Server 2016 WSUS settings question

  • Question

  • So I've got a WSUS server set up on my 2016 server and it deals with 99% 2016 clients. I've run into the issue that my servers are automatically installing updates instead of only installing approved updates. Below are my current registry settings. I also work in tandem with another Windows Engineer and we've been trying to get WSUS working using the GPO. So when he makes changes in the WSUS GPO settings it overrides the registry settings.

    Am I missing something as to why my servers are auto updating? In my other environment I have 2008/2012 servers with practically identical registry settings and they have no issues automatically updating unless the patches are approved by me.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "AcceptTrustedPublisherCerts"=dword:00000001
    "BranchReadinessLevel"=dword:00000020
    "DeferFeatureUpdates"=dword:00000001
    "DeferFeatureUpdatesPeriodInDays"=dword:000000b4
    "DeferQualityUpdates"=dword:00000001
    "DeferQualityUpdatesPeriodInDays"=dword:00000000
    "DoNotConnectToWindowUpdateInternetLocations"=dword:00000000
    "WUServer"=xxxxxxxxx
    "WUStatusServer"=xxxxxxxxx

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "AlwaysAutoRebootAtScheduledTime"=dword:00000001
    "AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000000f
    "AUOptions"=dword:00000004
    "AutoInstallMinorUpdates"=dword:00000001
    "DetectionFrequency"=dword:00000012
    "DetectionFrequencyEnabled"=dword:00000001
    "NoAutoRebootWithLoggedOnUsers"=dword:00000000
    "NoAutoUpdate"=dword:00000000
    "ScheduledInstallDay"=dword:00000000
    "ScheduledInstallTime"=dword:00000004
    "UseWUServer"=dword:00000001

    Sunday, January 26, 2020 1:56 PM

All replies

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "AcceptTrustedPublisherCerts"=dword:00000001
    "BranchReadinessLevel"=dword:00000020
    "DeferFeatureUpdates"=dword:00000001
    "DeferFeatureUpdatesPeriodInDays"=dword:000000b4
    "DeferQualityUpdates"=dword:00000001
    "DeferQualityUpdatesPeriodInDays"=dword:00000000
    "DoNotConnectToWindowUpdateInternetLocations"=dword:00000000
    "WUServer"=xxxxxxxxx
    "WUStatusServer"=xxxxxxxxx

    Obviously, the relevant policies of Windows Update for Business have been configured, which will enable dual scan. When Dual Scan is enabled, the WU client scans WSUS and WU, but it only downloads Windows patches from Microsoft’s update servers (Windows Update), effectively ignoring updates on WSUS servers in the ‘Windows’ product family.
      

    Enabling the policy above wouldn’t have any effect in this scenario. To enable WSUS updates only, make sure that all Windows Update for Business options are set to Not Configured and that the Turn off access to all Windows Update features policy under System > Internet Communication Management > Internet Communication settings is Enabled.
       

    Hope the above can help you.
       

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 28, 2020 2:51 AM
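
The condition described in the reply above (WSUS configured while Windows Update for Business values are present) can be checked per server. This is an added example, not part of the original thread; the function names are hypothetical, and the `DisableWindowsUpdateAccess` value name for the "Turn off access to all Windows Update features" policy is an assumption.

```powershell
# Added example, not from the thread. Flags the Dual Scan condition:
# UseWUServer=1 while Windows Update for Business values exist in the policy key.
# The names below are the WUfB values that appear in the question's export.
$WufbValues = 'BranchReadinessLevel', 'DeferFeatureUpdates',
              'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdates',
              'DeferQualityUpdatesPeriodInDays'

function Get-PolicyValues {
    # Read one policy key into a hashtable; a missing key yields an empty table.
    param([string]$Path)
    $table = @{}
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) { $table[$name] = $item.GetValue($name) }
    }
    return $table
}

function Test-WsusDualScan {
    param([hashtable]$WindowsUpdate, [hashtable]$AU)
    $usesWsus = ($AU['UseWUServer'] -eq 1)
    # Presence is what matters: "Not Configured" means the value is absent,
    # so a deferral period of 0 days still counts as configured.
    $present = @($WufbValues | Where-Object { $WindowsUpdate.ContainsKey($_) })
    [pscustomobject]@{
        UsesWsus        = $usesWsus
        WufbValuesSet   = $present -join ', '
        DualScanLikely  = $usesWsus -and ($present.Count -gt 0)
        # Assumption: value written by "Turn off access to all Windows Update features".
        WuAccessBlocked = ($WindowsUpdate['DisableWindowsUpdateAccess'] -eq 1)
    }
}

# Offline run against the values posted in the question.
$posted = @{ BranchReadinessLevel = 0x20; DeferFeatureUpdates = 1
             DeferFeatureUpdatesPeriodInDays = 0xb4; DeferQualityUpdates = 1
             DeferQualityUpdatesPeriodInDays = 0 }
Test-WsusDualScan -WindowsUpdate $posted -AU @{ UseWUServer = 1 }

# Live run on the server being checked.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Test-WsusDualScan -WindowsUpdate (Get-PolicyValues $base) -AU (Get-PolicyValues "$base\AU")
```

Because the question notes that the GPO overrides hand-set registry values, run the live check after a policy refresh so it reflects what the GPO actually applied.
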
  • Enabling the policy above wouldn’t have any effect in this scenario. To enable WSUS updates only, make sure that all Windows Update for Business options are set to Not Configured and that the Turn off access to all Windows Update features policy under System > Internet Communication Management > Internet Communication settings is Enabled.

       


    Are the business option settings in the GPO? My engineer is only seeing something similar to this in the CIS controls.


    • Edited by jerm20201 Tuesday, January 28, 2020 4:07 PM
    Tuesday, January 28, 2020 4:03 PM
  • Are the business option settings in the GPO? My engineer is only seeing something similar to this in the CIS controls.

    Yes, the policy for Windows Update for Business at: "Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update \ Windows Update for Business \"
       

    Regards,
    Yic


    Wednesday, January 29, 2020 2:57 AM
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic


    Monday, February 3, 2020 2:19 AM
  • Currently still working on the issue.
    Tuesday, February 4, 2020 8:40 PM