11

We have a number of servers in our office, as a small hosting company, and these servers are critical to the business: web server, mail server, DB server, etc.

On a semi-regular basis, when the machines get automatic updates, they just automagically reboot themselves in the middle of the night. A number of them have software which must be running on the console session (bad practice, I know, but out of my control). When they reboot themselves, these programs obviously shut down, leaving customers upset and services interrupted.

How do you set a Windows Server 2003 R2 machine to NEVER automagically reboot itself after updates? And perhaps, if possible, to instead email someone so that they are aware it needs a pending reboot and can schedule it for the best time?

Thanks in advance!

eidylon
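None of the answers below covers the second half of the question, the e-mail notification. The following script is an added example and is not part of the original question or of any answer: it checks the registry markers that the Windows Update Agent and the Session Manager leave behind when a restart is owed, and mails the on-call list if any are present. The SMTP relay name, the addresses, and the assumption that PowerShell 2.0 is installed on the Server 2003 R2 box are mine, not the page's; the Component Based Servicing key only exists on Vista and later, so on 2003 that check is simply a no-op.

```powershell
# Added example: detect a reboot pending after Windows Update and mail the on-call list.
# Assumptions (not from the original question): PowerShell 2.0 on the server, an internal
# SMTP relay at mail.example.internal that accepts mail from this host, and the
# addresses below. Run it from a scheduled task, e.g. once an hour.

$SmtpServer = 'mail.example.internal'    # assumed relay
$From       = 'updates@example.internal' # assumed sender
$To         = 'ops@example.internal'     # assumed on-call distribution list

# The Windows Update Agent creates this key when an installed update needs a restart
# and removes it once the machine has rebooted. This is the authoritative signal.
$wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
# Component Based Servicing (Vista and later) uses its own key; absent on Server 2003.
$cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
# Files that could not be replaced while in use are queued here until the next boot.
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingRebootReasons {
    $reasons = @()
    if (Test-Path $wuKey)  { $reasons += 'Windows Update: RebootRequired key present' }
    if (Test-Path $cbsKey) { $reasons += 'Component Based Servicing: RebootPending key present' }
    $pfro = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro -and $pfro.Length -gt 0) {
        $reasons += "Session Manager: $($pfro.Length) pending file rename operation(s)"
    }
    return $reasons
}

$reasons = @(Get-PendingRebootReasons)
if ($reasons.Length -eq 0) {
    Write-Host "$($env:COMPUTERNAME): no reboot pending"
    exit 0
}

$body = @"
$($env:COMPUTERNAME) has updates installed that need a restart to take effect.
Reasons detected:
$($reasons -join "`n")

Until the machine is rebooted, the fixes in those updates are not active.
Please schedule the restart in the next maintenance window.
"@

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[$($env:COMPUTERNAME)] reboot pending after Windows Update" -Body $body
Write-Host "$($env:COMPUTERNAME): reboot pending, notification sent to $To"
```

Run it under an account that is allowed to relay through the mail server. The PendingFileRenameOperations check is noisier than the RebootRequired key, since some installers leave cleanup entries there that matter little, so treat the Windows Update key as the real signal and the other two as supporting detail in the mail.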

8 Answers

12

In group policy for the server, navigate to:

Computer Configuration->Administrative Templates->Windows Components->Windows Update->No auto-restart for scheduled Automatic Update installation

You can get to this by running gpedit.msc.

Reboot to apply changes.

Don't forget that your server won't be updated until you reboot and will be vulnerable to the threats!

Dave Drager
  • Does running GPEDIT on the PDC actually edit the domain group policy? Because it says in the gpedit.msc console "Local Computer Policy". – eidylon Sep 09 '09 at 15:59
  • To deploy this to all of your servers, you will need to edit on PDC (or a PC on the domain) and apply that group policy to your servers. The directions I mentioned only edit local group policy - but I am not group policy expert! – Dave Drager Sep 09 '09 at 16:12
  • 1
    Don't forget though that you will remain vulnerable to whatever the patch fixed until you do the reboot. – EBGreen Sep 09 '09 at 19:28
  • 7
    "Reboot to apply changes." - *sigh* ;-) – Matthias Sep 30 '13 at 16:54
  • 1
    Why the heck do I need to always reboot my server? This is a server, and its purpose is to be always running. – Alexander.Iljushkin Jun 01 '16 at 12:35
4

You can accomplish this, and leaving updates installed waiting for a reboot does not leave the server in an inconsistent state. Updates that require a reboot are not applied until the reboot occurs. The settings to manage automatic updates are too numerous to list here, but you can manage them in a domain via Group Policy, or on stand-alone machines using Local Policy. Go to Computer Configuration>Administrative Templates>Windows Components>Windows Update.

joeqwerty
2

The best solution that I am aware of is to turn off automatic updates. Then you schedule maintenance windows with your customers, apply the updates manually, do the reboot, and then make sure everything that you need is running after the reboot.

Just stopping the reboots is a bad idea because that gives the impression that you are fully updated when you really aren't since updates that need reboots to complete...well...you know...need reboots to complete.

EBGreen
  • Well, for that same reason I'd rather not turn them off, just to keep things updated for sure, but get a notification to an email address that would notify several people so we are sure to be aware. Something like the operator notifications in Sql Server. – eidylon Sep 09 '09 at 15:02
  • 2
    +1 for manual updates on production systems. Nothing worse than having an MS update auto applied, hose up your production SQL/Exchange/file/etc. server – Dayton Brown Sep 09 '09 at 15:02
  • But - let's be realistic. For most situations any kind of automatic update is not going to impact an installed program. If you do have software that ties in so closely with the Windows files, then you should turn it off. But for 90% of the situations out there, users will receive more security benefit from the automatic updates than the risk it will impact running software. – Dave Drager Sep 09 '09 at 15:06
1

If you can't (or don't want to) reboot a server, you should postpone update installation to when you can safely reboot it.

You should never install updates that require reboots without actually rebooting the machine; this leaves the system in an inconsistent state, and you can have any kind of troubles until a reboot is finally done.

Massimo
1

I would suggest keeping the auto updates running, BUT having the servers only download the updates and not install them.

Have you thought about a WSUS server for easier patch maintenance?

RateControl
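The two settings discussed in this thread, written directly to the policy hive, as an added example that is not code from Dave Drager's answer or from this one: the default mode is the "download but don't install" option this answer recommends (AUOptions 3), the other keeps scheduled installation but enables the "No auto-restart for scheduled Automatic Updates installations" policy from the top answer. The key and value names are the ones gpedit.msc writes for those policies; the install schedule values and the assumption of PowerShell 2.0 running as a local administrator on the Server 2003 R2 box are mine. One caveat a practitioner should know before relying on the top answer: the policy's full name is accurate, it only suppresses the restart while a user is logged on (which fits the console-session case in the question), and a scheduled installation on a box with nobody logged on will still reboot.

```powershell
# Added example: write the Automatic Updates policy values directly, as gpedit.msc would.
# Assumptions (not from the page): PowerShell 2.0 on Server 2003 R2, run as a local admin.
# On a domain member a GPO overrides these values at the next policy refresh, so set the
# same options in a GPO linked to the servers' OU instead of running this on each box.
param(
    # DownloadOnly: AUOptions 3, download updates but never install them unattended.
    # ScheduledNoAutoReboot: AUOptions 4 plus the no-auto-restart policy.
    [ValidateSet('DownloadOnly', 'ScheduledNoAutoReboot')]
    [string]$Mode = 'DownloadOnly'
)

$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $auPolicy)) { New-Item -Path $auPolicy -Force | Out-Null }

# Values under the Policies key take precedence over the per-machine settings in
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update.
# Keep Automatic Updates itself enabled (NoAutoUpdate=1 would switch it off entirely).
Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate -Value 0 -Type DWord

switch ($Mode) {
    'DownloadOnly' {
        # AUOptions: 2 = notify before download, 3 = auto download and notify before
        # install, 4 = auto download and install on schedule, 5 = local admin chooses.
        # With 3 nothing is installed unattended, so nothing can trigger a restart, and
        # the files are already on disk when the maintenance window opens.
        Set-ItemProperty -Path $auPolicy -Name AUOptions -Value 3 -Type DWord
        # The no-auto-restart policy is irrelevant in this mode; clear it so the state is explicit.
        Remove-ItemProperty -Path $auPolicy -Name NoAutoRebootWithLoggedOnUsers -ErrorAction SilentlyContinue
    }
    'ScheduledNoAutoReboot' {
        # Install on schedule: every day (0; 1..7 = Sunday..Saturday) at 03:00 (hour 0..23).
        # The schedule values are illustrative assumptions.
        Set-ItemProperty -Path $auPolicy -Name AUOptions            -Value 4 -Type DWord
        Set-ItemProperty -Path $auPolicy -Name ScheduledInstallDay  -Value 0 -Type DWord
        Set-ItemProperty -Path $auPolicy -Name ScheduledInstallTime -Value 3 -Type DWord
        # "No auto-restart for scheduled Automatic Updates installations". Conditional, as the
        # value name says: the restart is suppressed only while a user is logged on (the
        # console-session case); with nobody logged on the scheduled install still reboots.
        Set-ItemProperty -Path $auPolicy -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
    }
}

# Make the Automatic Updates client pick the change up now rather than on its next cycle.
Restart-Service -Name wuauserv -Force

# Read back the effective values so the change is verifiable in the maintenance log.
Get-ItemProperty -Path $auPolicy |
    Select-Object AUOptions, NoAutoRebootWithLoggedOnUsers, ScheduledInstallDay, ScheduledInstallTime
```

Whichever mode you pick, the update is not effective until the reboot happens, so pair this with something that reports the pending restart; otherwise the server looks patched while the vulnerable binaries are still the ones loaded in memory.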
0

If you're running an application on an active console session, as stated, you can set the option to prevent reboots while users are logged into the server.

Kelsey
0

The short answer is, you can't. The only options are to let them download and sit and wait until you can install manually and reboot, or just turn off AU and download/install in a maintenance window.

DanBig
0

I personally prefer the download updates but don't install option. That way the server lets you know that it has downloads that are ready, although you have to log on interactively to see the notice, and you don't have to wait for them to download when you have a maintenance window for an installation and reboot.

Catherine MacInnes