Do you use Group Policy to manage your Windows Update Policy?
21/11/2017 11:20 AM by
We all know it’s important to keep our servers updated. Unfortunately though, by default, Windows will automatically download and install all new Windows Updates on your servers. This will mean the servers will occasionally restart to install updates when you don’t want them too. You will also get annoying popups trying to get you to restart the computer.
- Bad example – it is automatically installing and you want control over your patching. Accidentally press Restart Now on a Production server and your users won't be happy!
Note : Server patching is also achievable via SCCM and you get more control over restarting windows like this. WSUS can also be used in conjunction with group policies to handle restart times better.
The best ensure you are still downloading updates but not installing them automatically is to use Group Policy.
- Create an Organization Unit (OU) in Active Directory, and put all your Production Servers in the OU
- Add all your Production Servers to the Production Server OU
- Create a new Group Policy object and link it to the Production Server OU
- Create a new Group Policy for your Production Servers
- Edit the new Group Policy object and drill down to Computer Configuration | Policies | Windows Components | Windows Update
- Edit the Configure Automatic Update Properties item and enable it
- Set the Configure Automatic Updating option to 3 – Auto download and notify for install
- Edit Configure Automatic Updates Properties and enable 'Auto download and notify for install
After the new Group Policy propagates, you will notice the update setting is now locked on the servers in the Production Server OU.
- The Group Policy locks the Windows Update setting
Now the next time you plan to reboot your server you can install updates quickly and reboot – keeping your servers updated without unplanned reboots.
The following screenshot is the settings applied to the default domain policy for the same group policy settings but this will apply to all machines joined to the SSW domain.
Do you feel this rule needs an update?