Where did the 2019 servers get their updates from?

Junk 430 101 Reputation points
2021-10-14T18:42:30.267+00:00

I'm trying to transition from one patch program to use WSUS to approve updates and then use an Ansible play to tell the clients to install and reboot.
It seemed to work in a test.
Now that it's after Patch Tuesday I look and I only see patches for 2012R2, and all my 2019 boxes say they are either fully patched or missing some number of patches, BUT no patches show up for approval or needed.
When I log onto a 2019 server I see it has already downloaded the Oct OS and .net patches and is ready to install. How did it get them and approve them?

The 2012R2 servers show no updates available in Windows Update because I've not approved any.

I've used WSUS in the past and never had this issue. How does it think the 2019 servers are fully patched when they show patches waiting to install in Windows Update? Where did Windows Update get these patches? I'm guessing they went to MS.

GPO is set as follows:
Config Auto Updates: Enabled, download, don't install, don't reboot
Auto Update Detection: 5 hours
Display options for update notifications: 1- disable all notifications
Do not adjust default options to install updates and shut down: enabled
Do not connect to any Windows Update Internet Locations: Enabled -----Now this was enabled for some time because 2019 servers would not show up in WSUS without it.
Do not display install updates and shut down: enabled
No auto restart with logged on users: disabled
Specify intranet MS update service location: Enabled
Intranet Update service for detecting updates: http://mywusserver.myhouse.now:8530
Set intranet statistics server: http://mywusserver.myhouse.now:8530


Accepted answer
  1. Adam J. Marshall 8,621 Reputation points MVP
    2021-10-14T18:49:22.737+00:00

    Dual Scan Scenario likely - https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
    Here's part 4 of my 8 part blog series on How to Setup, Manage, and Maintain WSUS - https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/
    Part 4 gives you policies, part 5 is the linking of the policies for an inheritance setup.


2 additional answers

  1. Junk 430 101 Reputation points
    2021-10-20T14:06:46.213+00:00

    AJ, I have another question. After changing those WU for Biz settings it seems to be listening to my WSUS server; only one problem.
    I'm using Ansible to have the client search for, then install updates and reboot.
    What I see happen is the server installs the patch, it's listed in installed patches, it falls off WSUS as needed, but when I log into the server I see WU shows the patch as "Updates are ready to install" with the "Install now" button.
    What the heck... how is it installed and ready to install at the same time?



  2. Junk 430 101 Reputation points
    2021-10-20T14:10:52.157+00:00

    Ok may have answered my own question.. after clicking "install updates" it immediately changes to You're up to date. So I think the GUI was just not updating.

    Thanks again.
