How to Configure Windows Server 2016 Automatic Updates

Keeping Windows Server 2016 patched with the latest security updates is one of the most fundamental responsibilities of any system administrator. Unpatched systems are a leading cause of successful cyberattacks, and Windows Server environments are high-value targets. Windows Server 2016 includes several mechanisms for configuring automatic updates, from basic Windows Update settings to more granular Group Policy controls. This guide covers all key approaches to configuring automatic updates on Windows Server 2016 to ensure your systems stay current without requiring constant manual intervention.

Windows Server 2016 uses the same Windows Update infrastructure as desktop Windows, but the update behavior and defaults differ. By default, Windows Server 2016 does not automatically install updates without user or administrator interaction in order to prevent unexpected reboots that could disrupt services. This default behavior must be changed through configuration to enable truly automatic patching.

Configuring Automatic Updates via the Settings App

The simplest method to enable automatic updates is through the Windows Settings application. Open Settings from the Start menu, navigate to Update & Security, then Windows Update. Click “Advanced options” to access the automatic update configuration. Here you can toggle on “Give me updates for other Microsoft products when I update Windows” and configure restart behavior.

However, for production server environments, the Settings app method is not ideal because it does not give granular control over update schedules, reboot windows, or the types of updates applied. Group Policy provides much more control and is the recommended approach.

Configuring Automatic Updates via Group Policy

Group Policy is the preferred method for configuring automatic updates in Active Directory environments because it allows centralized management across many servers. Open the Group Policy Management Console (GPMC) on a domain controller or management workstation. Create a new GPO or edit an existing one, then navigate to:

Computer Configuration > Administrative Templates > Windows Components > Windows Update

The key policy to configure is “Configure Automatic Updates.” Double-click it, set it to Enabled, then choose the update behavior from the dropdown. The recommended option for servers is option 4, “Auto download and schedule the install,” which lets you specify a day of the week and time for automatic installation. This allows you to schedule updates during maintenance windows to avoid disrupting business hours.

Additional important policies to configure in the same location include:

No auto-restart with logged on users for scheduled automatic update installations: Set this to Enabled to prevent servers from rebooting while a user session is active. This is important for Remote Desktop Services servers.

Automatic Updates detection frequency: Set this to a value such as 22 hours to control how often the Windows Update client checks for new updates.

Allow Automatic Updates immediate installation: Enables immediate installation of updates that do not require a reboot, such as driver updates and minor patches.

Configuring Automatic Updates via Registry

For servers that are not joined to a domain or when Group Policy is not available, you can configure automatic updates directly through the registry. Open an elevated PowerShell prompt and run the following commands to configure automatic download and scheduled installation:

# Configure automatic updates (4 = auto download and scheduled install)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -Name "AUOptions" -Value 4 -Type DWord

# Set install day (0=every day, 1=Sunday, 2=Monday, etc.)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -Name "ScheduledInstallDay" -Value 1 -Type DWord

# Set install time (22 = 10 PM)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -Name "ScheduledInstallTime" -Value 22 -Type DWord

# Enable automatic updates
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -Name "NoAutoUpdate" -Value 0 -Type DWord

The registry key must exist before you set these values. If it does not exist, create it first, then run the Set-ItemProperty commands:

# Create the AU policy key (and any missing parent keys) if it is absent
If (-not (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU")) {
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force
}
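
To confirm that the registry values in this section are in place and have not drifted, the following added example (not part of the original guide) reads the AU policy key and compares each value with the baseline used above. The function name Test-AUPolicyBaseline and the baseline table are assumptions made for illustration.

```powershell
# Added example: audit the Windows Update AU policy values against this guide's baseline.
$AUPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected values, taken from the Set-ItemProperty commands in this section.
$Baseline = [ordered]@{
    NoAutoUpdate         = 0    # automatic updates enabled
    AUOptions            = 4    # auto download and scheduled install
    ScheduledInstallDay  = 1    # Sunday
    ScheduledInstallTime = 22   # 10 PM
}

# Hypothetical helper: returns one result object per baseline value.
function Test-AUPolicyBaseline {
    param(
        [string]$Path = $AUPath,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    # A missing key means no policy is configured at all; report every value as not set.
    $props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    foreach ($name in $Expected.Keys) {
        $actual = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

$report = Test-AUPolicyBaseline
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning "Windows Update policy differs from the baseline on $env:COMPUTERNAME"
}
```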

Configuring Maintenance Windows and Reboot Behavior

Controlling when servers reboot after update installation is critical for production environments. Windows Server 2016 supports Active Hours, which prevent automatic reboots during specified times. Configure Active Hours via Group Policy under:

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Turn off auto-restart for updates during active hours

You can also configure the restart deadline using the policy “Specify deadline before auto-restart for update installation.” This forces a reboot within a defined number of days after an update is installed, ensuring systems do not remain unpatched indefinitely due to an administrator deferring reboots.

To check current Windows Update configuration on a server using PowerShell:

$AUSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
$AUSettings | Select-Object NotificationLevel, ScheduledInstallationDay, ScheduledInstallationTime, ReadOnly

Checking Update History and Status

After configuring automatic updates, verify the configuration is working as expected by reviewing the update history. Use PowerShell to view recently installed updates:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 30 | Format-Table -AutoSize

To check which updates are currently pending installation:

$UpdateSession = New-Object -ComObject "Microsoft.Update.Session"
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$Updates = $UpdateSearcher.Search("IsInstalled=0 and Type='Software'")
$Updates.Updates | Select-Object Title, MsrcSeverity | Format-Table -AutoSize

Regularly reviewing update history and monitoring for failed updates is essential. Configure alerting in your monitoring system to notify administrators when updates fail to install or when a server has not been updated within an acceptable timeframe. The combination of automatic update configuration and proactive monitoring creates a robust patching posture for Windows Server 2016 environments.
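
One way to feed such alerting, shown as an added example that is not part of the original guide: the script below reads the Windows Update history, reports failed installs that were never followed by a success, and flags the server as stale when no update has installed within a threshold. The function name Get-PatchHealth, the 35-day threshold, and the title patterns used to skip antimalware definition updates are assumptions.

```powershell
# Added example: summarize patch health from the Windows Update history for monitoring.
function Get-PatchHealth {
    param(
        [int]$MaxAgeDays   = 35,   # assumed threshold; set to your patching policy
        [int]$HistoryDepth = 200   # number of most recent history entries to inspect
    )
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $entries  = @()
    if ($total -gt 0) {
        # Operation 1 = installation. Definition updates are excluded (title patterns are
        # an assumption) so that daily signature updates do not mask stale OS patching.
        $entries = @($searcher.QueryHistory(0, [Math]::Min($total, $HistoryDepth)) |
            Where-Object { $_.Operation -eq 1 -and
                           $_.Title -notmatch 'Definition Update|Security Intelligence Update' })
    }
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    $ok  = @($entries | Where-Object { $_.ResultCode -in 2, 3 })
    $bad = @($entries | Where-Object { $_.ResultCode -in 4, 5 })

    # Keep only failures with no later successful install of the same update (retries succeed).
    $unresolved = @($bad | Where-Object {
        $f = $_
        -not ($ok | Where-Object { $_.Title -eq $f.Title -and $_.Date -gt $f.Date })
    })

    # History dates are UTC; an empty history leaves $last as $null and counts as stale.
    $last = ($ok | Sort-Object Date -Descending | Select-Object -First 1).Date
    $age  = if ($last) { [int]([DateTime]::UtcNow - $last).TotalDays } else { $null }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        LastSuccessUtc     = $last
        DaysSinceSuccess   = $age
        Stale              = ($null -eq $age) -or ($age -gt $MaxAgeDays)
        UnresolvedFailures = @($unresolved | Select-Object -ExpandProperty Title -Unique)
    }
}

$health = Get-PatchHealth
$health | Format-List
if ($health.Stale -or $health.UnresolvedFailures.Count -gt 0) {
    Write-Warning "Patch health check failed on $($health.Computer)"
}
```

Run it from a scheduled task or monitoring agent and alert on the warning or on the Stale and UnresolvedFailures fields of the returned object.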