Windows Server 2016 auto install security updates

Aemilianus Kehler 101 Reputation points

I've the following settings:

Allow Automatic Updates immediate installation Enabled WSUS
Configure Automatic Updates Enabled WSUS

Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance Disabled
Scheduled install day: 1 - Every Sunday
Scheduled install time: 02:00
Install updates for other Microsoft products Enabled



Winning GPO

Specify intranet Microsoft update service location Enabled WSUS

Set the intranet update service for detecting updates: http://WSUSHostnamer:8530
Set the intranet statistics server: http://WSUSHostname:8530
(example: http://IntranetUpd01)

I don't want all updates to auto install, like any update that requires updates (E.G. CU updates) to be auto installed. Just security updates. Is my requirements not able to be met, and is it not auto installing cause I have set the one setting "Configure automatic updating: 3 - Auto download and notify for install"?

Thanks for any replies

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,046 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,095 questions
0 comments No comments
{count} votes

Accepted answer
  1. Aemilianus Kehler 101 Reputation points

    Yup pretty much came to the same conclusion:

    solved-how-to-make-windows-defender-to-update-automatically <-- Server 2008 R2, this uses: C:\Program Files\Windows Defender\MpCmdRun.exe

    I'm going to blog about the steps in detail here. Please note, my website is 100% free, no ads, donation based. Also note, my steps are detailed steps for deploying a script via GPO and the script is run and managed using a gMSA. This is NOT trivial, but I felt it was decently secured.

    Thanks for your help. Wow.... Just noticed Adam the WSUS MVP himself is following this question. :O

    1 person found this answer helpful.
    0 comments No comments

10 additional answers

Sort by: Most helpful
  1. AllenLiu-MSFT 35,266 Reputation points Microsoft Vendor

    Hi, @Aemilianus Kehler
    Thank you for posting in Microsoft Q&A forum.

    Is it not auto installing cause I have set the one setting "Configure automatic updating: 3 - Auto download and notify for install"?


    I'm afraid we can not achieve this requirement that only auto install part of the updates.
    However, we can achieve this requirement easily by SCCM.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Aemilianus Kehler 101 Reputation points

    Is there not away to achieve it with just different GPO's set?

    I don't not use SCCM

  3. Aemilianus Kehler 101 Reputation points

    defender updates and CU updates s or any update requiring a reboot should be able to be set via GPOs...

    Here's the definition from the "Allow Automatic Updates immediate installation" GPO setting

    "Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

    If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

    If the status is set to Disabled, such updates will not be installed immediately."

    Here's a Technet question with the exact same question/issue, with multiple people asking for a fix solution. Please advise.

  4. Aemilianus Kehler 101 Reputation points

    I think you are miss understanding, CU's or updates that require a reboot need to be manually installed. Any and all updates that don't need a service/server reboot should be automatically installed including Windows Defender updates.

    Yes the GPO in question has been set and pushed to clients, and member servers. Yet Defender updates still don't seem to auto install.

    Here's another TechNet post with an odd answer I even set that GPO setting and pushed to the clients and member servers, and it still not auto installing!

    Please go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Client Interface > Suppress all notifications:(enable it to stop clients from receiving notifications).

    It would be really beneficial for the systems administrators out there that have to rely on WSUS that there be concise setup documentation on how to make defender updates install automatically, while still retaining the ability to manually install heavier updates such as CU's.

    If there is such documentation please excuse my ignorance as I have not been able to find it.

    0 comments No comments