How to Apply LTSC Updates and Servicing on Windows Server 2016

Introduction

Windows Server 2016 follows the Long-Term Servicing Channel (LTSC), receiving cumulative security and reliability updates monthly. Understanding the update model and using PowerShell and WSUS for update management ensures servers remain secure and stable throughout the support lifecycle.

Checking Current Update Status

Verify installed updates and pending patches:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20

$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending = $searcher.Search('IsInstalled=0')
Write-Host "Pending updates: $($pending.Updates.Count)"

Installing Updates with PSWindowsUpdate

Use the PSWindowsUpdate module for scripted patching:

Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate -AcceptAll -AutoReboot

Configuring WSUS via Registry

Point servers at a WSUS server for centralised update management:

$wu = 'HKLM:SOFTWAREPoliciesMicrosoftWindowsWindowsUpdate'
New-Item -Path $wu -Force
Set-ItemProperty -Path $wu -Name WUServer -Value 'http://wsus.contoso.com:8530'
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'http://wsus.contoso.com:8530'
$au = "$wuAU"
New-Item -Path $au -Force
Set-ItemProperty -Path $au -Name UseWUServer -Value 1
Set-ItemProperty -Path $au -Name AUOptions -Value 4
wuauclt /detectnow

Deferring Updates

Use registry settings to defer quality updates:

Set-ItemProperty -Path $wu -Name DeferQualityUpdates -Value 1
Set-ItemProperty -Path $wu -Name DeferQualityUpdatesPeriodInDays -Value 14

Compliance Reporting

Report patch compliance across a server fleet:

$servers = Get-ADComputer -Filter {OperatingSystem -like '*2016*'} | Select-Object -ExpandProperty Name
$report = foreach ($srv in $servers) {
    try {
        $count = (Get-HotFix -ComputerName $srv -ErrorAction Stop | Measure-Object).Count
        [PSCustomObject]@{Server=$srv; HotfixCount=$count; Status='OK'}
    } catch {
        [PSCustomObject]@{Server=$srv; HotfixCount=0; Status='UNREACHABLE'}
    }
}
$report | Export-Csv C:ReportsPatchCompliance.csv -NoTypeInformation

Summary

Managing Windows Server 2016 updates through LTSC, WSUS, and PSWindowsUpdate gives administrators complete control over the patching pipeline. Regular compliance reporting and staged rollouts ensure the server fleet stays secure without unexpected downtime from untested updates.