Remote IP address”, select “These IP addresses” and add your static IP or range.
If your local IP is dynamic (typical residential), skip this step and consider a VPN. Restricting RDP to a residential IP that changes daily will lock you out of the server.
If you disable the RDP rule by mistake or apply a wrong IP restriction, you lose immediate access and need to open a ticket for console recovery. Always test firewall changes from a second connection before closing the first.
Running the pending updates
A freshly provisioned VPS normally has dozens of patches accumulated since the image date. Applying everything now avoids unexpected reboots later.
Open Settings → Update & Security → Windows Update. Click “Check for updates”. The system will download the list and start installing automatically.
The first run can take between 20 and 60 minutes depending on the volume of patches and the server’s bandwidth. Don’t cancel mid-way.
After the installation, restart when prompted. Windows Update can request two or three reboots in sequence to finish dependent patches — repeat the cycle until “Check for updates” returns “You’re up to date”.
During the reboot the RDP connection drops. Wait 2 to 5 minutes and reconnect with mstsc.
In Settings → Update & Security → Windows Update → Change active hours, define the window in which the server is NOT allowed to reboot automatically (e.g. 08:00–22:00 for daytime production). Critical patches force reboots outside this window, but you avoid surprises during peak hours.
Verifying that everything worked
After the steps above, validate that the server is in a consistent state before installing applications.
Open PowerShell as administrator (right-click on Start → “Windows PowerShell (Admin)”) and run:
Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, OsLastBootUpTime
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
Get-NetFirewallProfile | Select-Object Name, EnabledThe first command confirms the Windows version and uptime since last boot. The second lists the latest installed patches — recent dates should appear. The third shows the 3 firewall profiles (Domain, Private, Public) — all should be Enabled: True.
If any firewall profile is disabled, re-enable it with:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled TrueTroubleshooting
”Cannot connect to the remote computer”
Check that the IP is correct by comparing with the Hostini panel. If the IP is right, test basic connectivity:
Test-NetConnection -ComputerName <VPS_IP> -Port 3389If TcpTestSucceeded returns False, your internet provider’s firewall may be blocking outbound traffic to port 3389 — common on corporate networks. Test from another network (mobile 4G, for example) to confirm.
”Your credentials did not work”
Confirm you’re using exactly Administrator (capital A) as the username. If you just changed the password and the error persists, the password may not have synced — wait 30 seconds and try again.
Server slow or stuck after first boot
This is normal: during the first hours, Windows is indexing, downloading Defender definitions and processing updates in the background. Wait for the system to stabilize (15 to 30 minutes with no activity in Task Manager) before evaluating real performance.
Next steps
With the basics configured, you can move on to:
- Install IIS to host .NET applications or static sites
- Configure SQL Server Express or MySQL for databases
- Enable remote PowerShell access via WinRM for automation
- Install Chocolatey as a package manager to speed up future installs
- Configure scheduled backup of critical data via Windows Server Backup
If you’re putting an application into production, a Hostini VPS with Windows Server comes with daily automatic snapshots and emergency console access via the panel — useful when a firewall change locks you out or when you need to recover access without relying solely on RDP. Technical details and plans at /vps.
Frequently asked questions
What's the difference between Windows Server and Windows 10/11 on a VPS?
Windows Server is optimized for server workloads — no consumer bloatware, native support for multiple RDP sessions (with CAL licensing) and built-in administrative tools via Server Manager. Windows 10/11 on a VPS works, but has stricter licensing and was not designed to run 24/7 under sustained load. Among serious providers, Windows Server 2022 is the standard.
How many simultaneous RDP connections does Windows Server allow by default?
By default, 2 simultaneous administrative sessions — enough for administration tasks. For more connections (Terminal Server / Remote Desktop Services use cases), you need to purchase RDS CAL licenses from Microsoft and install the corresponding role. For typical application or panel hosting use, the 2 default sessions are plenty.
Can I change the default RDP port (3389) to reduce attacks?
Yes, but that's security through obscurity — it slows down automated scanners but doesn't stop targeted attacks. The real defense is: strong password (16+ characters), IP lockout after failed attempts via Account Lockout Policy, and source restriction in the firewall. If you want to change the port, edit the PortNumber key in HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and open the new port in the firewall before restarting.
Why does Windows Server come with IE Enhanced Security enabled?
It's a protection against insecure scripts and plugins when an administrator browses the web from the server itself — which shouldn't happen in production. The block forces confirmation for every site visited. You can disable it in Server Manager → Local Server → IE Enhanced Security Configuration, but the ideal is not to use the server as a workstation.
How do I know if Windows updates installed successfully?
Open Settings → Update & Security → Windows Update and check the history. Useful PowerShell commands: Get-HotFix lists installed patches, and Get-WindowsUpdateLog generates a consolidated log at %USERPROFILE%\Desktop\WindowsUpdate.log. Restart the server after critical patches — some only complete installation on boot.
Is it safe to leave the Administrator user with the default name?
It's not a direct vulnerability, but it makes brute-force attacks easier — every scanner tries Administrator first. Best practice: create a second administrative user with a different name, test access, and then disable (don't delete) the default Administrator account via lusrmgr.msc. Never delete it — it can break recovery workflows.