We’re a small business, a few servers with about 20+ Windows 10 PCs. Our servers are currently running Windows Server 2012 R2 (VMware ESXi 7 environment) which are coming up on EOL this year. I will be migrating our servers to Windows Server 2022. I’ve recently acquired and have been testing with the Evaluation edition to get a feel for the new OS, which feels much like a “server” version of Windows 10 (much like 2012 R2 is like the “server” version of Windows 8.1).

I’m about to begin the migration except for being able to configure Windows Updates. With Server 2012 R2, I’m able to go to Windows Update from the control panel and click on Change Settings. Here I have choices from Install Updates Automatically to Never check for updates. I have ours set for Download updates but let me choose whether to install them.

On or around patch Tuesday, the servers will download the usual monthly updates for which I’ll wait long enough to confirm the updates don’t break anything, and then install the updates and restart the servers on a weekend when no one is on the network. I can also choose which ones to install and which ones not to in the event there’s a problem update released that has yet to be recalled.

With Server 2022, I don’t see that same settings option to control how and when updates are installed. The Windows Update section on Server 2022 appears the same as Windows 10, where updates simply install automatically and will restart outside active hours. For us, it can’t just restart outside active hours; rather, it must be outside active “days” (e.g. on weekends), as we sometimes have processes running overnight, not to mention not having the ability to skip a problem update.

I find it hard to believe that Microsoft servers update and restart without IT admins controlling how and when the updates are installed. Am I missing something?


Run SConfig from a command prompt, choose option 5.

WSUS or other patch management tool will do what you want as well.


Hey OP

Like @da-schmoo said, you should definitely look into getting patch management software to help you out with this. If interested, Pulseway’s patch management tool could help you maintain control over all your Windows environments as well as automate your patching. We also, in our most recent update, added the ability to schedule a reboot within patching, making it even more flexible than before.

You can check it out and learn more here

And if you have any questions please don’t hesitate to reach out. Best of luck!

Another way to configure Windows Update would be with group policies. Here you have the possibility to fine tune the behavior of Windows Update.

BTW: I wouldn’t focus on WSUS anymore, Microsoft already doesn’t support all current products in WSUS. For example, Office 2019 or 2021 are no longer supported in WSUS, or in this particular case only the versions with volume licenses.

HTH

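For readers who want to see what the Group Policy route above actually writes, here is an added example (not code from the thread or from any poster) that sets the same registry values the "Configure Automatic Updates" policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update) produces, and then reads back what the Windows Update Agent is really applying. The policy paths, AUOptions meanings and the COM object are Microsoft's; the Saturday 03:00 schedule and the function names are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: write the Windows Update policy values that the
# "Configure Automatic Updates" GPO writes, then ask the agent what it applies.
# Day/hour values and function names are illustrative assumptions.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

function Set-WuPolicy {
    param(
        # 'DownloadNotify'    = AUOptions 3: download, then wait for an admin to install
        #                       (the 2012 R2 "let me choose" behaviour).
        # 'ScheduledSaturday' = AUOptions 4: install and restart at a fixed day and hour.
        [ValidateSet('DownloadNotify', 'ScheduledSaturday')]
        [string]$Mode = 'DownloadNotify'
    )
    foreach ($key in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Keep Automatic Updates enabled; AUOptions selects the mode.
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate -Type DWord -Value 0
    # Never restart while someone is logged on, whichever mode is chosen.
    Set-ItemProperty -Path $AuPolicy -Name NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1
    # Servers get drivers from the vendor, not from Windows Update.
    Set-ItemProperty -Path $WuPolicy -Name ExcludeWUDriversInQualityUpdate -Type DWord -Value 1

    switch ($Mode) {
        'DownloadNotify' {
            Set-ItemProperty -Path $AuPolicy -Name AUOptions -Type DWord -Value 3
            Remove-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay, ScheduledInstallTime -ErrorAction SilentlyContinue
        }
        'ScheduledSaturday' {
            Set-ItemProperty -Path $AuPolicy -Name AUOptions -Type DWord -Value 4
            # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday. Hour is 0-23, local time.
            Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallDay  -Type DWord -Value 7
            Set-ItemProperty -Path $AuPolicy -Name ScheduledInstallTime -Type DWord -Value 3
        }
    }
    # The agent re-reads policy when it starts; restarting the service avoids waiting for the next cycle.
    Restart-Service wuauserv
}

function Get-WuEffectiveSetting {
    # Ask the Windows Update Agent itself rather than trusting the registry.
    $s = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $levels = @{ 0 = 'NotConfigured'; 1 = 'Disabled'; 2 = 'NotifyBeforeDownload'
                 3 = 'NotifyBeforeInstallation'; 4 = 'ScheduledInstallation' }
    [pscustomobject]@{
        NotificationLevel  = $levels[[int]$s.NotificationLevel]
        ScheduledDay       = $s.ScheduledInstallationDay
        ScheduledHour      = $s.ScheduledInstallationTime
        ControlledByPolicy = $s.ReadOnly   # $true: a local or domain policy owns these settings
    }
}

Set-WuPolicy -Mode DownloadNotify
Get-WuEffectiveSetting
```

The check at the end matters: `ControlledByPolicy` should come back `$true` and `NotificationLevel` should read `NotifyBeforeInstallation`; if it does not, something else (typically a domain GPO, which writes to the same `Policies` hive and overwrites local edits at every refresh) is winning. On a domain member put these values in a GPO linked to the servers' OU rather than editing the registry by hand.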

I would just set up WSUS and put some GPOs into AD, or locally if no AD is in place. This gives you enough possibilities to automatically install security-relevant updates on all Windows platforms and Microsoft products and to configure the installation of updates and required reboots. Your WSUS server will ask itself for updates, just like all other servers and clients. Don’t configure driver updates! This might take your WSUS out of service or at least slow everything down until it really hurts.

WSUS is quite self sufficient, depending on the configuration you put in place.
It needs some maintenance for sure, like approving non-security-related updates, if you want, or cleaning up the database, which can be automated, too… or just ignore the DB maintenance for a long time without having a major impact on performance in small environments. But, again, don’t configure driver updates! WSUS downloads excessive amounts of drivers if you do, and this is just useless for most environments.

It’s free, if you already have your Windows Server license and it won’t hurt to give it at least a try :wink:

Please keep in mind that WSUS no longer provides updates for the Office 2019 and 2021 C2R (Click-to-Run) versions. It is expected that Microsoft will discontinue WSUS support one product after another:

“Since updates are cumulative and already included in the latest version of Office 2019 on the Office CDN, you don’t use Microsoft Updates or Windows Server Updates Services (WSUS) to update Office 2019. But you can use Microsoft Configuration Manager to help you deploy and manage updates to Office 2019, including controlling when and from where updates are applied.”

As I understand, there are no single updates anymore, but only new full versions, which are either simply installed over it or, if update management is supported, the program blocks that do not correspond to the current version are incrementally replaced. But I haven’t researched this further, because we’re remaining on Office 2016 for this reason, as long as it’s still supported.

HTH

@thomaswildgruber Not sure about the intention of your… let’s call it… warnings about the discontinuation of Office updates from WSUS.
I’m still a huge fan. It’s set up so fast that I couldn’t believe it the first time. And my other two times also went flawlessly, almost magically simple. Fiddling the GPOs together for different system groups the first time has been the harder part in my opinion, but it’s easy too if you just copy your initial GPO and fine-adjust it to your needs.

WSUS also gives an admin an easy way to enforce removal of a broken system update in general, so the admin doesn’t need to run from every computer to the other just to remove this one update from each of them or let a script do it remotely (basically one shot try and forget in many cases).

We are on M365 E3 to take away many decisions and hassles that otherwise would have to be taken into consideration and taken care of. It also improves overall manageability of all systems and takes care of so many licensing options that you would need without it, including Intune etc. Clearly, you have to dive deep into the documents provided publicly by Microsoft, even the seemingly outdated ones are important, to get all the inclusions together and understand everything about it… but after all it was worth it :wink: I’ve learned things about it that even our official Microsoft distributor couldn’t tell/answer, or he just plainly got it wrong - seriously.
M365 is based on Office 16; it includes all updates and features and it is always the latest stable release (Enterprise Channel) in our environment.
WSUS never provided any Office updates in our environment, probably because I always used C2R installations, so CDN is the source for updates - no worries with this…

I’m not yet seeing deprecation of WSUS coming soon enough to drop it from all considerations, at least for “cloud antagonistic” or hybrid environments, indicated by the initial title of this topic about Server 2022.

"Configure where Office 2019 gets updates from

If network connectivity and other considerations based on your organizational requirements aren’t an issue, we recommend that Office 2019 is updated automatically from the Office CDN. Updating from the Office CDN is the default, so there’s nothing extra you need to do and it’s an easy way to keep Office 2019 up to date.

If you don’t want computers installed with Office 2019 to connect to the Office CDN to get updates, you can configure Office 2019 to get updates from a shared folder from within your internal network. You still need at least one computer to have access to the Office CDN to be able to download the latest version of Office 2019 to the shared folder on your internal network.

Keep in mind that installing and updating Office 2019 from a shared folder on your local network requires significantly more administrative effort and more disk space. For example, you have to keep track of when new builds of Office 2019 are available and then download the updated version of Office 2019 to your network. Downloading to a shared folder on your local network will always download a full copy of the updated version of Office.

You can also use enterprise software deployment tools, such as Microsoft Configuration Manager, to help you update Office 2019.

The location where Office 2019 looks for updates is specified in the configuration.xml file that you use to deploy Office 2019 with the Office Deployment Tool. For more information, see Deploy Office 2019 (for IT Pros). You can also use Group Policy."

How have I never known about this for all the times I’ve looked and asked about this?? I can’t thank you enough, @da-schmoo!!


Da_Schmoo - I’m LMAO at how simple SConfig is. Never knew that even existed. Good to know.

As simple as that is, I’m likely to go with configuring Windows Updates with Group Policy on the server as suggested by thomaswildgruber. This method more closely matches the functionality I’m used to on Server 2012 R2.

Regarding WSUS, I appreciate the recommendation, but our network is really small and things like setting up a WSUS server, patch management software, etc. would be a little overkill. Also, I too was aware of Microsoft’s eventual deprecation of WSUS and would rather not deploy something I’ll eventually have to replace down the road.

For the 20+ PCs in the company, I use Group Policy and have Windows Update for Business configured to delay Quality Updates for 30 days after release to protect from bad updates. This configuration keeps the update process on the PCs pretty much self-managed.

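The OP's two remaining requirements, installing only on a weekend and being able to skip a problem update, are both exposed by the Windows Update Agent COM API that the old 2012 R2 control panel drove. The following is an added example (not code from the thread or from any poster) that lists what the download-and-notify policy has fetched, hides a chosen KB so the agent stops offering it, and installs the rest without rebooting. The COM interfaces and property names are Microsoft's; the weekend guard, the function names and the KB placeholder are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: the "download now, pick what to install on the
# weekend" workflow through the Windows Update Agent COM API. Run it in a local
# elevated session; the installer refuses to run over a remote (WinRM) session.
# Weekend guard, function names and the KB placeholder are illustrative assumptions.

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()

function Get-PendingUpdate {
    # Software updates that are neither installed nor hidden; Type='Software' keeps drivers out.
    $result = $Searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title      = $u.Title
            Severity   = $u.MsrcSeverity      # empty for non-security updates
            Downloaded = $u.IsDownloaded      # $true once the notify-only policy has fetched it
            Update     = $u
        }
    }
}

function Hide-ProblemUpdate {
    # Hiding is the agent's "skip this one": it stays hidden until you unhide it
    # or Microsoft expires the update.
    param([Parameter(Mandatory)][string[]]$Kb)
    foreach ($p in Get-PendingUpdate) {
        if ($p.Update.KBArticleIDs | Where-Object { "KB$_" -in $Kb }) {
            $p.Update.IsHidden = $true
            Write-Host "Hidden: $($p.Title)"
        }
    }
}

function Install-PendingUpdate {
    param([switch]$Force)   # bypass the weekend guard, e.g. on a test VM
    if (-not $Force -and (Get-Date).DayOfWeek -notin 'Saturday', 'Sunday') {
        throw 'Refusing to install on a weekday; overnight jobs may be running.'
    }
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($p in Get-PendingUpdate) {
        if ($p.Update.EulaAccepted -eq $false) { $p.Update.AcceptEula() }
        [void]$coll.Add($p.Update)
    }
    if ($coll.Count -eq 0) { return 'Nothing to install.' }

    # Download anything not yet fetched, then install; Install() never reboots on its own.
    $dl = $Session.CreateUpdateDownloader(); $dl.Updates = $coll; [void]$dl.Download()
    $inst = $Session.CreateUpdateInstaller(); $inst.Updates = $coll
    $r = $inst.Install()
    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
    for ($i = 0; $i -lt $coll.Count; $i++) {
        '{0,-4} {1}' -f $r.GetUpdateResult($i).ResultCode, $coll.Item($i).Title
    }
    if ($r.RebootRequired) { 'Reboot required - run Restart-Computer when the window allows.' }
}

Get-PendingUpdate | Format-Table KB, Severity, Downloaded, Title -AutoSize
# Hide-ProblemUpdate -Kb 'KBnnnnnnn'   # placeholder: substitute the problem update's KB number
# Install-PendingUpdate
```

Pair this with the AUOptions 3 (download and notify) policy: the agent keeps fetching patches on Patch Tuesday, `Get-PendingUpdate` shows them with `Downloaded = True`, and nothing installs until someone runs `Install-PendingUpdate` on a Saturday. Because the hide flag is stored by the agent on each machine, a hidden update is also not picked up by the Settings page or by SConfig option 6, so remember to unhide it once Microsoft ships a fixed build.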

@Action1 offers a free cloud-based patch management service for up to 100 endpoints, which is a purpose-built tool for patching Windows and third-party applications:

  • Windows updates and third-party application patching (web browsers, Adobe, Java, Cisco, etc)

  • Real-time patch compliance dashboard

  • Ability to selectively schedule updates using policies

  • Full control over the reboot process

  • Manually approve updates or automatically install based on update severity, and more.

  • Added bonus: web-based secure remote control (screen/mouse/keyboard).

Very simple to configure and use; it takes just minutes to get it up and running. It is really free for 100 endpoints, with no strings attached, and we don’t sell your data either. Some people say it is too good to be true, but it is true.