This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
In the past until Windows Server 2012 we were able to choose the updates we wanted to install by selecting the checkbox.
I think from 2016 onwards we do the search and automatically everything that Microsoft decides to install is installed.
Recently we are participating in some incompatibilities with windows updates and I want to know if it is possible to select what we want to be installed.
For example:
Case 1
During the update process some VMware update was installed where the server lost network connectivity, but we didn't know that Windows would download these updates.
Case 2
During the update process KB501466 was installed which to my surprise is not security, but I swore that Windows Update only installed security updates unless I chose any of the advanced options.
Given these scenarios, what solutions can I apply to prevent this from happening in the manual process where I don't have a WSUS?
Below are my current Windows Update settings:
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
KB5014669 Is a cumulative update preview. Yes a rollup contains both security and non-security updates.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5014669
as far as preventing them; the best way may be to have your own WSUS at site where you can review and approve them.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi @Anonymous
I understand, using WSUS I can separate the server into a group where I would not approve this KB for example, while for the others yes.
There is no more option of a checkbox as of Windows 2016.
Thanks.
Sorry, not sure what check box you're asking about.
You can do that, yes. WSUS groups work well for that - and a computer can be a member of multiple WSUS Groups at one time.
I was answering to the original ask in this thread. Please close this one by marking answer and open a new thread about the WSUS setup.
Hi @Anonymous
checkbox I mean that on the server or desktop, when we click to fetch updates it shows everything it found.
You have no option to choose what you want to install.
It will install everything it found.
Thanks.
Ik, sounds good. I was answering to the original ask in this thread. Please close this one by marking answer and open a new thread about the WSUS setup.
Just to clarify that the checkbox I mentioned has nothing to do with wsus. I refer to the moment of checking the windows updates on the client.
Ok, I don't think I've ever seen this or at least recently.
The short answer is you don't unless you choose security only updates.
https://support.microsoft.com/en-us/topic/windows-8-1-and-windows-server-2012-r2-update-history-47d81dd2-6804-b6ae-4112-20089467c7a6
Security-only update
An update that collects all the new security updates for a given month and for a given product, addressing security-related vulnerabilities. It's distributed through Windows Server Update Services (WSUS), System Center Configuration Manager and Microsoft Update Catalog. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Security-only update would be displayed under the title Security Only Quality Update when you download or install the update. It will be classified as an Important update.
Monthly Rollup
The Monthly Rollup is product-specific and addresses both new security issues and nonsecurity issues in a single update. It will proactively include updates that were released in the past. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Monthly Rollup would be displayed under the title Security Monthly Quality Rollup when you download or install. This Monthly Rollup will be classified as an Important update on Windows Update. It will automatically download and install if your Windows Update settings are configured to automatically download and install Important updates.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi @Anonymous ,
how do i choose security updates only without WSUS?
I understand the concept of cumulatives, which "pools" all previous updates to prevent you from installing individually.
Now following your explanation, are you informing me that now a rollup will contain both security and non-security updates?
Does this mean that if I don't want to install a non-security update, I can't?
I was informed that this KB5014669 is not security, that is, if I had known that I would not have installed it this month. But I looked on Microsoft's website and it says it's security yes.
For example, these VMware updates were installed separately. How would I prevent them from being installed once I clicked to check for updates? It already came out installing automatically.
Thanks.
Manual approval on a WSUS server is the only way. Realistically it doesn't take much effort each month to review them - 5-15 minutes per month to review and approve to a test group, and then to production a few days later after your 'testing-in-production' test systems are showing no signs of issues.
https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/
Yes, I've managed 34 downstream with one upstream.
It was 34 remote sites, with groups of approval, contention and production.
We chose a % of cell computers (operation / sectors) to homologate and after OK, we approved the KBs for the production groups.
Today I no longer use it because of the culture of the company where I am, but I see that I need to resume this process.
Thanks.