Windows Server 2016 auto install security updates

Aemilianus Kehler 101 Reputation points
2021-02-23T15:42:41.267+00:00

I've the following settings:

Allow Automatic Updates immediate installation Enabled WSUS
Configure Automatic Updates Enabled WSUS

Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance Disabled
Scheduled install day: 1 - Every Sunday
Scheduled install time: 02:00
Install updates for other Microsoft products Enabled

Policy    Setting    Winning GPO
Specify intranet Microsoft update service location Enabled WSUS

Set the intranet update service for detecting updates: http://WSUSHostnamer:8530
Set the intranet statistics server: http://WSUSHostname:8530
(example: http://IntranetUpd01)

I don't want all updates to auto install, like any update that requires updates (e.g. CU updates) to be auto installed. Just security updates. Are my requirements not able to be met, and is it not auto installing because I have set the one setting "Configure automatic updating: 3 - Auto download and notify for install"?

Thanks for any replies

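As an added example (not code from this thread or from Microsoft), the PowerShell check below evaluates the policy values posted in the question and reports why nothing installs unattended, along with two WSUS URL issues visible in the same settings. `Test-WuPolicy` is a hypothetical helper name and the sample hashtable is constructed from the posted settings; on a live server the same values sit under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` and its `AU` subkey.

```powershell
# Added example; Test-WuPolicy is a hypothetical helper, not a built-in cmdlet.
function Test-WuPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # AUOptions: 2 = notify for download, 3 = auto download and notify for install,
    #            4 = auto download and schedule the install, 5 = local admin chooses.
    switch ([int]$Policy.AUOptions) {
        3 { 'AUOptions=3: updates download but wait for someone to start the install; the schedule is ignored.' }
        4 { 'AUOptions=4: approved updates install on day {0} at {1:D2}:00.' -f [int]$Policy.ScheduledInstallDay, [int]$Policy.ScheduledInstallTime }
        default { "AUOptions=$($Policy.AUOptions): no scheduled unattended install." }
    }

    # The update and statistics servers normally name the same WSUS host.
    $update = [uri]$Policy.WUServer
    $status = [uri]$Policy.WUStatusServer
    if ($update.Authority -ne $status.Authority) {
        "WUServer '$($Policy.WUServer)' and WUStatusServer '$($Policy.WUStatusServer)' differ; check for a typo."
    }

    # WSUS over plain HTTP leaves update metadata unauthenticated on the wire.
    foreach ($u in $update, $status) {
        if ($u.Scheme -ne 'https') {
            "$($u.OriginalString) uses plain HTTP, so update metadata is unprotected in transit; WSUS supports HTTPS (default port 8531)."
        }
    }
}

# Constructed sample mirroring the settings posted in the question.
$sample = @{
    AUOptions            = 3
    ScheduledInstallDay  = 1      # 1 = Sunday (0 = every day)
    ScheduledInstallTime = 2      # hour of day, 02:00
    WUServer             = 'http://WSUSHostnamer:8530'
    WUStatusServer       = 'http://WSUSHostname:8530'
}
Test-WuPolicy -Policy $sample
```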

Accepted answer
  1. Aemilianus Kehler 101 Reputation points
    2021-03-19T18:38:41.367+00:00

    Yup pretty much came to the same conclusion:

    https://community.spiceworks.com/topic/2000234-server-2016-auto-install-definition-updates-but-nothing-else

    solved-how-to-make-windows-defender-to-update-automatically <-- Server 2008 R2, this uses: C:\Program Files\Windows Defender\MpCmdRun.exe

    I'm going to blog about the steps in detail here. Please note, my website is 100% free, no ads, donation based. Also note, my steps are detailed steps for deploying a script via GPO and the script is run and managed using a gMSA. This is NOT trivial, but I felt it was decently secured.

    Thanks for your help. Wow.... Just noticed Adam the WSUS MVP himself is following this question. :O

    1 person found this answer helpful.

10 additional answers

  1. AllenLiu-MSFT 40,316 Reputation points Microsoft Vendor
    2021-03-05T03:08:25.97+00:00

    Hi, @Aemilianus Kehler
    Sorry for my misunderstanding; you want to install definition updates automatically.
    And what I want to confirm with you is: are your Defender updates automatically approved?
    74499-38.jpg


  2. Aemilianus Kehler 101 Reputation points
    2021-03-09T20:38:21.68+00:00

    Yes that option is configured.

    feyit0E.png


  3. Aemilianus Kehler 101 Reputation points
    2021-03-16T21:08:42.32+00:00

    Any update on what to check next?


  4. AllenLiu-MSFT 40,316 Reputation points Microsoft Vendor
    2021-03-17T08:36:56.23+00:00

    Hi,
    Your screenshot is the Default Automatic Approval Rule. Please confirm whether your Auto Approve Defender Definitions rule contains the following rule properties:

    • When an update is in Definition Updates.
    • When an update is in Windows Defender.
    • Approve the update for Required computer group.