Group Policy for Windows Update and WSUS on Windows Server 2016 - Automatic Updates - monthly occurrence option


Tommy Gould

We have configured some Group Policy objects for Automatic Update behaviour against our Windows Server 2016 Standard estate.

We have a number of identical GPOs - all with the same settings, the difference being that they are then security filtered to a specific Active Directory security group.

We have a number of server computer objects in each group. Filtering is working correctly, and the servers are obtaining their correct GPO, which we have confirmed with gpresult and rsop on each server.

The main GPOs are used for Windows Update Automatic Update behaviour.

We have configured them to use auto download and schedule the install - then each GPO has a different day of the week, the same time of the day (3AM) and CRUCIALLY - the settings for the week of the month selected.

So we have AD groups named:

WSUS_1MON0300

WSUS_2MON0300

WSUS_3MON0300

WSUS_4MON0300


And these groups are then used as the security filter against a corresponding GPO with the same name.

Each GPO then has the same day (Monday) and time (3AM) - but a different day of the month selected - GPO WSUS_1MON0300 having the first week of the month, GPO WSUS_2MON0300 having the second week of the month and so on.

We expected the behaviour of this GPO to then only schedule and install updates that the server has downloaded on the exact day of the month - such as the 2nd Monday of the month at 3am for example.

This setting does not seem to work though, despite the GPO applying and correctly entering the setting in the registry on the targeted servers.

The setting just seems to be ignored by Windows Server 2016, and will schedule and update itself every Monday, rather than just the 3rd Monday of the month.

This is causing chaos - we have tried to segregate our services so that only one node of 4 will patch on any given Monday - but regardless of setting this GPO - they install every Monday.

Please can Microsoft confirm if these settings actually work for Windows Server 2016, and not just Windows 10 desktops.


Registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU




GPO setting is Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates










Windows Server 2016 Standard version in use is 14393.2608
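
A read-only check that can be run on one of the targeted servers to compare the schedule values under the policy key above with the dates on which updates were actually installed. It is an added example, not part of the original post; it assumes the value names written by the Configure Automatic Updates policy template and treats "week N" as the Nth occurrence of the weekday in the month, which is how the post expects the setting to behave.

```powershell
# Added example (not from the original post). Reads only; changes nothing.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Assumption: these are the value names the policy template writes under the AU key.
$names = 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime',
         'ScheduledInstallEveryWeek', 'ScheduledInstallFirstWeek',
         'ScheduledInstallSecondWeek', 'ScheduledInstallThirdWeek',
         'ScheduledInstallFourthWeek'

$au = Get-ItemProperty -Path $auKey -ErrorAction Stop
$policy = [ordered]@{}
foreach ($n in $names) {
    # A value that is absent is reported as $null rather than raising an error.
    $policy[$n] = if ($au.PSObject.Properties.Name -contains $n) { $au.$n } else { $null }
}
[pscustomobject]$policy | Format-List

# Work out which occurrences of the weekday the policy selects.
$weeks = @()
if ($policy['ScheduledInstallEveryWeek'] -eq 1) {
    $weeks = 1..5            # every week, including a fifth occurrence
} else {
    $i = 0
    foreach ($w in 'First', 'Second', 'Third', 'Fourth') {
        $i++
        if ($policy["ScheduledInstall${w}Week"] -eq 1) { $weeks += $i }
    }
}
"Policy selects occurrence(s) of the weekday: $($weeks -join ', ')"

# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
$day = $policy['ScheduledInstallDay']
if ($day -ge 1 -and $day -le 7) {
    "Policy weekday: $([DayOfWeek]($day - 1)) at $($policy['ScheduledInstallTime']):00"
}

# Compare with the install history. InstalledOn is a date only, and some
# entries have no date at all, so those are skipped.
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, InstalledOn,
        @{ n = 'Weekday';           e = { $_.InstalledOn.DayOfWeek } },
        @{ n = 'OccurrenceInMonth'; e = { [int][math]::Ceiling($_.InstalledOn.Day / 7) } },
        @{ n = 'InPolicyWeek';      e = { $weeks -contains [int][math]::Ceiling($_.InstalledOn.Day / 7) } } |
    Format-Table -AutoSize
```

Rows where InPolicyWeek is False on the policy weekday are installs that ran outside the selected week, which gives dated evidence per server alongside the gpresult output.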
