The third party software did exactly what it was designed to do:
Push security updates automatically, while holding back feature updates for testing.
This is standard operating procedure. Security updates are not supposed to change anything about how a server works, so the risk of breakage is very low.
And they need to be installed as fast as possible, to patch holes that are now known to every attacker.
Microsoft were the ones who pushed out a new Server OS installation and labelled it as security update.
The third party software did exactly what it was designed to do:
Push security updates automatically, while holding back feature updates for testing.
This is standard operating procedure. Security updates are not supposed to change anything about how a server works, so the risk of breakage is very low.
And they need to be installed as fast as possible, to patch holes that are now known to every attacker.
Microsoft were the ones who pushed out a new Server OS installation and labelled it as security update.