Windows Server - Configuring Windows Update
Posted by Richard Lingsch on 19 November 2020 01:37 PM
Applicable Plans - All Cloud Hosting Plans
Configuring Windows Update
Your Windows Virtual Server needs to run Windows Update in order to stay current with the latest security patches and software updates.
Microsoft configures Windows Update, by default, to download the updates only. An administrator would then need to log in and accept the updates, which usually requires a restart of the server to apply the updates. As a best practice for security, eApps configures Windows Update as Automatic by default. The update process will run every Saturday between 1 AM and 4 AM server time, US Eastern time (EDT/EST). However, if you change the server timezone, the updates will run based on the new timezone setting.
In order to minimize bandwidth usage, the exact time the update runs is randomly determined by a script. In most cases, your Virtual Server will be rebooted as part of the update process.
Having Windows Update set to Automatic is a best practice so that your Virtual Server is regularly updated with the latest security patches and software fixes. This helps keep your Virtual Server secure and reduces the chances of it being compromised or taken hostage by ransomware pirates. The downside is that your server will be rebooted periodically for most updates.
You can change the Windows Update behavior back to the Microsoft default of Download Only, or to be totally Manual. If needed, you can also change the schedule for the Windows Update, including changing how often the update runs. Both changes are made in the Windows Update settings.
More information about Windows Update can be found at Microsoft - Windows Server Update Services (WSUS).
Changing the Windows Update Behavior
If you need to change the behavior of the Windows Update, you can do this by following the steps below. To make these changes, you will need to connect to the Windows Virtual Server using Remote Desktop as the Administrator user. More information about connecting to your Windows Virtual Server can be found at Connecting to your Windows Server using Remote Desktop.
To change Automatic Update Settings, follow these steps:
1. Open CMD or PowerShell as Administrator and run the command 'sconfig'
2. From the SCONFIG screen press 5 (Windows Update Settings:) and then Enter. This will bring up the following options for you to choose from:
(A)utomatic – This will configure your machine to automatically scan, download, install and reboot after applying any updates.
(D)ownloadOnly – This will automatically scan, download and notify the admin if updates need to be installed. This is the default setting on Windows Server 2016.
(M)anual – This turns Automatic Updates off. Your system will never check for updates.
3. Press the letter specified in the "( )" and press Enter to apply.
4. When the tool applies the configuration you have selected, you will see a message pop-up similar to the one below. Click the OK button to dismiss the message. The tool will refresh the menu and option 5 will now show the new configuration.
Message pop-ups:
(A) Windows Update set to Automatic. System will check for and install updates every day at 3:00 AM.
(D) Windows Update set to DownloadOnly. System will check for and download updates.
(M) Windows Update set to Manual. System will never check for updates.
Changing the Windows Update Run Time
If you need to change the schedule for the Windows Update, you can do this by following the instructions below. To make these changes, you will need to connect to the Windows Virtual Server using Remote Desktop as the Administrator user. More information about connecting to your Windows Virtual Server can be found here: Connecting to your Windows Server using Remote Desktop.
The settings are located under ‘Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update’.
1. Open CMD or PowerShell as Administrator and run the command 'gpedit'.
2. In the Group Policy Management Console (GPMC), expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
3. In the details pane, double-click Configure Automatic Updates. The Configure Automatic Updates policy opens.
4. Click Enabled, and then select one of the following options under the Configure automatic updating setting:
- Notify for download and notify for install. This option notifies a logged-on administrative user before you download and install the updates.
- Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. By default, this option is selected.
- Auto download and schedule the install. This option automatically begins downloading updates and then installs the updates on the day and time that you specify.
- Allow local admin to choose setting. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. For example, they can choose a scheduled installation time. Local administrators cannot disable Automatic Updates.
5. Once it is Enabled, you can set the following two options:
Scheduled install day: [default (0 - Every day)]
Scheduled install time: [default (03:00)]
6. Once you have made the changes, click on OK.
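To confirm that the policy change took effect, the following added example (not part of the original eApps article) reads the Configure Automatic Updates policy back from the registry without changing anything. It assumes the policy is stored under the standard Windows Update policy key with the value names NoAutoUpdate, AUOptions, ScheduledInstallDay and ScheduledInstallTime; the function name Get-AutoUpdatePolicy is hypothetical.

```powershell
# Added example (not eApps code): read-only check of the Configure Automatic Updates policy.
# Assumption: the policy values live in the standard Windows Update policy key below.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values and the policy dialog choices they correspond to.
$AuOptions = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
$Days = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

function Get-AutoUpdatePolicy {
    param([string]$Path = $AuKey)

    $result = [ordered]@{ State = 'Not configured'; Mode = $null; Day = $null; Time = $null }
    if (Test-Path -Path $Path) {
        $p = Get-ItemProperty -Path $Path
        if ($p.NoAutoUpdate -eq 1) {
            # Policy explicitly set to Disabled.
            $result.State = 'Disabled'
        }
        elseif ($null -ne $p.AUOptions) {
            $opt = [int]$p.AUOptions
            $result.State = 'Enabled'
            $result.Mode = if ($AuOptions.ContainsKey($opt)) { $AuOptions[$opt] } else { "Unknown ($opt)" }
            if ($opt -eq 4) {
                # The schedule values only apply to scheduled installs.
                $result.Day = $Days[[int]$p.ScheduledInstallDay]
                $result.Time = '{0:00}:00' -f [int]$p.ScheduledInstallTime
            }
        }
    }
    [pscustomobject]$result
}

$policy = Get-AutoUpdatePolicy
$policy | Format-List
if ($policy.State -ne 'Enabled' -or $policy.Mode -ne $AuOptions[4]) {
    Write-Warning 'Policy does not enforce scheduled installs; patches may wait for manual action.'
}
```

Run it from an elevated PowerShell session after clicking OK in the policy dialog; a warning means updates will not install on a schedule under the current policy.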
NOTE - We recommend that you use the automatic update option to keep your Windows server up to date. If you make changes to the Windows Update behavior or scheduling that result in your Virtual Server being compromised, you will be responsible for consequences resulting from your server being compromised. This includes but is not limited to bandwidth overage charges, business interruption or damage, loss of data, and the time required by eApps Support to secure or assist you with your Virtual Server.