How to Configure Windows Server 2019 Automatic Updates
Keeping Windows Server 2019 patched is a critical security and operational requirement. Automatic Updates can be configured through multiple channels: the built-in Windows Update settings, Group Policy Objects (GPOs), registry keys, or PowerShell. This guide covers each approach in detail, including how to control update timing, classify update types, manage reboots, and verify update compliance across your server infrastructure.
Understanding Windows Update Behavior on Server 2019
By default, Windows Server 2019 checks for updates automatically but does not install them without administrator interaction. This cautious default is appropriate for production servers. The Windows Update service (wuauserv) runs as a background process and communicates with either the Microsoft Update catalog or an internal WSUS server. Updates are grouped into several categories: Critical Updates, Security Updates, Update Rollups, Service Packs, Feature Packs, and Driver updates.
The Windows Update for Business (WUfB) deferral model is available on Windows Server 2019. It allows you to defer quality (security and bug-fix) updates by up to 30 days and feature updates by up to 365 days, providing time to test updates in a lab environment before broad deployment.
Configuring Automatic Updates via PowerShell
The PSWindowsUpdate module provides comprehensive PowerShell-based update management. Install it first:
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
# Import the module
Import-Module PSWindowsUpdate
# List available updates
Get-WindowsUpdate
# Install all available updates silently and auto-reboot if needed
Install-WindowsUpdate -AcceptAll -AutoReboot
# Install only security updates
Install-WindowsUpdate -Category "Security Updates" -AcceptAll
# Schedule updates for 2 AM as a daily task running as SYSTEM (so it runs with no user logged on)
$trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
-Argument '-Command "Import-Module PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File C:\WULog.txt"'
Register-ScheduledTask -TaskName "AutoWindowsUpdate" -Trigger $trigger -Action $action -User "NT AUTHORITY\SYSTEM" -RunLevel Highest -Force
Configuring Automatic Updates via Group Policy
For domain-joined servers, Group Policy is the preferred method for centralized update configuration. Open the Group Policy Management Console (GPMC) on a domain controller and create or edit a GPO linked to the Servers OU:
Computer Configuration
> Administrative Templates
> Windows Components
> Windows Update
Key settings:
1. "Configure Automatic Updates"
Value: Enabled
Option: 4 = Auto download and schedule the install
Scheduled install day: 0 = Every day
Scheduled install time: 03:00
2. "Specify intranet Microsoft update service location"
Value: Enabled
Intranet update service for detecting updates: http://wsus.domain.local:8530
Intranet statistics server: http://wsus.domain.local:8530
3. "Allow Automatic Updates immediate installation"
Value: Enabled
4. "No auto-restart with logged on users for scheduled automatic updates installations"
Value: Disabled (servers should reboot even with sessions)
5. "Re-prompt for restart with scheduled installations"
Value: Enabled
Wait: 10 minutes
Force policy application on a server immediately:
gpupdate /force
Configuring Automatic Updates via Registry
For non-domain servers or scripted deployments, configure the Windows Update registry keys directly:
# Set Automatic Updates configuration in registry
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Create the key if it doesn't exist
New-Item -Path $regPath -Force
# Enable automatic updates
Set-ItemProperty -Path $regPath -Name "NoAutoUpdate" -Value 0 -Type DWord
# Set update behavior: 4 = Download and schedule install
Set-ItemProperty -Path $regPath -Name "AUOptions" -Value 4 -Type DWord
# Set schedule: day 0 (every day), time 3 (3 AM)
Set-ItemProperty -Path $regPath -Name "ScheduledInstallDay" -Value 0 -Type DWord
Set-ItemProperty -Path $regPath -Name "ScheduledInstallTime" -Value 3 -Type DWord
# Auto-install minor updates
Set-ItemProperty -Path $regPath -Name "AutoInstallMinorUpdates" -Value 1 -Type DWord
# Enable recommended updates via Microsoft Update
Set-ItemProperty -Path $regPath -Name "IncludeRecommendedUpdates" -Value 1 -Type DWord
Deferring Updates with Windows Update for Business
Windows Update for Business allows granular control over when updates are installed. Configure deferral policies via Group Policy:
Computer Configuration
> Administrative Templates
> Windows Components
> Windows Update
> Windows Update for Business
"Select when Quality Updates are received"
Value: Enabled
Defer quality updates: 14 days
Pause quality updates: (leave unchecked)
"Select when Preview Builds and Feature Updates are received"
Value: Enabled
Select the Windows readiness level: Semi-Annual Channel
Defer feature updates: 180 days
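The same deferral settings applied as policy registry values for servers that are not domain-joined, as an added example that is not part of the original guide. It assumes the value names below under the WindowsUpdate policy key are the ones the two GPO settings write (confirm on a domain-joined reference server with gpresult before relying on them); the BranchReadinessLevel value 32 for Semi-Annual Channel is likewise an assumption.

```powershell
# Added example (not from the original guide): the Windows Update for Business
# deferral policy from the GPO section, written directly to the policy registry key.
# Assumption: these value names are what the GPO writes; verify with gpresult /h.
$wufbPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
New-Item -Path $wufbPath -Force | Out-Null

# "Select when Quality Updates are received": Enabled, defer 14 days, no pause
Set-ItemProperty -Path $wufbPath -Name "DeferQualityUpdates" -Value 1 -Type DWord
Set-ItemProperty -Path $wufbPath -Name "DeferQualityUpdatesPeriodInDays" -Value 14 -Type DWord
# Leaving "Pause quality updates" unchecked means no pause start time is set
Remove-ItemProperty -Path $wufbPath -Name "PauseQualityUpdatesStartTime" -ErrorAction SilentlyContinue

# "Select when Preview Builds and Feature Updates are received":
# Enabled, readiness level Semi-Annual Channel (assumed value 32), defer 180 days
Set-ItemProperty -Path $wufbPath -Name "BranchReadinessLevel" -Value 32 -Type DWord
Set-ItemProperty -Path $wufbPath -Name "DeferFeatureUpdates" -Value 1 -Type DWord
Set-ItemProperty -Path $wufbPath -Name "DeferFeatureUpdatesPeriodInDays" -Value 180 -Type DWord

# Read the values back so the change can be confirmed in a deployment log
Get-ItemProperty -Path $wufbPath |
    Select-Object DeferQualityUpdates, DeferQualityUpdatesPeriodInDays,
                  BranchReadinessLevel, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays
```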
Controlling Automatic Reboot Behavior
Production servers may require controlled reboot windows. Use the following GPO settings and registry values to manage restarts:
# Configure active hours to prevent reboots during business hours (8 AM to 8 PM)
$wuPath = "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings"
Set-ItemProperty -Path $wuPath -Name "ActiveHoursStart" -Value 8 -Type DWord
Set-ItemProperty -Path $wuPath -Name "ActiveHoursEnd" -Value 20 -Type DWord
# Set maximum active hours range (up to 18 hours)
Set-ItemProperty -Path $wuPath -Name "ActiveHoursMaxRange" -Value 18 -Type DWord
# Via Group Policy:
# Computer Configuration > Administrative Templates > Windows Components > Windows Update
# "Specify active hours range for auto-restarts"
# Active hours start: 8, Active hours end: 20
Verifying Update Status and History
After configuring automatic updates, verify the configuration and recent update history:
# Check Windows Update configuration
$wu = New-Object -ComObject "Microsoft.Update.AutoUpdate"
$wu.Settings | Select-Object NotificationLevel, ScheduledInstallationDay, ScheduledInstallationTime
# View update history
$session = New-Object -ComObject "Microsoft.Update.Session"
$searcher = $session.CreateUpdateSearcher()
$historyCount = $searcher.GetTotalHistoryCount()
$history = $searcher.QueryHistory(0, $historyCount)
$history | Select-Object Title, Date, ResultCode |
    Where-Object { $_.ResultCode -eq 2 } | # 2 = Succeeded
    Sort-Object Date -Descending |
    Select-Object -First 20 | Format-Table -AutoSize
# Check last update check time
(New-Object -ComObject "Microsoft.Update.AutoUpdate").Results.LastSearchSuccessDate
Regular auditing of update compliance is essential. Use WSUS reports or Microsoft Update Compliance in Azure Monitor to identify servers that are missing critical patches and take corrective action promptly. Set up email alerts when servers miss scheduled update windows to catch configuration drift early.
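A local compliance check that ties the pieces above together, as an added example that is not part of the original guide: it compares the effective Automatic Updates policy with the baseline this guide configures, flags a server whose last successful scan is older than a threshold, and counts pending updates in the Security Updates category. The function name, the baseline hashtable and the thresholds are illustrative choices, not part of any Microsoft API; the COM objects and search criteria are the same ones used in the verification section.

```powershell
# Added example (not from the original guide): drift and compliance check for one server.
# Assumptions: baseline values are the ones set earlier in this guide; the function
# name and the MaxDaysSinceSearch threshold are illustrative.
function Test-WUCompliance {
    param(
        [int]$MaxDaysSinceSearch = 3,   # alert when no successful scan within this window
        [hashtable]$Baseline = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Policy drift: every baseline value must be present in the AU policy key and match
    $auPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
    $au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        $actual = if ($au) { $au.$name } else { $null }
        if ($actual -ne $Baseline[$name]) {
            $findings.Add("Policy drift: $name is '$actual', expected $($Baseline[$name])")
        }
    }

    # 2. Stale scan: the agent has not completed a successful search recently
    $results = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Results
    $lastSearch = $results.LastSearchSuccessDate
    if (-not $lastSearch -or $lastSearch -lt (Get-Date).AddDays(-$MaxDaysSinceSearch)) {
        $findings.Add("Stale scan: last successful search was '$lastSearch'")
    }

    # 3. Pending security updates: applicable, not hidden, not yet installed
    $searcher = (New-Object -ComObject "Microsoft.Update.Session").CreateUpdateSearcher()
    $pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $security = @($pending | Where-Object {
        ($_.Categories | ForEach-Object Name) -contains "Security Updates"
    })
    if ($security.Count -gt 0) {
        $findings.Add("Pending security updates: " + (($security | ForEach-Object Title) -join "; "))
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Compliant       = ($findings.Count -eq 0)
        LastSearch      = $lastSearch
        PendingSecurity = $security.Count
        Findings        = $findings
    }
}

# Run locally; route the object to your alerting when Compliant is $false
Test-WUCompliance
```

The search in step 3 queries the configured update source (Microsoft Update or WSUS), so it can take a minute or more and needs network access to that source.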