Need to control Windows update installation on domain-joined PCs with Windows Server 2012 R2 Essentials domain controller via Group Policy


  • I'm posting here for the first time as I have an issue that is a bit elemental but surprisingly hard to solve.

    I have many clients that were affected by the recent botched security update KB4041676:

    After we had a very stressful week rebuilding PCs for angry clients, we decided to try and put a delay on update installations (3 days for security, 1 month for feature) on those clients' PCs that were domain-joined via Group Policy. I found an article that outlined how this was possible for Windows 10 PCs:

    This GPO is not available, however, for the first client we have tried to do this for, who are using a server running WS 2012 R2 Essentials. There is a GPO for 'configure automatic updates', but the settings available are not good enough. There is no option to define a delay on download as well as installation, while keeping both automatic. If the download isn't delayed then a bad update could still be pulled down.

    I am aware of WSUS but don't want to use it because it is much more than I need and requires manual updating to make sure it covers new versions of Windows or any other MS product. My need should be met by a simple GP, but for the life of me I can't see how to do this. I have fully updated the server via Windows Update, and installed this thing, assuming that MS OS designers are idiots and GPOs are not rolled out via normal Windows Updates:

    Still no 'defer upgrades and updates' GPO though. I know I must be missing something, but it's not easy for me to find out what. Any ideas, anyone?

    Saturday, November 11, 2017 6:16 AM

All replies