Controlling Windows Update

  • Question

  • I have installed my first Windows 2016 servers, and Windows Update looks to be radically different out of the box.

    In every previous version of Windows for at least the past 13 years, I open Control Panel and click Windows Update.  It listed all available updates and I checked only those I actually wanted to install.  I also manually kicked off the install when I wanted it to run.

    Windows Update does not appear in the Control Panel in Windows Server 2016.  I went into Settings|Update & Security.  So far, I have applied updates to one server, and I appeared to have no ability to select which updates to install; rather, it installed every update that it identified.  

    This behavior is unacceptable on a server.  I need the ability to select which updates to install and to manually control when to install them.  This will be especially true when I install Exchange and will want to be able to search for Exchange patches as well.  I certainly will want to control which patches to install and when to restart.

     I do all Windows and Exchange updates manually; I do not use WSUS for these servers.

    How do I configure Windows 2016 to allow me to manually select which updates to actually install and when to install them?

    Thank you very much for your help.

    Friday, February 10, 2017 5:56 PM

All replies

  • Updates are no longer a pick-and-choose. They are simply cumulative packages.

    https://support.microsoft.com/en-us/help/4000825/windows-10-and-windows-server-2016-update-history

    You can set this one to disabled. Then updating Windows will be a manual process.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Dave PatrickMVP Thursday, February 16, 2017 2:47 AM
    • Marked as answer by Logan Burt Friday, February 17, 2017 4:12 PM
    Friday, February 10, 2017 6:17 PM
  • Thank you for your response.

    I set "Configure Automatic Updates" to disabled and restarted the server.  I opened Windows Update in the Settings app and searched for updates.  It discovered available updates, immediately downloaded all 4 of them, and then immediately started installing them.

    How do I set it to search for updates but then only list the updates but NOT install them until I take some action manually to initiate the installation?  I want to know what it proposes to install but not actually install it until I want it to.

    Also, I understand about cumulative updates, but that wasn't what I was trying to describe.  My Windows 2016 installations are discovering 4 updates, including one cumulative update.  They are discovering Update for Windows Server 2016 for x64-based Systems (KB3211320), Windows Malicious Software Removal Tool for Windows 8, 8.1, 10 and Windows Server 2012, 2012 R2, 2016 x64 Edition - January 2017 (KB890830), Windows Malicious Software Removal Tool for Windows Insider Preview and Server Technical Preview x64 - January 2017 (KB890830), and Cumulative Update for Windows Server 2016 for x64-based Systems (KB3213986).

    How would I, for example, install the cumulative update KB2313986 and the update KB3211320 but not install the two Malicious Software Removal Tools?  

    Thank you very much for your help with this.

    Friday, February 10, 2017 7:23 PM
  • You may not have much control (outside of skip drivers) of updates direct from the Windows Update site. In your case I'd suggest installing Windows Server Update Services (WSUS) somewhere on your network. This way updates to WSUS clients are not offered until you approve them. So you could, in your example, approve KB2313986, KB3211320 and skip the others assuming there's no dependency.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    • Edited by Dave PatrickMVP Friday, February 10, 2017 9:49 PM
    • Marked as answer by Logan Burt Friday, February 17, 2017 4:11 PM
    Friday, February 10, 2017 7:37 PM
  • Hi Logan Burt,

    Yeah, on Server 2016, the behavior of Windows Update has changed in several aspects. By default, Windows Update will detect and install updates automatically. As far as I'm concerned, this design is mainly used to keep the server up to date and not miss updates. (But I also understand your concerns about it.)

    As a workaround, if you want to control it, you may set the network to be metered:

    As for the "Restart" behavior, we may control it via "Active hours"; after configuring it, the machine won't restart during active hours.

    What's more, we may also schedule the "Restart Time" via "Restart Option", which can override the active hours.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 14, 2017 7:20 AM
    Moderator
  • Hi Logan Burt,

    Could the above reply be of help? If yes, you may mark the useful reply as answer. If you have other questions, you are welcome to give feedback.

    Best Regards,

    Anne



    • Marked as answer by Logan Burt Friday, February 17, 2017 4:11 PM
    Thursday, February 16, 2017 2:04 AM
    Moderator
  • Thank you both very much for your replies.  My apologies for such a delay in replying, but I've been mired in an application installation (ergo the questions about Windows 2016 updates) for the past few days.

    So far I have installed 4 Windows 2016 servers and have set "Configure Automatic Updates" to disabled in the local group policy on each of them.  Also, running SCONFIG on each of them shows Windows Update Settings set to Manual.  I believe that both of these protect me from the server installing updates and restarting on its own.  Is that correct?

    Though I strongly disagree with the change in Windows update to not allow me to select which updates to install, thank you for informing me that this is by design (very flawed design, IMHO).

    One further concern I still have is that even though it is set for manual updates, when I do check for updates, it not only checks for updates but also downloads and installs them with no further prompting.  

    How do I view the updates it finds without having it proceed with their installation?  I understand that I can't select individual updates, but I want to determine when all the updates are installed after I search for them.

    Thank you again for your help; it is very much appreciated.  

    Friday, February 17, 2017 3:44 PM
  • How do I view the updates it finds without having it proceed with their installation?  I understand that I can't select individual updates, but I want to determine when all the updates are installed after I search for them.

    You can always take a look here to see what's currently available.

    https://support.microsoft.com/en-us/help/4000825/windows-10-and-windows-server-2016-update-history


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Friday, February 17, 2017 3:53 PM
  • Thank you for the link.  At least it's one way to check this, though I will miss the convenience of letting Windows check without it doing anything but checking.  Microsoft really bungled this one.

    Thank you both again for your help.

    Regards,

    Logan Burt

    Friday, February 17, 2017 4:11 PM
  • I will miss the convenience of letting Windows check without it doing anything but checking.  Microsoft really bungled this one.

    I'd definitely provide this feedback here on Windows Server UserVoice.

    https://windowsserver.uservoice.com/forums/304618-installation-and-patching


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Friday, February 17, 2017 4:18 PM
  • See this blog, which explains the servicing changes for Win2016; it explains the changes and the reasons why:

    https://blogs.technet.microsoft.com/mu/2016/10/25/patching-with-windows-server-2016/

    Thanks!
    Elden

    Saturday, February 18, 2017 3:23 PM
    Owner
  • Does it explain why your garbage OS shows three different settings for the same thing?

    Settings > Update shows as automatic
    Server Manager shows as Install Updates Automatically
    SCONFIG shows as manual.

    2018. Two years after release. Still a bugged mess. How is this even possible? Absolute garbage.

    Tuesday, April 24, 2018 5:45 AM
  • This mess with Windows Update on Server 2016 is just unacceptable.  Mind-bogglingly stupid actually.

    I had to make a call this week on new infrastructure for my employer.  Purely because of this issue with Windows Update patching, we are going with Windows Server 2012 R2 and we won't consider ANY new Microsoft Windows Server version until Microsoft restore the functionality that they took away from Windows Update.

    On a server by server basis, we need to make decisions on whether or not to allow individual patches/updates to be installed.  In a typical scenario, this would be because of things like .NET version compatibility (or rather, incompatibility) with applications such as SharePoint, Exchange, Skype For Business and line-of-business applications.

    We want to be able to approve patches in WSUS generally, but then ignore or just delay those on a particular server on a case-by-case basis, according to the needs of various applications.  We used to be able to run Windows Update, see the list of patches for that server, then de-select any that we didn't want at that time.

    We also need to schedule restarts at particular times that suit our business needs and not at a time that the server just decides for itself in a particular "window".  In the past we have achieved this by using a Scheduled Task to perform the reboot at the desired time, so we'd install the patches we needed and let the reboot occur when the task kicks in at our preferred time.

    There are a few years left for Microsoft to sort this out and return control back to systems administrators to decide how we want our environment to be run.  In the absence of that, we're likely to abandon MS and go looking in the murky world of Linux instead.


    • Edited by 0499FROSTY Tuesday, May 8, 2018 10:39 PM
    Tuesday, May 8, 2018 10:37 PM
  • AGREED.  Fix this MS.
    Friday, August 3, 2018 4:41 PM
  • Running Windows updates leaves me with a non working production environment (running Microsoft BizTalk 2016). No error in the Windows Event Log and BizTalk reports the error description "Error unknown".

    Good job Microsoft! You create a solution where you really want everybody to have updated environments with the result that no one will update anything. I can't think of a word harsh enough to say what I think about this.
    Thursday, August 9, 2018 12:04 PM
  • Hi,

    Create two GPOs.

    One that stops and disables the Windows Update service and Windows Module Installer.

    Another one that enables Windows Update as automatic and starts it and enables Windows Module Installer as manual.

    Move your server from one to another at your own will.




    • Edited by lolix2 Friday, December 21, 2018 2:17 PM
    Friday, December 21, 2018 2:15 PM
  • Totally agree. Losing granular control of updates in a server product is unforgivable. What a complete and total mess. Why even have a 'check for updates' button if all it's going to do is download and install whatever it finds? Pointless. I am losing all faith in Windows Server. Everything since Windows 2008 R2 has been a step backwards, with Server 2016 falling off a cliff.
    Tuesday, January 29, 2019 4:02 PM
  • For my clients that don't have WSUS and updates are done manually on each machine, I have a GPO applied to all servers with the setting 'Configure Automatic Updates' set to Enabled with option '3-Auto download and notify for install'.  This allows me to at least see the updates that are listed before I decide to install them.
    Thursday, June 13, 2019 5:35 PM
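
For the two questions that recur in this thread (which "Configure Automatic Updates" policy is actually in effect, and what Windows Update would install before anything is installed), here is an added example that is not from any poster or from Microsoft. It reads the policy registry values and lists pending updates through the Windows Update Agent COM API; the function names `Get-AutoUpdatePolicy` and `Get-PendingUpdate` are hypothetical.

```powershell
# Added example: read-only audit of Windows Update policy and pending updates.
# Function names are hypothetical; nothing here downloads or installs anything.

function Get-AutoUpdatePolicy {
    # Values written by the "Configure Automatic Updates" group policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $meaning = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return 'Not configured (no policy values present)' }
    if ($p.NoAutoUpdate -eq 1) { return 'Disabled (NoAutoUpdate = 1)' }
    if ($null -ne $p.AUOptions -and $meaning.ContainsKey([int]$p.AUOptions)) {
        return "Enabled, option $($p.AUOptions): $($meaning[[int]$p.AUOptions])"
    }
    return 'Policy values present, but AUOptions is not set'
}

function Get-PendingUpdate {
    # The search call only queries the configured update source. Downloading
    # and installing are separate interfaces (IUpdateDownloader and
    # IUpdateInstaller) that this script never creates.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title      = $u.Title
            Severity   = $u.MsrcSeverity
            Downloaded = $u.IsDownloaded
        }
    }
}

"Policy: $(Get-AutoUpdatePolicy)"
Get-PendingUpdate | Sort-Object KB | Format-Table -AutoSize -Wrap
```

The policy function reports only what group policy has written to the registry, so its result can be compared against what Settings, Server Manager and SCONFIG each display.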
  • I completely understand. This last month, which was June of 2019, Microsoft released updates and a package update with network changes that totally killed iSCSI in 2016 & 2019, and you can't say no, don't install the one fix that killed iSCSI. NOPE! You have to leave your system un-updated with a lot of active CVEs out. Not much of a choice.

    Bad patches were Server 2016 (KB4499177, KB4503267 & KB4503294) or Server 2019 (KB4497934 & KB4503327)

    Sorry Microsoft, copy paste responses don't work for this. Turning updates to manual doesn't fix the issue. Please stop with the copy paste.

    So basically if you're reloading a 2016 Datacenter Hyper-V node you just can't update it, or you'll end up with all updates rolled up in one.

    Oh and removing the updates bricks the system in my cases.

    Answer to this is Microsoft needs to turn back on selective updates.

    Monday, July 1, 2019 9:29 PM
  • I completely understand. This last month, which was June of 2019, Microsoft released updates and a package update with network changes that totally killed iSCSI in 2016 & 2019, and you can't say no, don't install the one fix that killed iSCSI. NOPE! You have to leave your system un-updated with a lot of active CVEs out. Not much of a choice.

    Bad patches were Server 2016 (KB4499177, KB4503267 & KB4503294) or Server 2019 (KB4497934 & KB4503327)

    Sorry Microsoft, copy paste responses don't work for this. Turning updates to manual doesn't fix the issue. Please stop with the copy paste.

    So basically if you're reloading a 2016 Datacenter Hyper-V node you just can't update it, or you'll end up with all updates rolled up in one.

    No one at Microsoft is going to read this 2+ year old thread. Better to mention it here on UserVoice

    https://windowsserver.uservoice.com/forums/304618-installation-and-patching?category_id=141234

    or if immediate assistance is needed start a case here with product support.

    https://support.microsoft.com/en-us/hub/4343728/support-for-business


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Monday, July 1, 2019 9:40 PM
  • You did. 
    Monday, July 1, 2019 11:42 PM
  • You did. 

    No sir, I do not work for Microsoft.


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Monday, July 1, 2019 11:44 PM
  • Yeah, some corporations have the policy to consider that an old problem w/o solution is not a real problem...

    This can go as far as changing a problem into a feature.. ;-\

    Monday, July 22, 2019 8:18 AM