Prevent servers from restarting after Automatic Updates

Tags: group-policy, windows-server-2008, windows-server-2012-r2, windows-update

Work has started a new focus in the way that we look after clients, trying to be more proactive rather than just reacting to problems. Part of this focus is to make sure that servers are up to date. We have deployed a GP to make servers update (Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Configure Automatic Updates).

We now need a way to make sure that the servers only restart at a specific time, rather than when they finish. I found what I thought was the answer here but it was only for Server 2003, not 2008 and 2012 which I need. Is there a similar GP that I could use? The plan would be to have the servers automatically scan, download and install updates through the week and anything that needs a restart to install will happen on the weekend.

Best Answer

The trick here is to not have Windows Update do the install via the Automatic Updates mechanism. You can set it to automatically download, but for automatic installs, there's no way to stop the reboot timer from triggering unless there's a user logged into the system, such as with the No auto-restart with logged on users for scheduled automatic updates installations policy. Since this is for servers, I'm going to assume that this is not the default case, and that nobody being logged in doesn't mean the machine's resources aren't necessary at the moment.

Set up a scheduled task that will trigger the install of the updates and report when the updates are finished, or some other action, so that you know the computer is due for a restart.

I very quickly modified the script found here to suit your needs:

#      Author: Gregory Strike
#     Website: www.GregoryStrike.com
#        Date: 02-19-2010
# Information: This script was adapted from the WUA_SearchDownloadInstall.vbs VBScript from Microsoft.  It uses the
#              Microsoft.Update.Session COM object to query a WSUS server, find applicable updates, and install them.

# The original script asks for $Install interactively. When run unattended from a scheduled task
# there is nobody to answer, so take it as a parameter that defaults to "Y".
param([string]$Install = "Y")

# Mail settings. Send-MailMessage needs a relay; replace these placeholders with your own values.
$SmtpServer = "smtp.example.com"
$MailFrom   = "server@example.com"
$MailTo     = "admin@example.com"

# < --- SNIP --- >

$UpdateSession = New-Object -Com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()

# Only software updates that are not yet installed.
$SearchResult = $UpdateSearcher.Search("IsInstalled=0 and Type='Software'")

# Collect only the updates that Automatic Updates (set to download only) has already fetched.
$UpdatesToInstall = New-Object -Com Microsoft.Update.UpdateColl

For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
    $Update = $SearchResult.Updates.Item($X)
    If ($Update.IsDownloaded) {
        $Null = $UpdatesToInstall.Add($Update)
    }
}

# Install() throws on an empty collection, so stop here if nothing is waiting.
If ($UpdatesToInstall.Count -eq 0) {
    Write-Host "No downloaded updates are waiting to be installed." -Fore Yellow
    Exit
}

If ($Install.ToUpper() -eq "Y" -or $Install.ToUpper() -eq "YES"){
    Write-Host ""
    Write-Host "Installing Updates..." -Fore Green

    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall

    $InstallationResult = $Installer.Install()

    # ResultCode is an OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
    $ResultsBody = "List of Updates Installed with Results:"
    For ($X = 0; $X -lt $UpdatesToInstall.Count; $X++){
        $ResultsBody = $ResultsBody + "`r`n" + $UpdatesToInstall.Item($X).Title + ": " + $InstallationResult.GetUpdateResult($X).ResultCode
    }

    # The property is RebootRequired; the message body carries the per-update results so the
    # admin knows what to expect before the weekend restart.
    If ($InstallationResult.RebootRequired -eq $True){
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo -Subject "$env:COMPUTERNAME has installed updates that require a reboot" -Body $ResultsBody
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo -Subject "$env:COMPUTERNAME has installed updates that do not require a reboot" -Body $ResultsBody
    }
}

NOTE:
You can use the original script linked and modify that to do the detect and download as well, in which case it would probably be best to disable the Configure Automatic Updates policy.

Addendum:
There's a Windows Update PowerShell Module in the Microsoft Script Center that provides the functionality needed to write your own Windows Update scripts easily. In fact, there are many good resources (at the time of this writing) on the first page of google for the search: powershell windows update
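The answer above describes the arrangement (policy set to download only, a scheduled task that installs during the week, a restart on the weekend) but does not show how the tasks are wired up. The following is an added example, not part of the original answer or of Gregory Strike's script. It assumes the install script above has been saved as C:\Scripts\Install-DownloadedUpdates.ps1, that the GPO sets AUOptions to 3 (auto download, notify for install), that weekday installs run at 22:00 and the restart window is Saturday 02:00, and that the ScheduledTasks module is available (Server 2012 / PowerShell 3 and later). The task names are made up for the example.

```powershell
# Added example (not from the original answer). Assumptions: install script at
# C:\Scripts\Install-DownloadedUpdates.ps1, GPO 'Configure Automatic Updates' = option 3
# (auto download and notify for install), so the Automatic Updates engine never installs
# and therefore never starts its own restart timer. Run from an elevated prompt.

# 1. Confirm the effective policy before relying on it. AUOptions 4 would let Windows Update
#    schedule installs (and the restart that follows) independently of the tasks below.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction Stop
if ($au.AUOptions -ne 3) {
    throw "AUOptions is $($au.AUOptions); expected 3 (download only). Fix the GPO before registering the tasks."
}

# 2. Weekday install task: SYSTEM, 22:00 Monday to Friday, installs only what is already downloaded.
#    -NonInteractive guarantees the task can never hang on a prompt.
$installAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Install-DownloadedUpdates.ps1'
$installTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday,Tuesday,Wednesday,Thursday,Friday -At '22:00'
$system = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Updates - weekday install' -Action $installAction `
    -Trigger $installTrigger -Principal $system -Force | Out-Null

# 3. Weekend restart task: Saturday 02:00, and only if Windows Update itself reports a pending restart.
#    Microsoft.Update.SystemInfo (ISystemInformation.RebootRequired) is the same signal the
#    Automatic Updates engine uses, so a server with nothing pending is left alone.
$rebootCommand = 'if ((New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired) { Restart-Computer -Force }'
$rebootAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument ('-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "{0}"' -f $rebootCommand)
$rebootTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At '02:00'
Register-ScheduledTask -TaskName 'Updates - weekend restart' -Action $rebootAction `
    -Trigger $rebootTrigger -Principal $system -Force | Out-Null

# 4. Show what was registered so the change can be reviewed.
Get-ScheduledTask -TaskName 'Updates - *' | Select-Object TaskName, State
```

Two practical points. Both tasks run as SYSTEM from a fixed script path, so C:\Scripts must be writable only by Administrators; anything that can modify that file runs with full privileges at 22:00 every weekday. On Server 2008 the ScheduledTasks cmdlets do not exist; the equivalent tasks are created with schtasks.exe /Create using /SC WEEKLY, /D for the days, /ST for the time, /RU SYSTEM and the same powershell.exe command line in /TR.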