AemilianusKehler-4003 asked ·

Windows Server 2016 auto install security updates

I've the following settings:

Policy | Setting | Winning GPO

Allow Automatic Updates immediate installation | Enabled | WSUS

Configure Automatic Updates | Enabled | WSUS
    Configure automatic updating: 3 - Auto download and notify for install
    The following settings are only required and applicable if 4 is selected.
    Install during automatic maintenance: Disabled
    Scheduled install day: 1 - Every Sunday
    Scheduled install time: 02:00
    Install updates for other Microsoft products: Enabled

Specify intranet Microsoft update service location | Enabled | WSUS
    Set the intranet update service for detecting updates: http://WSUSHostnamer:8530
    Set the intranet statistics server: http://WSUSHostname:8530
    (example: http://IntranetUpd01)

I don't want all updates to auto install, like any update that requires updates (e.g. CU updates) to be auto installed. Just security updates. Are my requirements not able to be met, and is it not auto installing because I have set the one setting "Configure automatic updating: 3 - Auto download and notify for install"?

Thanks for any replies


AemilianusKehler-4003 answered ·

Yup pretty much came to the same conclusion:

https://community.spiceworks.com/topic/2000234-server-2016-auto-install-definition-updates-but-nothing-else

solved-how-to-make-windows-defender-to-update-automatically <-- Server 2008 R2, this uses: C:\Program Files\Windows Defender\MpCmdRun.exe

I'm going to blog about the steps in detail here. Please note, my website is 100% free, no ads, donation based. Also note, my steps are detailed steps for deploying a script via GPO and the script is run and managed using a gMSA. This is NOT trivial, but I felt it was decently secured.

Thanks for your help. Wow.... Just noticed Adam the WSUS MVP himself is following this question. :O


AllenLiu-MSFT answered ·

Hi, @AemilianusKehler-4003
Thank you for posting in Microsoft Q&A forum.

Is it not auto installing cause I have set the one setting "Configure automatic updating: 3 - Auto download and notify for install"?

Yes.

I'm afraid we cannot achieve this requirement of auto installing only part of the updates.
However, we can achieve this requirement easily with SCCM.


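An added example, not part of the original thread or any participant's code: a read-only PowerShell check of the registry values that the GPO settings listed in the question write on a client, reporting what the configured mode means for unattended installs. The function name Get-WuPolicyFinding is hypothetical; the value names (AUOptions, AutoInstallMinorUpdates, UseWUServer, WUServer, WUStatusServer) are the standard Windows Update policy values.

```powershell
# Added example: audit the Windows Update policy that Group Policy wrote to this machine.
# Get-WuPolicyFinding is a hypothetical helper name. It only reads the registry.
function Get-WuPolicyFinding {
    [CmdletBinding()]
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $wu = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $PolicyRoot 'AU') -ErrorAction SilentlyContinue
    if (-not $au) {
        return 'No Windows Update policy values found: the GPO is not applying here.'
    }

    # Meaning of "Configure automatic updating" (AUOptions).
    $modes = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $findings = @("AUOptions = $($au.AUOptions) ($($modes[[int]$au.AUOptions]))")

    if ($au.AUOptions -eq 3) {
        $findings += 'Mode 3 downloads updates and then waits for someone to start the install.'
    }
    if ($au.AUOptions -ne 4) {
        $findings += 'Scheduled install day and time are ignored unless AUOptions is 4.'
    }
    if ($au.AutoInstallMinorUpdates -eq 1) {
        $findings += 'Immediate installation is on; it covers only updates that neither interrupt services nor restart Windows.'
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client is not using the intranet WSUS server.'
    }
    # Detection and statistics servers are usually the same host; a mismatch may be a typo.
    if ($wu.WUServer -and $wu.WUStatusServer -and
        ([uri]$wu.WUServer).Host -ne ([uri]$wu.WUStatusServer).Host) {
        $findings += "WUServer ($($wu.WUServer)) and WUStatusServer ($($wu.WUStatusServer)) name different hosts."
    }
    if ($wu.WUServer -like 'http://*') {
        $findings += 'WUServer uses plain HTTP; Microsoft recommends configuring WSUS for TLS (default port 8531).'
    }
    $findings
}

Get-WuPolicyFinding
```

Run it on a member server after `gpupdate /force` to confirm that the values in the GPO report actually reached the client.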

AemilianusKehler-4003 answered ·

Is there not a way to achieve it with just different GPOs set?

I do not use SCCM.


Sorry, we cannot achieve it with different GPOs set. A GPO cannot be set for specific updates; it applies to all updates.

AemilianusKehler-4003 answered ·

Defender updates and CU updates or any update requiring a reboot should be able to be set via GPOs...

Here's the definition from the "Allow Automatic Updates immediate installation" GPO setting

"Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

If the status is set to Disabled, such updates will not be installed immediately."

Here's a Technet question with the exact same question/issue, with multiple people asking for a fix solution. Please advise.



So have you tried to enable "Allow Automatic Updates immediate installation" and create an automatic approval rule for CU to see if the CU can be installed automatically?

AemilianusKehler-4003 answered ·

I think you are misunderstanding; CUs or updates that require a reboot need to be manually installed. Any and all updates that don't need a service/server reboot should be automatically installed, including Windows Defender updates.

Yes the GPO in question has been set and pushed to clients, and member servers. Yet Defender updates still don't seem to auto install.

Here's another TechNet post with an odd answer. I even set that GPO setting and pushed it to the clients and member servers, and it's still not auto installing!

Please go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Client Interface > Suppress all notifications:(enable it to stop clients from receiving notifications).

It would be really beneficial for the systems administrators out there that have to rely on WSUS that there be concise setup documentation on how to make Defender updates install automatically, while still retaining the ability to manually install heavier updates such as CUs.

If there is such documentation please excuse my ignorance as I have not been able to find it.


AllenLiu-MSFT answered ·

Hi, @AemilianusKehler-4003
Sorry for my misunderstanding, you want to install definition updates automatically.
And what I want to confirm with you is whether your Defender updates are automatically approved?
[Attached screenshot: 38.jpg]

AemilianusKehler-4003 answered ·

Yes that option is configured.

[Attached screenshot: feyit0E.png]


AemilianusKehler-4003 answered ·

Any update on what to check next?

AllenLiu-MSFT answered ·

Hi,
Your screenshot is the Default Automatic Approval Rule. Please confirm whether your Auto Approve Defender Definitions rule contains the following rule properties:

  • When an update is in Definition Updates.

  • When an update is in Windows Defender.

  • Approve the update for Required computer group.

AemilianusKehler-4003 answered ·

Sorry about that, I figured that it being checked off was good enough. Yes, those are defined, as well as a deadline.

[Attached screenshot: dbvfCfl.png]

