Windows 10: Server 2016 WSUS settings question

So I've got a WSUS server set up on my 2016 server and it deal with 99% 2016 clients. I've run into the issue that my servers are automatically installing updates instead of only installing approved updates. Below are my current registry settings. I also work in tandem with another Windows Engineer and we've been trying to get WSUS working using the GPO. So when he makes changes in the WSUS GPO settings it overrides the registry settings.


Am I missing something as to why my servers are auto updating? In my other environment I have 2008/2012 servers with practically identical registry settings and they have no issues automatically updating unless the patches are approved by me.


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001

"BranchReadinessLevel"=dword:00000020

"DeferFeatureUpdates"=dword:00000001

"DeferFeatureUpdatesPeriodInDays"=dword:000000b4

"DeferQualityUpdates"=dword:00000001

"DeferQualityUpdatesPeriodInDays"=dword:00000000

"DoNotConnectToWindowUpdateInternetLocations"=dword:00000000

"WUServer"=xxxxxxxxx

"WUStatusServer"=xxxxxxxxx


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

"AlwaysAutoRebootAtScheduledTime"=dword:00000001

"AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000000f

"AUOptions"=dword:00000004

"AutoInstallMinorUpdates"=dword:00000001

"DetectionFrequency"=dword:00000012

"DetectionFrequencyEnabled"=dword:00000001

"NoAutoRebootWithLoggedOnUsers"=dword:00000000

"NoAutoUpdate"=dword:00000000

"ScheduledInstallDay"=dword:00000000

"ScheduledInstallTime"=dword:00000004

"UseWUServer"=dword:00000001

:)

 

Windows Update of Windows Server 2016 against local WSUS server fails

Installing a new environment built around Windows Server 2016 that has some of the servers on a network that can't reach out to the internet, we installed Windows Server Update Services (WSUS) on one of the servers that has two Network Cards (dual NICed) one of the NICs can reach the internet to download updates and supply them to the rest of the servers VIA the other NIC (which is specifically configured to NOT route traffic). Once configured, all of the machines reported themselves to the WSUS server, but never downloaded updates.

We eventually found the "Do not allow update deferral policies to cause scans against Windows Update" policy which we Enabled that forced the servers and workstations on the non-internet accessible segment to make further use of the local WSUS server. In this configuration, our Windows 10 workstations fully worked, but the Windows Server 2016 machines still consistently failed.

We eventually found that the AppPool associated with the WSUS site had it's "Private Memory Limit" too small to allow Windows Server 2016 scans to complete. The default limit as installed by the WSUS was something like 2.8GB. The suggested setting is "0" (unlimited). Watching the scan of one Windows Server 2016 machine suggests that each Windows Server 2016 machine will take more than 6GB of memory during it's "Scan" phase of an update. There was some evidence that our server would not "page" this memory requirement to disk, so we also increased the physical memory as well. Once the scan phase consistently completed, the servers started to download updates but the OS cumulative patches consistently failed to apply. We used the Get-WindowsUpdateLog command to attempt to find out what was happening, but the produced log did not point to an issue. We looked through other logs and events, Googled the return code from the update failure (0x800705b4), but found no resolution/ pointers. Out of desperation, we postulated the update timed-out due to Windows Defender's activity. Note: We would eventually install these updates manually by downloading them from Microsoft and each time we attempted to install them manually, they installed without issue.

Based on the assumption that we were dealing with a timeout, we disabled Windows Defender's "Real-Time protection" which obviously slowed the install. Once the Real-Time protection was disabled, it seems to have sped up the install enough to allow the install to complete. This was done for one iteration, but we then re-enabled the Real-Time protection.

Finally the question: Is there a way to increase the time allowed for Windows Update to apply its updates? or is there a best practices on how to get these large updates to apply automatically?

 

Unable to download wsus updates in windows 2016 wsus server.

Hi ,

I have installed new wsus server on windows 2016 server.I am facing strange issue.It is showing me updates are being downloading but my content folder is empty.

All microsft sites are allowed to this server and able to download update http://download.windowsupdate.com/ site.

 

Windows Server 2016 can connect to WSUS but unable to install patch due to error 0x8024500c

Hi,

I'm facing an unable to install the WSUS patch update with error code 0x8024500c

My system is Windows server 2016 r2 which joining domain, The patches are deploy through WSUS hosted by ADserver

The only way it can go out is via firewall with specific rule set.

The patches can download normally, The rest of the server with the same setting in my system can get the patches installed perfectly

Things I've tried

i.) DISM /Online /Cleanup-Image /CheckHealth, DISM /Online /Cleanup-Image /RestoreHealth

ii.) Change and delete some keys in the registry : Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\WindowsUpdate as some suggestion

iii.) Compare and change the registry between worked machine and error machine in the following

• reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
• reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
• reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

Right now I really don't have a clue about where I should look into next

Kindly advice

Thank you in advance for your help

Nuwat.Kw