Prevent Server Restart after Windows Updates

windows-update windows-server-2003 automatic-updates

we have a number of servers in our office, as a small hosting company, and these servers are critical to business, ... web server, mail server, db server, etc.

On a semi-regular basis, when the machines get automatic updates, they just automagically reboot themselves in the middle of the night. A number of them have software which must be running on the console session (bad practice, I know, but out of my control). When they reboot themselves, these programs obviously shut down, leaving customers upset and services interrupted.

How do you set a Windows Server 2003 R2 machine to NEVER automagically reboot itself after updates? And perhaps, if possible, to instead email someone so that they are aware it needs a pending reboot and can schedule it for the best time?

Thanks in advance!


In group policy for the server, navigate to:

Computer Configuration->Administrative Templates->Windows Components->Windows Update->No auto-restart for scheduled Automatic Update installation

You can get to this by running gpedit.msc.

Reboot to apply changes.

Don't forget that your server won't be updated until you reboot and will be vulnerable to the threats!


You can accomplish this, and leaving updates installed waiting for a reboot does not leave the server in an inconsistent state. Updates that require a reboot are not applied until the reboot occurs. The settings to manage automatic updates are too numerous to list here, but you can manage them in a domain via Group Policy, or on stand-alone machines using Local Policy. Go to Computer Configuration>Administrative Templates>Windows Components>Windows Update.


The best solution that I am aware of is to turn off automatic updates. Then you schedule maintenance windows with your customers and apply the updates manually and do the reboot then make sure everything that you need is running after the reboot.

Just stopping the reboots is a bad idea because that gives the impression that you are fully updated when you really aren't since updates that need reboots to complete...well...you know...need reboots to complete.


If you can't (or don't want to) reboot a server, you should postpone update installation to when you can safely reboot it.

You should never install updates that require reboots without actually rebooting the machine; this leaves the system in an inconsistent state, and you can have any kind of troubles until a reboot is finally done.


I would suggest to keep the auto updates running, BUT have the servers only download the updates and not install them.

Have you thought about a WSUS server for easier patch maintenance?

Related

Multiple IP addresses per NIC
What tool can I use to manage the configuration of my Windows Server environments
Disable update popup on Windows 2012 R2
Can I trust that ZFS is consistent between Linux and FreeBSD?
Local or public NTP servers?
Set Default UPN Suffix for Creating New Users in Active Directory
Potential pitfalls associated with securely deleting SSD disks
Apache mod_auth_kerb and LDAP user groups
Convert directory to QEMU/KVM virtual disk image
ADFS - Restrict to AD Group
How do I "test" name-based virtual hosting?
How can I install git on RHEL 6?