    Server 2016 - Force Default Update Server to WSUS Server Via GPO

    IT Discussion
    windows windows server 2016 wsus windows update windows updates gpo pswindowsupdate powershell
    • wrx7m

      I recently ran into an issue after starting to use PSWindowsUpdate (https://mangolassi.it/topic/19897/pswindowsupdate-use-powershell-and-other-tools-to-automate-windows-updates) where Server 2016 had GPOs set to point the servers to a local WSUS server. The problem was that the server was actually going to Microsoft's public internet update server. When running the following in PowerShell -

      $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
      $MUSM.Services | select Name, IsDefaultAUService
      

      I found that IsDefaultAUService for Windows Server Update Service was set to False and Windows Update was set to True.

      Name                          IsDefaultAUService
      ----                          ------------------
      Windows Store (DCat Prod)                  False
      Windows Server Update Service              False
      Windows Update                              True
      

      I found that these GPO settings, as outlined by alexander.polomodov at serverfault.com (https://serverfault.com/questions/857607/windows-server-2016-not-updating-through-wsus/868356), fixed the issue. There may be settings that aren't really required, but I do know that this fixed my issue. Now IsDefaultAUService shows True for Windows Server Update Service.

      Here is his post:

      "The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

      The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

      Here is what you have to do to fix it: Run the following commands in PowerShell on the offending server

      $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
      $MUSM.Services | select Name, IsDefaultAUService
      

      You will get something back like this:

      Windows Update Standalone Installer - False
      Windows Server Update Service - False
      Windows Update - True

      If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...

      The first thing you have to do is make sure the following patches are installed on your server.

      kb4103720 and kb4462928

      You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

      These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

      Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

      Computer Configuration > Policies > Administrative Templates > System > Device Installation

      Specify the search server for device driver source locations

      Set to "Enabled"
      Select search order: "Do not search Windows Update"

      Specify the search server for device driver updates

      Set to "Enabled"
      Select Update Server: "Search Managed Server"

      Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

      Turn off access to all Windows Update features (In Microsoft-speak that means their online server, not 'make it so it can't get updates')

      Set to "Enabled"

      Turn off access to the Store

      Set to "Enabled"

      Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

      Do not allow update deferral policies to cause scans against Windows Update

      Set to "Enabled"

      No auto-restart with logged on users for scheduled automatic updates installations

      Set to "Enabled"

      Specify intranet Microsoft update service location

      Set to "Enabled"
      Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"
      Set the intranet statistics server:"http://[YOUR SERVER]:8530"
      Set the alternate download server: "http://[YOUR SERVER]:8530"
      Uncheck the box Download files with no Url in the metadata if alternate download server is set

      Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

      Run the above PowerShell commands again.

      It should now say

      Name                          IsDefaultAUService
      ----                          ------------------
      Windows Server Update Service               True
      Windows Update                             False
      

      If you get "Windows Server Update Service" True, then it should work!"

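      A verification script, added here as an example and not taken from the thread or the serverfault post, that checks the three things the posts above rely on: both KBs installed, the WSUS policy values present in the registry, and the COM ServiceManager reporting WSUS as the default AU service. The WSUS URL is the thread's placeholder; the registry value names are the standard policy values behind the "Specify intranet Microsoft update service location" and "Do not allow update deferral policies..." settings.

```powershell
# Added example: report whether this Server 2016 host is really using WSUS.
# $ExpectedWsus is a placeholder taken from the thread; replace with your server.
$ExpectedWsus = 'http://[YOUR SERVER]:8530'

# 1. The two fixes named in the thread must be installed before the policy is honoured.
$RequiredKbs = 'KB4103720', 'KB4462928'
$MissingKbs  = @($RequiredKbs | Where-Object {
    -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue)
})

# 2. Policy registry values written by the Windows Update GPO settings.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Pol   = Get-ItemProperty -Path $WuKey        -ErrorAction SilentlyContinue
$Au    = Get-ItemProperty -Path "$WuKey\AU"   -ErrorAction SilentlyContinue

# 3. Which service Automatic Updates is actually using right now (same COM object as the thread).
$MUSM    = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$Default = $MUSM.Services |
    Where-Object { $_.IsDefaultAUService } |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    MissingKbs       = ($MissingKbs -join ', ')
    WUServer         = $Pol.WUServer            # "Set the intranet update service..."
    WUStatusServer   = $Pol.WUStatusServer      # "Set the intranet statistics server"
    UseWUServer      = $Au.UseWUServer          # 1 = use the intranet server
    DisableDualScan  = $Pol.DisableDualScan     # 1 = deferral policies may not scan Windows Update
    DefaultAUService = $Default
    Compliant        = ($MissingKbs.Count -eq 0 -and
                        $Au.UseWUServer -eq 1 -and
                        $Pol.WUServer -eq $ExpectedWsus -and
                        $Default -eq 'Windows Server Update Service')
}
```

      Run it after the GPO has applied (gpupdate /force and a reboot if the KBs were just installed); a host that shows the policy values set but still reports Windows Update as DefaultAUService is the dual-scan symptom described in the post.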
      • dbeato

        This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

        • wrx7m @dbeato

          @dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

          This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

          It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 shows the correct default service.

          • dbeato @wrx7m

            @wrx7m said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

            @dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

            This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

            It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 shows the correct default service.

            Weird, I have various Server 2016 and now 2019 with WSUS, and while dual scan was an issue for me on Server 2012/2012 R2, not anymore.
