Do you use Group Policy to manage your Windows Update Policy?
20/05/2020 7:54 AM by
We all know it’s important to keep our servers updated. Unfortunately though, by default, Windows will automatically download and install all new Windows Updates on your servers. This will mean the servers will occasionally restart to install updates when you don’t want them too. You will also get annoying popups trying to get you to restart the computer.
Note: This rule applied to both client PCs and servers.
It is also one more reason developers don’t like to join a company domain on their personal laptops!
- Bad Example - Windows 10 shows a ‘Restart now’ – do not accidentally press it! Your production server and your users won't be happy!
- Bad example – Remember this nasty one from Vista days?
Note: Server patching is also achievable via SCCM and you get more control over restarting windows like this. WSUS can also be used in conjunction with group policies to handle restart times better.
The best ensure you are still downloading updates but not installing them automatically is to use Group Policy.
- Create an Organization Unit (OU) in Active Directory, and put all your Production Servers in the OU
- Add all your Production Servers to the Production Server OU
- Create a new Group Policy object and link it to the Production Server OU
- Create a new Group Policy for your Production Servers
- Edit the new Group Policy object and drill down to
Computer Configuration |
Windows Components |
- Edit the
Configure Automatic Update Properties item and
- Set the
Configure Automatic Updating option to
3 – Auto download and notify for install
- Edit Configure Automatic Updates Properties and enable 'Auto download and notify for install
After the new Group Policy propagates, you will notice the update setting is now locked on the servers in the Production Server OU.
- The Group Policy locks the Windows Update setting
From now on your servers will be updated without unplanned reboots!
- Figure: Good example - AD shows the Group Policy setting “3 – Auto download and notify for install”. This policy is applied to the specified OU eg. Production Servers joined to this domain
Do you feel this rule needs an update?