How to change Windows Update settings using SCONFIG.


In this post, we are going to walk through how to manage the Windows Update settings on Windows Server 2016.

Applies to:

  • Server with Desktop Experience
  • Server Core

 

Validate your current WU settings using SCONFIG

To determine what updates your machine has already installed, follow these steps:

  • Open a command prompt with Admin permissions.
  • Type sconfig and press Enter.
    • NOTE: There may be a short pause as the tool inspects your system.

       

  • Option #5 shows the current configuration of your Windows Update settings.

     

Change your Windows Update Settings

To change your Windows Update Settings with SCONFIG, follow these steps:

  • Open a command prompt with Admin permissions.
  • Type sconfig and press Enter.
    • NOTE: There may be a short pause as the tool inspects your system.

       

  • Press 5 and then Enter. This will bring up the following options for you to choose from:

     

     

    • (A)utomatic – This will configure your machine to automatically scan, download, install and reboot after applying any updates.
    • (D)ownloadOnly – This will automatically scan, download and notify the admin if updates need to be installed. This is the default setting on Windows Server 2016.
    • (M)anual – This turns Automatic Updates off. Your system will never check for updates.

       

  • Press the letter specified in the "( )" and press Enter to apply.
  • When the tool applies the configuration you have selected, you will see a message pop-up similar to the one below. Click the OK button to dismiss the message. The tool will refresh the menu and option 5 will now show the new configuration.

     

     

That's it, you are all set.
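To check the same configuration from a script instead of the SCONFIG menu, the following read-only PowerShell example reports the Automatic Updates registry values that the comments below refer to. It is an added example, not part of the original post or of SCONFIG. It assumes the values live under the policy key documented in the TechNet article linked in the comments; the function name Get-WUPolicyMode and the mode descriptions are illustrative, and the page does not say which values each SCONFIG option writes.

```powershell
# Added example: read-only check of the Automatic Updates registry values.
# Assumption: the settings are stored under this policy key.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented meanings of the AUOptions value.
$AuOptionText = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Automatic Updates required, local users can configure it'
}

function Get-WUPolicyMode {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$Path = $AuKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A commenter notes SCONFIG cannot change the setting when this key is missing.
        return [pscustomobject]@{
            KeyExists    = $false
            NoAutoUpdate = $null
            AUOptions    = $null
            Mode         = 'AU key missing'
        }
    }

    $values = Get-ItemProperty -LiteralPath $Path
    $noAuto = $values.NoAutoUpdate   # 1 = Automatic Updates disabled
    $option = $values.AUOptions      # absent values come back as $null

    $mode = if ($noAuto -eq 1) {
        'Automatic Updates disabled'
    } elseif ($null -ne $option -and $AuOptionText.ContainsKey([int]$option)) {
        $AuOptionText[[int]$option]
    } else {
        'AUOptions not set in this key'
    }

    [pscustomobject]@{
        KeyExists    = $true
        NoAutoUpdate = $noAuto
        AUOptions    = $option
        Mode         = $mode
    }
}

Get-WUPolicyMode | Format-List
```

Run it from an elevated PowerShell prompt and compare the reported mode with what option 5 shows in SCONFIG.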

Your thoughts, questions and feedback are very valuable to us and we encourage you to share them in the comments section below.


Comments (47)

  1. anon says:

    I would like a setting “notify only”

    1. Can you elaborate a bit more on the scenario in which you see this option being used? We have the ability today to configure the machine to scan for updates and notify the admin if any need to be downloaded. Learn more at: https://technet.microsoft.com/en-us/library/cc708449(v=ws.10).aspx

  2. Harry Johnston says:

    Note that sconfig can’t change the WU settings if the WindowsUpdate\AU registry key doesn’t exist. (This can happen, for example, if you have a group policy applied to the system and then remove it.)

    Also that the Windows Update Settings panel seems to have a nasty habit of installing updates without permission no matter what the settings are.

    1. Buckethead says:

      SCONFIG doesn’t prevent reboots outside of active hours. Go into task scheduler, scroll to Update Orchestrator look for the “reboots” task open actions and replace the entry with something else. Removing the “system” permission or setting the perm to “deny” on the “reboots” task perms doesn’t work as the OS resets the perms

  3. In Desktop Version I’m able to adjust the time when the server is allowed to reboot automatically. Is there an option in Core Version too?
    So that the server can automatically Download and Install all Updates and then (on a given time) it will reboot itself?!

    1. This feature does not exist on Windows Server 2016 (Server Core), but we are really keen on understanding when and how you would use it if it were implemented. Could you elaborate a bit more about your scenario? Such as would it be used on Hyper-V hosts, Domain Controllers, etc.? Thanks for helping improve the product.

      1. In Domain Controllers it would be absolutely great! in Hyper-V and other clusters the CAU is doing fine at the moment

  4. Mahadev says:

    Though I have done it on day 1 after the install of 2016, it’s still not downloading the hot-fixes automatically. Internet/proxy all are working. I have scheduled it for midnight 3AM, but no fixes are being downloaded nor getting installed automatically, on my 6 servers.

    1. Did you use SCONFIG to change the default? If you check the registry value for the AUOption, what is it set to? You can find the exact key by using the following: https://technet.microsoft.com/en-us/library/cc708449(v=ws.10).aspx.

  5. gchq says:

    I ran SConfig and 5 is set to ‘DownloadOnly’ – however update status says ‘Your device is scheduled to restart outside of active hours’ – active hours for us are 24/7 apart from scheduled maintenance on the Saturday after patch Tuesday. Is this warning just there to make us head for the brandy bottle in sheer panic, or will it carry out the threat and throw us under the proverbial bus with an unmonitored restart when it feels like it?

    With preview 5 we set this in group policy and it patiently waited after installing x-days until we were ready to reboot

    Server 2016 – Desktop Experience.

    Thanks

    1. gchq says:

      Seems like the only answer is to disable ‘Reboot’ in Task Scheduler UpdateOrchestrator and rename the Reboot file to prevent Windows re-enabling the schedule again… It would be bad enough having a desktop rebooting of its own accord – but a server??

    2. This is a known bug in the Windows Update Settings UI in which the text does not correctly reflect the configuration of your Windows Update settings. The feature team is actively working on a fix. At this time, we recommend that you leverage SCONFIG to verify your server’s update configuration.

      1. Nenad says:

        Does this bug still exist? Because it doesn’t matter what I configure, it always shows me “automatically download and install….”

        1. [UPDATE – 3/8/2017] The fix should be available in the March 2017 cumulative update.

  6. Kevin Dahl says:

    Why would you build a command line interface that then has the confirmation dialog outside of the command line?

    Also, the install updates feature has such minimal feedback that it’s rather useless – it currently says ‘Downloading updates…’, though I know they were already downloaded and I can see that it’s installing them when I look at the resource monitor.

    This sconfig solution looks to be pretty half baked at this point. The whole windows update path on Server 2016 is feeling disturbingly incomplete.

    1. SCONFIG was meant to provide a very basic and quick way to configure and manage several common aspects of Server Core installations. It is called out above to provide a way to verify your server’s Update configuration until the fix for the Windows Update Settings page can be implemented.

  7. Onder Cura says:

    I thought sconfig was deprecated as part of Windows Server 2016? Shouldn’t we be using PowerShell to do this instead?

    1. We recommend using PowerShell whenever possible. SCONFIG is not yet on a deprecation path and is available to use on Windows Server 2016 (Server Core) and Windows Server 2016 (Desktop Experience) install options.

  8. Sean says:

    Active hours should be more than 12 hours, and we should also be able to select which weekdays are active/inactive, our business is almost 24/7 and we would like the ability to select inactive hours of Sunday between 1am and 5am which is a more likely time we will not have active users on the system.

    It would also be really, really good if the updates downloaded through a proxy server. With our proxy the updates are detected, but the downloads never go past 0%. Open the firewall, remove the proxy and all of a sudden it works. This is very frustrating when wanting to do manual updates instead of relying on SCCM/WSUS

    1. Thank you for the feedback. I will pass this along to the development team.

  9. mdw says:

    There’s an issue with the settings and the UI being out of sync.

    I used SCONFIG to set updates to Manual. But the Settings UI (even after restarting the machine) states “Available updates will be downloaded and installed automatically, except over metered connections…”

    Any ideas from the Microsoft folks on this discrepancy?

    1. This is a known bug in the Windows Update Settings UI in which the text does not correctly reflect the configuration of your Windows Update settings. The feature team is actively working on a fix. At this time, we recommend that you leverage SCONFIG to verify your server’s update configuration.

  10. mdw says:

    We’re migrating to Server 2016 w/desktop experience and want to set a specific date and time every week (or month) to automatically check for and apply Windows Updates. Outside of the time window we specify we don’t want any downloading or checking for updates.

    Is this possible? We’re fine with using powershell if that helps.

    1. In order to configure a weekly install schedule please use the “Configure Automatic Updates Group” policy Option 4 and pick the day and time of install. If you also use the “Always Automatically Restart at Scheduled Time” then we will only restart the device for Updates then.

      Irene Giannoumis
      Senior Program Manager

  11. anon says:

    Apologies for the off-topic remark but the Microsoft Update Catalog, although recently updated to remove the ActiveX requirement and the cart, is still in dire need of a major overhaul. Its navigation should not include pop-ups for downloading files and the files themselves need to be labelled and presented more clearly. Furthermore, most of the contact links on the Update Catalog appear to be no longer valid so users don’t know how to contact you.

  12. mdw says:

    Got a BIG problem with Windows Update on Server 2016.

    I’ve downloaded: “Cumulative Update for Windows Server 2016 for x64-based Systems (KB3201845)”. It downloads, but then stops “forever” at: “Downloading updates 95%”. Absolutely nothing happens after that… no install or restart.

    Happening on multiple servers. They are all just sitting there and it’s been this way for DAYS. Some are production so don’t want to mess around.

    Help! Need a way out of this mess.

    1. I am sorry to hear that you have had problems installing the update. Please contact us via our support channel so that we can collect additional data from you that will help us assist you in finding a resolution to the problem you are experiencing. You can reach our support at https://support.microsoft.com/en-us/contactus/.

  13. zeik says:

    I just installed Windows Server 2016 – Desktop Experience version 1607 Build 14393.0. Running sconfig, the default setting for Windows Update appears to be “Manual”. Has this changed from the “Download Only” default setting mentioned in the article?

    The GUI bug still seems to be there as mine says “Available updates will be downloaded and installed automatically” Can I trust that the sconfig setting of Manual is accurate and the server won’t check for updates/install/reboot without manual intervention or do I need to apply additional GPO settings to make sure updates only get installed when we want them to?

    1. Lars Nykvist says:

      No, I got “Download only” as default setting when I entered sconfig. Also 2016 Desktop Experience and version 1607.

    2. SCONFIG reads the registry setting directly to populate the menu. Could it be that there is something during your login or provisioning process that changed your default setting before SCONFIG was started? By default Windows Server 2016 (Desktop Experience) is set to Download Only.

  14. Exchangeguy says:

    Why did you think it was a good idea to remove these settings from the GUI, where we are all accustomed to finding it quickly and easily? Instead, you make us search around for it, and fail to find it. Then we have to start searching the Internet for a solution, eventually finding the answer on this page. Then we see all the problems associated with the “new improved” method: dialog box outside the command window; fails to update the UI text stating the correct update settings (“known bug” = sloppy programming, or inadequate/lazy Quality Control). Again, what about this was a good idea?

    1. Mark Hewitson says:

      It gets even better when you go to check the WindowsUpdate.log and you can’t read it unless you run a powershell command to convert the ETW traces into a readable WindowsUpdate.log

  15. David M says:

    Could you elaborate on how the (A)utomatic setting decides when the install and reboot will happen?

  16. Kenan says:

    Are you guys planning on removing active hours for Server 2016? Or the possibility to disable?
    We are worried that this would trigger automatic restarts on some of our servers, so we haven’t decided if we really want to upgrade from 2012R2 just yet.

    I know that I can use sconfig, but this doesn’t seem to help us. Some updates do install on their own and require a restart, even though I had set it on (D) download only.

    1. Can you provide an example of an update that was installed automatically when you had the WU configuration set to “(D)ownload Only”?

  17. S Kandil says:

    I wanna ask about which option will work with WSUS?

    1. AutomaticUpdate and DownloadOnly options both should work with WSUS defined as your source for updates, as well as if you choose option number 6 (Download and install updates) from SCONFIG menu.

  18. mE.! says:

    Why is it necessary to limit Active Hours to a maximum of 12 hours? What’s the logic in that?
    It’s going to break all automatic updates because everyone is going to set it to Manual or Download only and never end up rebooting.

    1. Irene[MSFT] says:

      Thanks for the feedback, we have expanded Active Hours to 18. If you’d like a more predictable reboot schedule I would recommend leveraging the Always Autoreboot at Scheduled Time Group Policy. This along with Configure Automatic Updates (that takes a day of week and time) can let you specify when you are rebooted. Please refer to https://technet.microsoft.com/en-us/itpro/windows/manage/waas-restart for more info

  19. Antony Brooke-Wood says:

    Hi Derek, how about options to: (i) enable/disable Recommended Updates; (ii) enable/disable Microsoft Update; and (iii) configure the maintenance window? It’s annoying that you have to revert to other methods in order to handle those configuration items.

    1. Thank you for sharing your feedback. Are you suggesting adding these settings to the Windows Update page in the Settings UI or within SCONFIG?

  20. Gus says:

    Thanks. Very useful. 🙂

  21. Tim Anderson says:

    Give us the option to download and install then reboot at our discretion. We have locations that we can install the patches but have to wait for a 30 minute window for a reboot – we can’t patch and reboot in that time. We have multi-node clusters that we pre-load the updates and then when a maintenance window comes up we can just reboot each node in turn. Yes we have clusters so they shouldn’t be affected by these random reboots but we can’t find anything that specifically states that logic is incorporated in the update process to prevent multiple cluster members rebooting at the same time. Yes there is CAU but we can’t run that as we can only reboot once every 4 months, not monthly.

  22. Scott says:

    KB4013429 breaks Exchange 2016 in Hyper-V on Server 2016 if Content Filter is enabled, the transport service will stop.
    I have server set to download only, but I want to deny this patch. In the old days there was a simple check box to uncheck to not install a certain update. Please put this feature back in, as now I can’t install this update – nor probably can anyone in the world that has ContentFilter enabled and would like to use it.

  23. Jay says:

    Who took the windows update from control panel?

  24. How do I change the time for updates I don’t want all of them going off at 3 AM that is taxing to the bandwidth don’t you think?
