Making Windows Server 2016 Update Automatically

scottalanmiller

By default, Windows 2016 will download and alert for updates, but does not apply them on its own. This can be fixed with a pretty simple registry change, but it is not obvious. You can use regedit from the GUI, or PowerShell from the command line to do this easily.

Regedit

To enable automatic updates use regedit and change:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

The default setting is a value of "2". You will want a value of "5". Set this, and you can now schedule updates on the GUI.

PowerShell

Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 5

DustinB3403

@scottalanmiller Why would you want your server automatically installing updates? Besides the obvious "because I never want to have to sit through windows updates".

This seems like a bigger risk, in that an update could break your server.

scottalanmiller

@DustinB3403 said in Making Windows Server 2016 Update Automatically:

@scottalanmiller Why would you want your server automatically installing updates?

Whenever security is a top priority. Because having humans in the process is the biggest security risk.

Dashrender

Can it set it to reboot only between say 10 PM and 4 AM?

scottalanmiller

@DustinB3403 said in Making Windows Server 2016 Update Automatically:

This seems like a bigger risk, in that an update could break your server.

That's a "headline news" risk. In the real world, this is a risk, but a tiny one. In two ways. First, it is very unlikely to happen - when it does happen people make a big stink about it and it makes the news. So it sounds way more common than it is (like shark attacks.)

The second is impact. The impact of a bad patch is traditionally trivial. Just application compatibility normally. That has typically a tiny financial impact on a company.

The counter risk is ransomware or malware. These items are both far more likely to happen (if you aren't patching quickly) and the impact is dramatically more - data stolen, prolonged outages, data loss, etc.

So it is a double whammy... bigger damage, more often. The rule is... patch fast, patch often, don't let a human get in the way of security unless you really, really need to.

scottalanmiller

@Dashrender said in Making Windows Server 2016 Update Automatically:

Can it set it to reboot only between say 10 PM and 4 AM?

Yes, you control that.

dafyre

@scottalanmiller said in Making Windows Server 2016 Update Automatically:

@Dashrender said in Making Windows Server 2016 Update Automatically:

Can it set it to reboot only between say 10 PM and 4 AM?

Yes, you control that.

And Snapshot at 9:50 PM (assuming this is a VM).

jmoore

@dafyre Yes the Windows 1803 patch broke our database and caused EdExpress to go wonky for quite a while until I disabled updates. As soon as Windows went to 1809 it all started working again. So just an fyi for you @dafyre if you had any troubles with this too.

dafyre

@jmoore said in Making Windows Server 2016 Update Automatically:

@dafyre Yes the Windows 1803 patch broke our database and caused EdExpress to go wonky for quite a while until I disabled updates. As soon as Windows went to 1809 it all started working again. So just an fyi for you @dafyre if you had any troubles with this too.

EdExpress is one of two pieces of software I'm glad I don't have to deal with anymore... (EdConnect is the other, lol).

jmoore

@dafyre Ugghh lol and of course they are used in tandom. I support these and I hate it lol

Dashrender

@jmoore said in Making Windows Server 2016 Update Automatically:

@dafyre Yes the Windows 1803 patch broke our database and caused EdExpress to go wonky for quite a while until I disabled updates. As soon as Windows went to 1809 it all started working again. So just an fyi for you @dafyre if you had any troubles with this too.

did you roll back to 1709? then roll up to 1809 when it came out?

dafyre

@jmoore said in Making Windows Server 2016 Update Automatically:

@dafyre Ugghh lol and of course they are used in tandom. I support these and I hate it lol

I no longer have to do anything but snicker anytime somebody mentions them now, ha ha... so.... *snicker, snicker.

jmoore

@Dashrender Yes. I may have the version wrong but I did have to do that and then I disabled updates until 1809 tested well at my workstation.

jmoore

@dafyre lol and I can't wait for that same day

scottalanmiller

@jmoore said in Making Windows Server 2016 Update Automatically:

@dafyre Yes the Windows 1803 patch broke our database and caused EdExpress to go wonky for quite a while until I disabled updates. As soon as Windows went to 1809 it all started working again. So just an fyi for you @dafyre if you had any troubles with this too.

1803 is not a patch. That's a new OS version. While it is handled through Windows Updates, it's not the same as a patch.

black3dynamite

Has anyone tried this with 2019?

scottalanmiller

Not yet.