During Windows development, Microsoft tries to find every risk and vulnerability to security breaches that can cause problems or downtime, such as external access, buffer overflows, blue screens, and system crashes. Even after the final version release, it is common to find these errors and bad functions in Windows. That's why Microsoft has a service named Windows Update, which provides update packages for all these problems that may arise in Hyper-V or any other component of Windows. It is also important to note that Microsoft has security teams that try to find security breaches before someone with bad intentions does. To make sure your servers are safe against all these threats, you need to make sure that they are up-to-date, with all updates installed.
The Nano Server installation option is a good option to reduce the number of updates to be installed once only the core components are used, but this doesn't mean that you don't need to install updates for it. Some of these updates are designed to modify or improve the core components of Windows, whether Nano Server, Windows Server 2016 Server Core, or Windows Server 2016 Server with Desktop Experience.
Configuring Windows Updates should not be confused with the servicing models Current Branch for Business (CBB) or Long Term Servicing Branch (LTSB), although there is a correlation.
For example, if you choose the Nano Server installation option, you will be opting for a more active servicing model and the operating system will be actively updated along the lines of Windows 10, with new features and functionality. This update experience is known as CBB and supports the fact that having the current features within the operating system are important to your business. If you're looking for a low-change servicing model, it is likely you will opt for LTSB.
The following recipe will show you how to configure Windows Update settings in Windows Server 2016 Server with Desktop experience, Windows Server 2016 Server Core, and Nano Server installations.
The Microsoft software update services can be accessed via the Internet or through an internal server named Windows Server Update Services (WSUS). Make sure you have your internal WSUS server up and running; you can also download the updates directly from the Internet onto your server or copy downloaded updates from another computer.
The following steps will show you how to configure Windows Update for both Windows Server 2016 Server with Desktop Experience, Server Core, and Nano Server installation options:
sconfig
in the command prompt.5
to select the option Windows Update Settings, as shown in the following screenshot:A
for automatic or M
for manual updates. If you choose manual updates, the system will never check for updates, and they will have to be installed manually, but if you choose automatic updates, the system will check for updates at 3:00 A.M. every day, by default; you can change this later by using Group Policy. Click on OK in the Update Settings pop-up.6
in the Server Configuration window to select Download and Install Updates.A
to search for all updates, or type R
for recommended updates only. A
to install all updates, N
to quit without installing, or S
to select a single update. If you elect to update the system, click on Yes to restart the computer and apply the updates.16
to quit sconfig.You can alternatively use Group Policy to configure Windows Update. To use Local Group Policy Editor to set Windows Update configuration, type gpedit.msc
in the Start menu or at the command prompt. Nano Server will also apply Local Group Policies, but these policies are ingested via policy files (.pol
files) using the PowerShell commandlet Import-GPRegistryPolicy
. The policy file itself can be generated from either a GPO backup, or it can be generated with Export-GPRegistryPolicy
PowerShell commandlet.
WSUS01
has been used. Click on OK when finished:Enter-PSSession -VMName <VMName>
$session = New-CimInstance –Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession Invoke-CimMethod -InputObject $session -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=0";OnlineScan=$true}
$session = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession $scanResults = Invoke-CimMethod -InputObject $session -MethodName ApplyApplicableUpdates
Restart-Computer
Enter-PSSession -VMName <VMName>.
$session = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession $scanResults = Invoke-CimMethod -InputObject $session -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=1";OnlineScan=$true} $scanResults | select -expand updates
The Windows Update service can be configured using the Settings, Update & Security option for Windows Server 2016 Server with the Desktop Experience, via CIM for Nano Server, or via the command line and sconfig
for Server Core scenarios.
For a single server installation or standalone servers, the Settings, Update & Security option is the most effective, although this assumes Windows Server 2016 Server with Desktop Experience is being used. For Nano Server, you simply need to establish a remote PowerShell session, and with sconfig
, you don't even need to know how to use the configuration commands to set up Windows Updates on Server Core.
For domain-joined servers or standalone servers that require WSUS configuration, you have to use group policies, with the exception here being Nano Server, as Nano Server does not process group policies "only local policies". For Windows Server 2016 with Desktop Experience and for Server Core scenarios, you saw how to use the group policy option. However, using Active Directory, you can also apply policies using Group Policy Objects (GPOs), which can be linked to an organizational unit with multiple servers.
It is important to remember that Windows updates have to be applied to every computer; it doesn't matter whether they are physical or virtual, clients or servers. Make sure that the Windows Update policy for the Hyper-V servers is aligned to your business requirements, as some updates require a reboot. Also, for production environments, the use of WSUS is strongly recommended.
With this configuration on every computer, you will make sure your servers are protected with the latest updates.
3.145.166.7