I’ve seen a few questions and discussions on this topic but nothing that specifically answers my burning question. How are other admins dealing with this BS? I built a 2019 VM template so I could start upgrades from 2012 R2 and immediately hit a brick wall when I went to run updates on the server. I never thought server updates would be treated like a Windows 10 desktop but there it was. Here’s a mystery blob of updates and you can pick a window where your server is going to reboot.

Am I missing something? I really don’t want to disable updates and have to manually download and install every month. I thought about building a WSUS server to control the updates. We’re not a very big company so the cool tools like SCCM are not an option for us. What’s everyone doing?

I forgot to add - I did not see a way to remove an individual update either. Is that not possible anymore?


Microsoft hasn’t had individual updates for a long time. You don’t even get them on 2012 R2 anymore…just a big cumulative update for the OS, and maybe separate .NET and such.

So yes, Microsoft treats desktop OS and server OS basically the same.

I use WSUS, but I automatically approve categories of updates. Even back in the day of individual updates I didn’t approve them automatically. My less critical servers that could afford to get borked would get a daily patch window. Regular servers automatically patch on the weekend. Some require manual intervention to apply. I control the time window and other settings via GPO. You can do this even without WSUS.

WSUS is a must if you want control over your environment.

Use WAM to automate the maintenance of WSUS and keep it working in tip top shape.

Yeah, patches have been bundled into rollups for a long time and while I still prefer seeing them individually, it did get a lot easier (and more stable with 2012) doing the cumulative updates. I found that I didn’t need a WSUS server anymore because I only have about 30-40 servers and I could download/install/pick and choose on my schedule. That doesn’t seem to be the case anymore.

Thanks Adam, that looks like a helpful guide.

Kevinmhsieh that’s how I normally do things. Less critical servers get patched first then critical ones only go when the others made it ok. Which do you think is easier to manage / saves time long term? GPO or WSUS? And, if you do GPO only, are you able to go into Update & Security and still download/install patches on your own schedule (like for critical server) or does it block updates all together where you have to go fetch them manually?

GPO sets the schedule, not WSUS. I have WSUS mainly for reporting purposes. GPO and WSUS do different things.

You save time by using GPO to automatically install updates. This happens automatically in my environment.

Where administrative time is required is for any machine that doesn’t automatically install updates and reboot. Other thing that takes time is remediation of systems that failed to properly install all updates.

I want to make sure I have a clear understanding of how the updates will work for the 2019 servers. If you set a GPO, can you block the automatic installs/reboots but still be able to go in and manually click the “update” button when you’re ready and it will download/install whatever is missing?
I am almost done setting up the WSUS server on 2019 and realized I needed policies for 2019 servers so figured I would use the same server for creating those. Then started wondering… do I need to split off the 2019 servers into their own OU and keep the 2012 R2 ones where they are?

@kevinhsieh

You can use the same policies for 2012 and 2019 servers. They apply the same way.

I will quote you the help information from the group policy editor regarding the possible settings at Computer Configuration, Administrative Templates, Windows Components, Windows Update, Configure Automatic Updates. It should answer your questions about the behavior.

===begin quote===

Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.

Note: This policy does not apply to Windows RT.

This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:

2 = Notify before downloading and installing any updates.

When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.

3 = (Default setting) Download the updates automatically and notify when they are ready to be installed

Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Windows Update, users can install them.

4 = Automatically download updates and install them on the schedule specified below.

Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

On Windows 8 and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer is not in use, and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.

Automatic maintenance can be further configured by using Group Policy settings here: Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler

5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates.

With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.

If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

===end quote===
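The quoted help text maps directly onto a handful of registry values that the “Configure Automatic Updates” and “Specify intranet Microsoft update service location” policies write on every client. The following PowerShell is an added example, not code from the thread or from Microsoft: one function reads those values on a member server and says in plain words what will happen (will it install and reboot on its own, or just download and wait for someone to click Install), and the other writes the same values into a named domain GPO with the GroupPolicy RSAT module. The GPO names, the WSUS URL and the target-group names in the usage lines are assumptions.

```powershell
# Added example, not from the thread. Helpers for the "Configure Automatic Updates" behaviour
# described in the quoted help text. GPO names, WSUS URL and target groups below are assumed.

# Where the policy lands on each client (PowerShell drive syntax, used for reading locally).
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Meaning of each AUOptions value, per the quoted help text.
$AuOptionText = @{
    2 = 'notify before download; nothing installs or reboots until someone clicks Install'
    3 = 'auto download, notify before install; nothing installs or reboots on its own'
    4 = 'auto download and install on the schedule; reboots automatically if needed'
    5 = 'local admins pick the mode themselves'
}

function Get-WUPolicyReport {
    # Reports what this server will actually do, read from the applied policy keys.
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    if (-not $au -or $null -eq $au.NoAutoUpdate) {
        return 'Not Configured at policy level: whatever is set in Settings/Control Panel applies.'
    }
    if ($au.NoAutoUpdate -eq 1) {
        return 'Policy is Disabled: nothing is fetched automatically; updates must be installed by hand.'
    }
    $mode  = [int]$au.AUOptions
    $lines = @("AUOptions=$mode : $($AuOptionText[$mode])")
    if ($mode -eq 4) {
        # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday; time defaults to 03:00.
        $day  = if ($au.ScheduledInstallDay -eq 0) { 'every day' } else { [DayOfWeek]($au.ScheduledInstallDay - 1) }
        $hour = if ($null -eq $au.ScheduledInstallTime) { 3 } else { $au.ScheduledInstallTime }
        $lines += "Install window: $day at ${hour}:00"
        $lines += 'Auto-reboot with a user signed in: ' + $(if ($au.NoAutoRebootWithLoggedOnUsers -eq 1) { 'suppressed' } else { 'allowed' })
    }
    if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
        $lines += "Update source: WSUS at $($wu.WUServer) (target group: $($wu.TargetGroup))"
    } else {
        $lines += 'Update source: Microsoft Update directly'
    }
    return $lines -join "`n"
}

function Set-WUPolicyOnGpo {
    # Writes the same values into a domain GPO (needs the GroupPolicy RSAT module and edit rights
    # on the GPO). Link the GPO to the OU holding the servers; 2012 R2 and 2019 read it identically.
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet(2, 3, 4, 5)] [int] $AUOptions = 4,
        [ValidateRange(0, 7)]    [int] $InstallDay = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)]   [int] $InstallHour = 3,
        [string] $WsusUrl,                                 # e.g. http://wsus01:8530 (assumed host name)
        [string] $TargetGroup,                             # WSUS client-side targeting group
        [switch] $NoAutoRebootWithLoggedOnUsers
    )
    Import-Module GroupPolicy
    $au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'   # Set-GPRegistryValue wants this form
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName NoAutoUpdate -Type DWord -Value 0
    $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName AUOptions    -Type DWord -Value $AUOptions
    if ($AUOptions -eq 4) {
        $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName ScheduledInstallDay  -Type DWord -Value $InstallDay
        $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName ScheduledInstallTime -Type DWord -Value $InstallHour
    }
    if ($NoAutoRebootWithLoggedOnUsers) {
        $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1
    }
    if ($WsusUrl) {
        $null = Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName WUServer       -Type String -Value $WsusUrl
        $null = Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName WUStatusServer -Type String -Value $WsusUrl
        $null = Set-GPRegistryValue -Name $GpoName -Key $au -ValueName UseWUServer    -Type DWord  -Value 1
    }
    if ($TargetGroup) {
        $null = Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName TargetGroupEnabled -Type DWord  -Value 1
        $null = Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName TargetGroup        -Type String -Value $TargetGroup
    }
}

# Usage (all names assumed): a Saturday 03:00 window for servers that may reboot unattended,
# and "download, then wait for me" for the critical ones.
# Set-WUPolicyOnGpo -GpoName 'WU - Standard servers' -AUOptions 4 -InstallDay 7 -InstallHour 3 `
#     -WsusUrl 'http://wsus01:8530' -TargetGroup 'Standard' -NoAutoRebootWithLoggedOnUsers
# Set-WUPolicyOnGpo -GpoName 'WU - Critical servers' -AUOptions 3 -WsusUrl 'http://wsus01:8530' -TargetGroup 'Critical'
# Get-WUPolicyReport   # on a member server, after gpupdate /force
```

Two points worth checking after you run it: with AUOptions 3 the Install button in Settings stays usable, so a critical server can be patched by hand in whatever window you choose, while nothing installs or reboots until you click; and with AUOptions 4 the reboot is only suppressed by NoAutoRebootWithLoggedOnUsers while someone is actually signed in, so an unattended server will still restart at the end of its window.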

Do I understand correctly that you are looking for a way to manage the update process on Windows Server 2019?
Why don’t you use a third-party solution to manage updates?

Our free cloud-based product Action1 will help to automate the Windows update management process across all your computers and servers in a few clicks.
Using the following command, running as administrator, you can remove the specific update (e.g. KB 4100347):
wusa.exe /uninstall /kb:4100347
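A small wrapper around that wusa.exe command, added here as an example and not part of the post above: it confirms the KB is actually present before trying to remove it, runs wusa quietly, and turns the exit code into something readable. The KB number in the usage line is the one from the post; the function name and behaviour are my own.

```powershell
# Added example, not from the thread. Removes one installed update by KB number via wusa.exe.
function Remove-InstalledUpdate {
    param(
        [Parameter(Mandatory)] [int] $Kb,
        [switch] $NoRestart          # pass /norestart so you control when the box reboots
    )
    # Get-HotFix (Win32_QuickFixEngineering) lists what the servicing stack has installed.
    $installed = Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue
    if (-not $installed) { return "KB$Kb is not listed in Get-HotFix; nothing to remove." }

    $wusaArgs = @('/uninstall', "/kb:$Kb", '/quiet')
    if ($NoRestart) { $wusaArgs += '/norestart' }
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList $wusaArgs -Wait -PassThru

    switch ($p.ExitCode) {
        0       { "KB$Kb removed." }
        3010    { "KB$Kb removed; a restart is required to finish." }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { "wusa exited with $($p.ExitCode) (0x{0:X8}); check Event Viewer > Setup log." -f $p.ExitCode }
    }
}

# Remove-InstalledUpdate -Kb 4100347 -NoRestart
```

Because Server 2019 ships almost every fix inside the monthly cumulative update, uninstalling that one KB backs out everything in it, and the next scan will offer the same package again unless it is declined on WSUS (or the policy is set so nothing installs without a click).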

Looks like your free version only supports up to 10 servers and we have more than that. It’s complicated; but we have an MSP that uses Kaseya and while it does other stuff fairly well, I don’t like the way it does server patching and prefer better control over how, what, when, why patches go onto servers. I have no say-so in the software the MSP is using and do not have admin rights on Kaseya. So, not likely the company is going to fork out money for something they consider a “duplication”.