Server 2016 - Force Default Update Server to WSUS Server Via GPO

wrx7m

I recently ran into an issue after starting to use PSWindowsupdate (https://mangolassi.it/topic/19897/pswindowsupdate-use-powershell-and-other-tools-to-automate-windows-updates) where Server 2016 had GPOs set to point the servers to a local WSUS server. The problem was that the server was actually going to Microsoft's public internet update server. When running the following in PowerShell -

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

I found that the IsDefaultService for Windows Server Update Service was set to False and Windows Update was set to true.

Name                          IsDefaultAUService
----                          ------------------
Windows Store (DCat Prod)                  False
Windows Server Update Service              False
Windows Update                              True

I found that these GPO settings, as outlined by, alexander.polomodov, at serverfault.com (https://serverfault.com/questions/857607/windows-server-2016-not-updating-through-wsus/868356), fixed the issue. There may be settings that aren't really required, but I do know that this fixed my issue. Now IsDefaultAUService shows true for Windows Server Update Service.

Here is his post-

"The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

Here is what you have to do to fix it: Run the following commands in Powershell on the offending server

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

You will get something back like this:

Windows Update Standalone Installer - False
Windows Server Update Service - False
Windows Update - True

If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...

The first thing you have to do is make sure the following patches are installed on your server.

kb4103720 and kb4462928

You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

**Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations**

Set to "Enabled"
Select search order: "Do not search Windows Update"

Specify the search server for device driver updates

Set to "Enabled"
Select Update Server: "Search Managed Server"

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')

Set to "Enabled"

Turn off access to the Store

Set to "Enabled"

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Set to "Enabled"

No auto-restart with logged on users for scheduled automatic updates installations

Set to "Enabled"

Specify intranet Microsoft update service location

Set to "Enabled"
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"
Set the intranet statistics server:"http://[YOUR SERVER]:8530"
Set the alternate download server: "http://[YOUR SERVER]:8530"
Uncheck the box Download files with no Url in the metadata if alternate download server is set

Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

Run the above powershell commands again.

It should now say

Name                                   IsDefaultAUService    
-------                                 --------------------------  
Windows Server Update Service              True  
Windows Update                             False

If you get "Windows Server Update Service" True, then it should work!"

dbeato

This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

wrx7m

@dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 show the correct default service.

dbeato

@wrx7m said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

@dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 show the correct default service.

Weird, I have various Server 2016and now 2019 with WSUS and while dual scan was an issue for me on Server 2012/ 2012 R2 not anymore.