In Windows Server 2016 there are no GUI options available to change the update behavior.
In this blog I was outline the different ways to change the Windows Server 2016 Update settings.
Windows Server 2016 Update settings
Windows always looks at registry keys located in the following hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Typically there is a key named ‘AUOptions’ with a value in the range 2-5, and have the following meaning:
– 2 = Notify before download.
– 3 = Automatically download and notify of installation.
– 4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.
– 5 = Automatic Updates is required and users can configure it.
But if there is a ‘NoAutoUpdate’ key with the value of ‘1’, no updates will be processed by Windows.
Powershell
You can change the registry key with the help of Powershell directly:
In Windows Server 2012 I used to change the setting using the .NET object as below, this doesnt work anymore in 2016 as the API only allows “GET” statements.
$WUSettings.NotificationLevel=3
$WUSettings.save()
SCONFIG
Sconfig is basically a simple batch script, which is sufficient for configuration tasks such as update settings.
In the sconfig prompt you can select options ‘5’ to enter the update settings configuration and then choose:
A – Automatically scan, download and install updates. After installation perform a reboot.
D – Automatically scan, download updates
M – Never check for updates, trigger manually.
Open a command prompt with administrative permissions and run SCONFIG from there.
Group Policy
You can always use the trusted GPO’s in an Active Directory domain environment. The settings are located under ‘Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update’.
You can configure the same range of numbers here.
More info on managing update polices with GPO’s here:
https://technet.microsoft.com/nl-nl/library/cc720539(v=ws.10).aspx
Scheduling Day / Time
When you set the update settings to “Automatically download and schedule installation” it could be that you also want to decide yourself which day/time it should update. This can be done using the ScheduledInstallDay and ScheduledInstallTime keys in the registry.
ScheduledInstallDay
| Value | |
| 0 | Install every day |
| 1-7 | Specific day of the week where Sunday =1 and Saturday = 7 |
ScheduledInstallTime
| Value | |
| 0-23 | Time of the day in 24-hour format |
Setting the Scheduled Install Day to Tuesday:
Setting the Scheduled Install time to 6 AM:
The changes take effect after logoff
More info on this Windows Update settings here: https://msdn.microsoft.com/en-us/library/dd939844(v=ws.10).aspx
—
Thank you for reading my blog.
If you have any questions or feedback, leave a comment or drop me an email.
Darryl van der Peijl
http://www.twitter.com/DarrylvdPeijl
Thanx Glenn!!!! Very handy.
Good information… One thing to add in the ‘registry section’ would be to define what setting NoAutoUpdate = 1 does. I noticed running the SConfig scrip in PowerShell that it set the NoAutoUpdate key to 1. I don’t know if it does other stuff or makes other changes, but just wanted to point it out. Thanks again for a clear well organized article. The only sad thing is that Google doesn’t have you ranked as number one on this subject.
I think you overlooked it 🙂
“But if there is a ‘NoAutoUpdate’ key with the value of ‘1’, no updates will be processed by Windows.”
I was looking to see how to change the frequeny of the AU job, you say there needs to be a day time reg key but when I set auto which should be 3am everyday I dont see any keys for that? Do you have any more details on where they live/format?
I figured out my previous question, if you set the “A” with sconfig you dont get to pick the time by default.
If you set with a gpo you can set it. reg key for date/time
ScheduledInstallDay – reg dword – 1-7 Sunday =1
ScheduledInstallTime- reg dword – 0-23 3=3am (I am guessing at the range)
It also sets AllowMUUpdateServce to reg dword 1 – not sure i know what it does. I am going to play with this a little more today and see if I can get it working with just reg keys versus GPO as then I can do it via IAC etc.
Hi Martin,
Thanks for your addition, I added some more info in the blog!
The ‘AllowMUUpdateService’ is used for ‘Manage whether to scan for app updates from Microsoft Update.’
-Darryl
Hi,
Very usefull. Thank you for sharing.
In the SCONFIG menu, what settings will be changed when you select Manual? Is it only the AUOptions registry setting?
Can I check these settings if they are enabled?
Hi,
I believe so, yes.
You could do a trace with https://docs.microsoft.com/en-us/sysinternals/downloads/procmon to know for sure.
Thank you for this blog post. For a few years now, I have been trying to get Windows Server 2016 to fully automatically install Windows Updates, like almost all previous versions of Windows have done. I haven’t been successful in that, even when learning about sconfig, and creating a Microsoft support case with them. *Then* I found this blog post of yours, and I *really* thought I had found the solution: the missing day and time registry entries! So I configured those, but *still* Windows Updates don’t occur automatically on Windows Server 2016! Am I the only person in the world who had my Windows Servers’ installing Windows Updates fully automatically up until Windows Server 2016 (and therefore I am the only one who was surprised by the seeming removal of fully automatic Windows updates in Windows Server 2016)? On the other hand, if it is possible to still have fully automated Windows Updates on Windows Server 2016, then what have I been doing wrong all these years? Thanks in advance for any assistance!!
Hi Brain,
Cannot help you with out-of-the-box installation of updates, I am not doing it.
BUT, does this help you: https://gallery.technet.microsoft.com/Force-Install-Updates-on-ef821f9a ?
Hello, thanks for the post.
Mine is setup exactly they way you described, however when I check the restart options in the settings of 2016 server, it should be saying restart at midnight on Sunday, BUT, sunday is not showing in the field where it should be showing, even though is setup in the registry. Any thoughts?
Thank you for this blog post I had an issue with one of my server through sconfig command I was not able to set value
– 3 = Automatically download and notify of installation.
As per the post I had written the mentioned value in registry and it worked.
Thanks a ton
Shiv Ratan Sahu(India)
Hello, I just came across your blog while searching for some information, and it is very helpful information. I did not find what I was looking for, but may be you know the answer.
I have 2 Server 2016 systems that keep getting set back to Windows Update Settings set to Automatic, but they should both be managed by SCCM. I can’t figure who, or what account is initiating that change. I reset to Download only state in September, but in checking SCCM patching deployments, I find they are set back to Automatic again.
Any suggestions on how to figure that out? I’ve been searching in Event Viewer and Task Scheduler, but maybe not looking for the right things.
Thank you,
Cathy
Is there not a GPO that is interfering?