Do you use Group Policy to manage your Windows Update Policy?

Last updated by Kaique "Kiki" Biancatti [SSW] 8 months ago.

We all know it's important to keep our servers updated. Unfortunately, by default Windows will automatically download and install every new Windows Update on your servers. This means the servers will occasionally restart to install updates when you don't want them to, and you will also get annoying pop-ups nagging you to restart the computer.

Note: This rule is applied to both client PCs and servers.

It is also one more reason developers don’t like to join a company domain on their personal laptops!

Windows Update notification
Figure: Bad example - Windows 10 shows a 'Restart now' button. Do not press it by accident! Your production server and your users won't be happy!

updates restart
Figure: Bad example – Remember this nasty one from Vista days?

Note: Server patching is also achievable via SCCM (now Microsoft Configuration Manager), which gives you more control over when servers restart. WSUS can also be used in conjunction with Group Policy to control restart times and approve which updates are offered.

The best way to ensure you are still downloading updates, but not installing them automatically, is to use Group Policy.

  1. Create an Organizational Unit (OU) in Active Directory, and put all your Production Servers in the OU

updates adou
Figure: Add all your Production Servers to the Production Servers OU

  2. Create a new Group Policy Object (GPO) and link it to the Production Servers OU

updates gpo
Figure: Create a new Group Policy for your Production Servers

  3. Edit the new Group Policy Object and drill down to
    Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
  4. Open the
    Configure Automatic Updates item and set it to Enabled
  5. Set the Configure automatic updating option to 3 – Auto download and notify for install

updates editgp
Figure: Enable Configure Automatic Updates and select '3 – Auto download and notify for install'
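The same OU, GPO and policy change can be scripted, which is handy when you have more than one domain or want the change in source control. The script below is an added example written for this page; it is not part of the SSW rule and not an SSW tool. It covers the six steps above and also the check that follows them (that the setting is actually locked on the servers). Assumptions: the domain is whatever `Get-ADDomain` returns, the server names `PRODWEB01` and `PRODSQL01` are hypothetical, you run it with RSAT (the ActiveDirectory and GroupPolicy modules) as a user who can create OUs and GPOs, and WinRM is enabled on the servers for the verification step. The two registry values it writes (`NoAutoUpdate = 0`, `AUOptions = 3`) are exactly what the GPMC editor writes when you enable "Configure Automatic Updates" with option 3, so the GPO shows up in GPMC the same way as if you had clicked through the steps.

```powershell
# Added example for this page (not the SSW rule's own script).
# Assumes: RSAT with ActiveDirectory + GroupPolicy modules, rights to create OUs/GPOs,
# WinRM on the target servers. Server names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=com
$ouName   = 'Production Servers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Production Servers - Windows Update'
$servers  = @('PRODWEB01', 'PRODSQL01')               # hypothetical server names

# Step 1: create the OU (idempotent) and move the production servers into it
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer -TargetPath $ouDn
    }
}

# Step 2: create the GPO and link it to the OU (skip both if already done)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$existingLink = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Steps 3-5: "Configure Automatic Updates" = Enabled, option 3.
# The policy is backed by two DWORDs under the AU key:
#   NoAutoUpdate = 0  -> automatic updates are on (policy enabled)
#   AUOptions    = 3  -> auto download and notify for install
$auKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# Verification: once the policy has propagated (or after 'gpupdate /force' on a server),
# the AU key on each server must show AUOptions = 3 and NoAutoUpdate = 0.
# A non-compliant result usually means the server is not in the OU, inheritance is
# blocked or a WMI filter excludes it, or it simply hasn't refreshed policy yet.
function Test-AutoUpdatePolicy {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                               -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            AUOptions    = $au.AUOptions
            NoAutoUpdate = $au.NoAutoUpdate
            Compliant    = ($au.AUOptions -eq 3 -and $au.NoAutoUpdate -eq 0)
        }
    }
}

Test-AutoUpdatePolicy -ComputerName $servers | Format-Table -AutoSize
```

Run the verification function again after each Group Policy refresh cycle (or after `gpupdate /force` on the server); a server that stays non-compliant is one that can still reboot on its own, which is exactly the case this rule is trying to prevent.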

After the new Group Policy propagates, you will notice the update setting is now locked on the servers in the Production Server OU.

updates updatesforced
Figure: Good example - The Group Policy locks the Windows Update setting

From now on your servers will download updates, but will only install them (and reboot) when an administrator chooses to. Note that this also means somebody has to install them: schedule a regular maintenance window for your Production Servers so they don't fall behind on security patches.

Default domain policy1
Figure: Good example - AD shows the Group Policy setting "3 – Auto download and notify for install". This policy is applied to the specified OU, e.g. Production Servers joined to this domain

Check out "auto-update" rules for PCs and Servers.
