Taking control of Windows Server 2016/2019 Updates

Note: Originally published 8th May 2017, updated with references to Windows Server 2019.

It’s hard to believe that Windows Server 2016 has been out for over half a year now. I do find it easier to believe why people aren’t so eager to jump on the Windows Server 2016 band wagon though. For all the great benefits it brings, ReFS & Veeam is absolutely amazing for example, I can’t help shake the feeling that Microsoft seeks to dictate our terms of use to servers and their uptime. To me this boils down to two things, automatic updates & active hours. I’ll go into their limitations below.

Automatic updates are a blessing for most IT technicians as with user machines we can set and forget our rules and feel comfortable that 99% of the machines are up to date. Now it’s our turn to feel the pain that our users have told us about with updates being installed at the most inappropriate moments. It boils down to Microsoft’s latest change for Windows 10 / 2016. Active hours.

Currently Active hours can only be set to a twelve hour daily window. In today’s 24×7 world it’s unacceptable to assume we can just have our servers reboot at any point in a twelve hour window every day. Now of course updates aren’t delivered daily but Microsoft are the ones that dictate the terms of update frequency to us and nobody is aware of anything Microsoft has put into automatic updates to prevent entire clusters from rebooting simultaneously, so it’s down to us to put in our own process.

This can be handled two ways, firstly you can ensure your servers are having their updates delivered by WSUS and then manually approve the updates to your servers at a given time, depending on your requirements this may suit you well enough, however if you’re like me and want a more granular control to ensure you can facilitate safeguards such as snapshots then I think you’ll like my solution. SCONFIG.

My disclaimer on SCONFIG is that currently it doesn’t update the desktop experience interface properly and the desktop experience interface will still tell you it’s going to install updates automatically and tell you about active hours. Ignore this, it’s a GUI bug that Microsoft have admitted to.

I set my Windows Updates to download only and then I manually install them through the desktop experience interface when I’m ready, to do this open an administrative Powershell on your server that you wish to change the settings on. Type SCONFIG and hit enter. You should now see a server configuration interface. Hit 5 and then enter to take you into the Windows Update settings menu. Finally Press D for Download Only and then hit enter, that’s your new update policy set to Download Only! You can also choose A for automatic if you wish to revert this or M for Manual if you want to control every aspect of patching yourself. As a handy link also please find below the Technet article in case this changes in the future!

Happy Patching!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: