AA-in-CA
asked on
Server 2016 not accepting "manual" Windows Update mode in Sconfig
I've just installed and activated Server 2016, and learned that I need to use the sconfig utility to set my Windows Update preferences, as download only mode and manual mode aren't exposed in the new GUI.
When I launch sconfig, the "Windows Update Settings" setting is set to custom. However, whenever I try to switch to manual mode (option 5, then the letter M), the console displays "Setting updates to Manual...", and a separate alert appears, "Windows Update set to Custom. System has custom configuration for updates." After I dismiss the alert, the sconfig main menu reappears, and the setting is still "custom". Here's a screenshot of what I'm referring to:
Why won't sconfig accept the manual setting? This server doesn't participate in WSUS, and all of the WU settings in local policy (Computer Config-->Admin Templates-->Windows Components-->Windows Update) show as "Not Configured".
When I launch sconfig, the "Windows Update Settings" setting is set to custom. However, whenever I try to switch to manual mode (option 5, then the letter M), the console displays "Setting updates to Manual...", and a separate alert appears, "Windows Update set to Custom. System has custom configuration for updates." After I dismiss the alert, the sconfig main menu reappears, and the setting is still "custom". Here's a screenshot of what I'm referring to:
Why won't sconfig accept the manual setting? This server doesn't participate in WSUS, and all of the WU settings in local policy (Computer Config-->Admin Templates-->Windows Components-->Windows Update) show as "Not Configured".
McKnife
Disregard those settings. Setup a domain GPO and that's that.
ASKER
This server will not be joined to a domain. Using sconfig is a supported technique, this should work:
https://blogs.technet.microsoft.com/mu/2016/10/25/__trashed/
https://blogs.technet.microsoft.com/mu/2016/10/25/__trashed/
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
2016 does not do manual updates. It takes updates just like windows 8 and 10. If you want granular control, you use an update manager such as WSUS.
ASKER
Manual updating is supported, and I got sconfig to reflect the change by setting the NoAutoUpdate key in HKEY_LOCAL_MACHINE\SOFTWAR
It'll reflect the registry key. But the update engine will ignore it. Just like it does in 8 and 10. Be prepared for that.
ASKER
Thanks, Cliff. Out of curiosity, which patch management platform do you use, WSUS or something third-party? We've been looking at Ivanti/Shavlik, but I'm always open to other options. Maybe I should start a separate thread for that...
In smaller deployments, I use WSUS. In larger ones, SCCM. It's been years since I used Shavlik so I have little feedback there. Sometimes its just down to personal preference.
Yes, that's what I thought, no manual updating would be possible using the policies/regkeys/sconfig. Just like win10 (not like 8, 8 did allow manual updating). AA, how do you plan to update your Host? You can of course do it scripted, using wuinstall, for example.
ASKER
Probably just manage it with WSUS, which while free, is a very flawed product. I'd prefer a third-party, agent-based tool with better reporting, but I'm not sure we have the budget for that.
So have a WSUS group just for your Hypervisor and manually approve updates? Why? Updates can be installed at night time, the host suspends all clients when it restarts, no big deal. Or use wuinstall (which contacts wsus as well), version 1.1 was free, even for commercial usage - I could supply a copy.
ASKER
That's very generous, I would love a copy if you're willing (and it's not against the product's terms of use).
You can even download that old version 1.1 from the original makers: http://www.hs2n.at/component/docman/cat_view/52-tools
ASKER
Thanks!
Be aware that of course the update service will still try to do the updating if you leave it enabled. And with it disabled, of course wuinstall won't run. So you'll need to disable the update service and in your script, re-enable and start it, update, reboot and again disable it using scheduled tasks or scripts. Might not sound nice, but it works.
Saw another thread where Cliff pointed out, that disabling the update service alone would mean to have an unsupported configuration. You have to consider if that is what you want.
Saw another thread where Cliff pointed out, that disabling the update service alone would mean to have an unsupported configuration. You have to consider if that is what you want.
ASKER
Can you link me to that thread? Or better yet, to the article he cites in the thread, if there is one? If there's an official TechNet article or even blog post that says, "disable the update service and you're using an unsupported config", I would love to have that to show to my management.
Cliff? I don't have a link and there wasn't one in that thread.