JordanCN
(JordanCN)
July 13, 2025, 12:25pm
1
We have an environment that has multiple sites and several servers that need to be running 24x7. They are all hosted on Hyper-V hosts at each site. We have fluctuating times when we can shut down servers and perform quarterly maintenance so WE, not Microsoft, need to control when updates are applied to the servers.
Years ago we had our GPO set to download and let admins install, but then some MS update along the way enabled updates to auto-install anyway. Now our latest GPO had Windows Updates set to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update → Configure Automatic Updates = Disabled
This worked for the past year or more, but the week of July 4th we installed the 2025-06 cumulative update on all servers. On July 10th at 1:00 AM all of our servers installed the 2025-07 cumulative update, which shut down everything at every site for hours because the 2025-XX cumulative updates seem to take forever to run and they had to run on the VMs and the hosts. It was a nightmare.
I know some are going to want to respond that you should never disable automatic updates for security reasons, which I understand, but this is not the case. We just need to be able to regain control of when patches are applied to our servers, and if I need to totally disable the servers’ ability to update on their own then that is what I need to do. The only downtimes I have experienced in the past 5 years are due to untested Microsoft updates being crammed down my throat, so I need this to stop.
Some of the servers are running DNS, Azure Connect, etc., so restricting them from the Internet is not possible, and trying to block sites that cram Windows Updates down is like playing Whack-a-Mole. What is the latest way to prevent any Windows Server from being updated automatically?
13 Spice ups
Rod-IT
(Rod-IT)
July 13, 2025, 1:18pm
2
On the contrary, given how the world is at the moment, you want automatic patching on, by whatever method.
First of all, confirm dual scan is disabled, otherwise they will, on reboot, grab queued patches from MS and apply them.
But you can limit where they go and what ports are used.
For DNS, only allow port 53 out; outside of this, why would the server itself need internet access? For your AZ Connect box, I would see this as less important, but limit it again to only where it needs.
I wouldn’t rely on WSUS or WU alone, if you want control, I’d invest in a patch management solution to do this.
I have no idea how many you have or need to manage, but Vendors > Action1 is FREE for the first 200, so if your device count is less than 200, there are no fees.
All devices will need internet access, but the agent will disable WU completely and take over this.
It also includes management of 3rd party apps.
For your situation, I didn’t see any mention of WSUS, so can you confirm this is pure Windows Update directly?
3 Spice ups
TimJjr
(TimJr)
July 13, 2025, 2:13pm
3
JordanCN:
“…control of when patches are applied to our servers…”
We did ours manually*, whether it was once a week or once a month: researched each update & patch that that server wanted to install, and then manually installed them myself. For the larger ones I would give the Hyper-v clients more CPUs so it wouldn’t take forever, and then set them all back to their paid-for limit. It was all very manual, but the updates got done, on a regular basis, and there were no MS-induced downtimes: we controlled it.
If I remember correctly, we had set updates to download, but not install; this gave us the list of updates so we could research them and see if we actually needed or wanted them or not.
It’s like feeding your laundry into the washer one piece at a time: you can soak it, give it more soap, wring it out, hand rub it a bit, give each piece due diligence before dropping them down into the wash-bin that’s already filling and working. (Not a perfect analogy, but you see my meaning, I hope.)
This manual method is only going to work for “so many computers”; beyond that, you have to employ a tool or other delivery method: /Agreed. Something like what Rod mentioned above would be my first stop in researching a replacement to the fully automatic MS deployment.
*We had 1 host with 4 to 7 clients on it, depending on who we had with us at the time. Not a big workload, but it paid the bills!
3 Spice ups
spiceuser-6em4
(spiceuser-6em4)
July 13, 2025, 6:41pm
4
JordanCN,
I think that you are the victim of the broken 2025-06 update with the DHCP problem.
I have a corporate rule to install updates for DCs and important servers one to two weeks after Windows issues them, and all updates for DCs are approved manually.
You should have the possibility to update Windows Servers, but you should have one or two servers for testing updates before you approve them for the other servers. DCs should be at the end of the list.
3 Spice ups
blake-murphy
(blake-murphy)
July 14, 2025, 12:26am
5
I feel you… I have a few machines that are halted at different stages of Win10, even have a couple of 32-bit machines running.
I am scared of this upcoming change - manufacturer, we cannot afford downtime & ‘please wait while we faff around restarting & don’t actually do anything’
The truly critical machines I lock down & use offline updaters to install critical updates, which will all change when I get them September Ready (anyone else hearing Pavlov’s dog?).
I have already noticed that those machines that are up to date no longer have the ability to edit group policy etc. I am genuinely scared about the uncontrollable updates environment ~~It’s ALIVE!!~~
Honestly, at this rate, the world will NEVER stop using embedded XP systems. We have already reverted some critical services to Linux based devices, with more planned.
4 Spice ups
JordanCN
(JordanCN)
July 14, 2025, 2:02pm
6
Thanks Rod,
But I would have to say, given the way the world is, it makes me much less likely to want to trust Microsoft or any company with pushing updates that I have not vetted myself. The only downtime or disruptions I have faced in the past 5 years have been due to Microsoft or some other vendor-forced updates. I am sure everyone here could give you a list.
Most of the actions you suggest are in place such as limiting access, 3rd party patching solutions, etc. But even when I try to limit where clients go, Microsoft has put in back doors to circumvent security measures.
5 Spice ups
Jay-Updegrove
(Jay-Updegrove)
July 14, 2025, 2:08pm
7
Computers here are set to pull from Microsoft Update for Business via Intune. Servers are set via WSUS to pull but not install (GPO). Once a month (usually Friday after Patch Tuesday) I will log in to WSUS, confirm the updates that MS has suggested (due diligence is important; make sure no one is reporting server-bricking). Then, Friday afternoon, updates will be installed and restarts scheduled for around 8pm that night. I’ll log in and monitor, verify the servers reboot, check for critical services post-reboot, then call it a day.
3 Spice ups
Rod-IT
(Rod-IT)
July 14, 2025, 2:20pm
8
JordanCN:
But I would have to say, given the way the world is, it makes me much less likely to want to trust Microsoft or any company with pushing updates that I have not vetted myself.
Nothing stops you vetting them; your policies can be different for different devices, even with WSUS or WU.
JordanCN:
Microsoft has put in back doors to circumvent security measures.
Not sure how anyone can help if you are saying updates are forced, even if you decide not to apply them.
Best of luck.
3 Spice ups
jasonfagan
(jasonfagan)
July 14, 2025, 2:56pm
9
Hey Jordan, just thought I’d chime in with what I do. It works for me but it may not fit your situation. It also took some time to build out…
So I have all my Production VMs and Physical Host Servers in separate address groups in my main firewall. I have rules built for each service that needs to go out, which was built by making a ‘DENY ALL ANY ALWAYS’ one VM at a time, then looking at the logs to see what actually needed to go out, and then building a policy to allow each thing, with a DENY all below. They only talk to the few things that the applications running on them actually need, and only on certain ports. We are, of course, allowing EDR and SIEM.
How that looks is:
VM1 can talk to A on port 1
VM2 can talk to C on port 2
VM3 can talk to E on port 3
Host1 can talk to G on port 4
Host2 can talk to I on port 5
Host3 can talk to K on port 6
Production VMs Group can talk to EDR
Production VMs Group can talk to SIEM
Physical Host Servers Group can talk to EDR
Physical Host Servers Group can talk to SIEM
Production VMs Group DENY ALL ANY ALWAYS
Physical Host Servers Group DENY ALL ANY ALWAYS
Like I said, it took a while. I just picked out one VM and restricted it, figured each thing out, got it working, then DENY all after, then moved on to the next machine. Once they were all done one by one, I cleaned up the policies and grouped everything.
We use WSUS and it works perfectly fine for me, and they get no updates from anywhere else. We are aware of dual scan and are configured to prevent it. : )
Maybe this will help someone, or maybe this is so commonsense everyone is like “duh we’d do that if we could but it won’t work because of X”
4 Spice ups
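Jason’s build-out, transposed to the Windows Defender Firewall on the server itself as an added example (this is not his configuration, which lives on the perimeter firewall): log what the machine sends, allow only that, then flip the default outbound action to Block. The rule group name, addresses and ports are placeholders, and the log-tally function reads the standard pfirewall.log format.

```powershell
# Added example, not from the thread. Placeholders: $group, every address
# and port in $allow. Run elevated; review Get-DroppedEgress output before
# calling Set-DenyAllOutbound, and remember that a DC or DNS server needs
# far more than this list (replication, Kerberos, LDAP, time, forwarders).

$group = 'Egress allowlist (example)'   # placeholder group name

# Step 1: log dropped packets so the deny-all phase produces the evidence
# Jason read in his firewall logs.
function Enable-DropLogging {
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 32767
}

# Step 2: one allow rule per destination, like "VM1 can talk to A on port 1",
# plus the EDR, SIEM and WSUS reachability the post keeps open for every group.
$allow = @(
    @{ Name = 'App dependency A'; Remote = '10.0.10.5';  Port = 1433; Proto = 'TCP' }  # placeholder
    @{ Name = 'EDR console';      Remote = '10.0.20.10'; Port = 443;  Proto = 'TCP' }  # placeholder
    @{ Name = 'SIEM collector';   Remote = '10.0.20.11'; Port = 514;  Proto = 'UDP' }  # placeholder
    @{ Name = 'WSUS server';      Remote = '10.0.30.7';  Port = 8530; Proto = 'TCP' }  # placeholder
    @{ Name = 'Internal DNS';     Remote = '10.0.0.2';   Port = 53;   Proto = 'UDP' }  # placeholder
)

function New-EgressAllowRules {
    foreach ($r in $allow) {
        $display = "Allow out: $($r.Name)"
        # Idempotent: skip rules that already exist so reruns do not duplicate them.
        if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $display -Group $group -Direction Outbound `
                -Action Allow -Protocol $r.Proto -RemoteAddress $r.Remote `
                -RemotePort $r.Port -Profile Any | Out-Null
        }
    }
}

# Step 3 (the "deny all below"): only after the drop log shows nothing
# legitimate being blocked. Outbound default becomes Block on all profiles.
function Set-DenyAllOutbound {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

# Tally outbound drops from pfirewall.log by protocol, destination and port.
# Log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-DroppedEgress {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content -Path $LogPath |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |   # skip header lines
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Protocol = $f[3]; Destination = $f[5]; Port = $f[7] }
            }
        } |
        Group-Object Protocol, Destination, Port |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Summary of what the group currently allows, for the clean-up pass.
function Get-EgressRuleSummary {
    Get-NetFirewallRule -Group $group | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
            Enabled       = $_.Enabled
        }
    }
}

Enable-DropLogging
New-EgressAllowRules
Get-EgressRuleSummary | Format-Table -AutoSize
# Get-DroppedEgress | Format-Table -AutoSize   # run after some normal operation
# Set-DenyAllOutbound                          # only once the drop list is clean
```

The two commented-out calls are the gating steps: the drop tally is what tells you which allow entries are still missing before the outbound default is switched to Block.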
Dennis5204
(Dennis5204)
July 14, 2025, 2:59pm
10
Have you updated the ADMX files on the domain controllers recently, or ever? Two months ago, I updated the ADMX files for Win11, and the last time I had done anything with the ADMX files was in 2019. I had been running into servers & laptops ignoring the domain policies for years, and the last two Patch Tuesday cycles were significantly better, going from maybe 50% responding correctly to 90+% this month. I also had an additional Group Policy change with that ADMX update a couple months ago, so there might be coincidence instead of correlation, but the Group Policy was for a limited software installation that was not part of the OU the servers are in.
2 Spice ups
Dennis5204
(Dennis5204)
July 14, 2025, 4:22pm
11
I was going through my notes and there’s actually one additional change I made specifically to the Server 2016 servers in late May, so I wasn’t thinking about June. I enabled the local policy of “Always automatically restart at the scheduled time” in Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update. It is enabled now with a time value of 15 minutes, and the Server 2016 scheduled reboots were a lot of my problem, but not all of it.
2 Spice ups
JordanCN
(JordanCN)
July 14, 2025, 10:22pm
12
Thanks, but actually the point is I am not being allowed to vet them. As of July 4th, I was 100% patched with all Windows Updates, and less than 1 week later, this happened.
I had not changed my policy and there were no other updates waiting because I ran the check 2 times each server after patching to ensure there was nothing else waiting.
Main point is still, forced updates cause downtime at unpredictable times. I can’t think of a single company that finds it acceptable to have unpredictable outages just to apply an update.
2 Spice ups
Rod-IT
(Rod-IT)
July 14, 2025, 10:27pm
13
JordanCN:
Main point is still, forced updates cause downtime at unpredictable times.
I agree, and my point is, if they’re being forced, how can we help solve that?
Perhaps a little outside the box thinking. Instead of granting your servers full internet access, or even restrictive internet access, cut it off where you can, until you know your patching cycle is ready.
For example, if you patch every Sunday, disable internet access for your systems until Sunday, that way, when you enable it, any patches that are forced, will still be visible to you. But you choose to install them on Sunday only.
Most firewalls have schedulers for rules.
3 Spice ups
Rod-IT
(Rod-IT)
July 14, 2025, 10:32pm
14
Please check these settings, especially if you are hybrid.
Windows Update for Business (WUfB) policies taking precedence
Feature and quality updates being pushed via cloud-based policies
“Update Stack Packages” and “Experience Packs” installing silently
Azure-connected services (like Azure Arc or Defender) potentially triggering updates
2 Spice ups
adrian_ych
(adrian_ych)
July 15, 2025, 3:52am
15
JordanCN:
Years ago we had our GPO set to download and let admins install, but then some MS update along the way enabled updates to auto-install anyway. Now our latest GPO had Windows Updates set to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update → Configure Automatic Updates = Disabled
But I thought that some of the GPOs were obsolete, as Server 2016 or later (much like Win10 or Win11) have some options removed? So now it’s like either download & install or do not download at all?
Then normally updates should be installed on test or UAT or Dev servers before installing on their production counterparts. In some cases, we would also use VM snapshots before installing updates just in case.
One main reason why we moved off server 20xx with hyper-v role (since server 2012) was Windows Updates on hosts.
JordanCN:
What is the latest way to prevent any Windows Server from being updated automatically?
Maybe disabling the Windows Update Services?
1 Spice up
naveenkatikam
(naveenkatikam)
July 15, 2025, 5:00am
16
If you want to really disable Windows Update, create a GPO and stop the services “Windows Update” and “Windows Modules Installer” in Computer Configuration > Policies > Windows Settings > Security Settings > System Services
1 Spice up
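An added audit script, not from the thread, that checks on one server the controls the posts above keep coming back to: the policy registry values behind “Configure Automatic Updates”, dual scan and the scheduled-restart policy, whether any MDM (WUfB) update policy is present, the state of the two services named in the post just above, and the update level the agent itself reports. The baseline values are illustrative (Jay’s WSUS download-but-do-not-install setup); change them to match your own GPO.

```powershell
# Added example, not from the thread. Run elevated on the server being
# checked. The $baseline entries are assumptions that mirror a WSUS
# "download but do not install" policy; for the OP's "Configure Automatic
# Updates = Disabled" GPO, expect NoAutoUpdate = 1 instead.

$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Update policy delivered by an MDM (Intune / WUfB) is written under
# PolicyManager. On a server meant to be WSUS-only, anything here is a lead.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value not set by policy
    return $item.$Name
}

$baseline = @(
    @{ Key = $auKey; Name = 'NoAutoUpdate';    Expected = 0; Meaning = '1 = automatic updates disabled by policy' }
    @{ Key = $auKey; Name = 'AUOptions';       Expected = 3; Meaning = '3 = auto download, notify before install' }
    @{ Key = $auKey; Name = 'UseWUServer';     Expected = 1; Meaning = '1 = use the WSUS server named in WUServer' }
    @{ Key = $wuKey; Name = 'DisableDualScan'; Expected = 1; Meaning = '1 = do not also scan Windows Update online' }
    @{ Key = $auKey; Name = 'AlwaysAutoRebootAtScheduledTime'; Expected = 0; Meaning = '1 = force the restart at the scheduled time' }
)

# Compare each policy value with the baseline; a missing value counts as drift.
function Get-UpdatePolicyDrift {
    foreach ($b in $baseline) {
        $actual = Get-PolicyValue -Key $b.Key -Name $b.Name
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Setting  = $b.Name
            Expected = $b.Expected
            Actual   = $shown
            Drift    = ($actual -ne $b.Expected)
            Meaning  = $b.Meaning
        }
    }
}

# wuauserv = "Windows Update", TrustedInstaller = "Windows Modules Installer".
function Get-UpdateServiceState {
    Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='wuauserv' OR Name='TrustedInstaller'" |
        Select-Object Name, DisplayName, StartMode, State
}

# What the update agent itself reports: NotificationLevel 1 = disabled,
# 2 = notify before download, 3 = notify before install, 4 = scheduled
# install. ReadOnly is true when the level is being dictated by policy.
function Get-EffectiveAutoUpdate {
    $s = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    [pscustomobject]@{ NotificationLevel = $s.NotificationLevel; SetByPolicy = $s.ReadOnly }
}

'== Policy registry values vs baseline =='
Get-UpdatePolicyDrift | Format-Table -AutoSize
"== WSUS target (WUServer): $(Get-PolicyValue -Key $wuKey -Name 'WUServer')"
"== MDM update policy present: $(Test-Path -Path $mdmKey)"
'== Update services =='
Get-UpdateServiceState | Format-Table -AutoSize
'== Effective automatic-update level =='
Get-EffectiveAutoUpdate | Format-List
```

A server that shows no drift in the registry but a NotificationLevel of 4 with SetByPolicy true, or a present MDM key, is being steered by something other than the GPO you are looking at, which is the situation the hybrid checklist above describes.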
adrian_ych
(adrian_ych)
July 15, 2025, 5:32am
17
I think OP just wants to manually update instead of automatically updating and then the server rebooting by itself?
In the previous OSes, there is this option to either do not update, or download but do not install…
1 Spice up
molan
(molan)
July 15, 2025, 3:55pm
18
JordanCN:
it makes me much less likely to want to trust Microsoft or any company with pushing updates that I have not vetted myself.
This is simply unrealistic. There is no way to truly do this, and you are always trusting the vendor (and 100 others). The published vulnerabilities you are running are a much higher risk than any occasional (non-malicious and recoverable) mistakes that may occur due to updates. You are better off explaining a couple-hour outage that wasn’t malicious vs explaining why you haven’t patched for 3-6 months and are down with something like ransomware.
A more realistic approach would be to delay installs so you are only applying patches that are 7-14 days old, taking advantage of herd immunity, for lack of a better word, against mistakes.
You can mitigate update risks; you can’t mitigate risks from running published CVEs.
@Action1 suggested by @Rod-IT already would be a good option as it will allow you to control your patching and update schedules which sounds like your biggest challenge.
2 Spice ups
Jay-Updegrove
(Jay-Updegrove)
July 15, 2025, 3:57pm
19
Agreed, the last time you could see EVERY update Windows was pushing was back in XP when each patch was a line item/check box instead of a packaged rollup/cumulative update.
1 Spice up
adrian_ych
(adrian_ych)
July 16, 2025, 9:01am
20
heehee… last time we had SP1, SP2, SP3, SP4 etc… but at least not “MONTHLY”?
1 Spice up