Auto-Updating With No Reboot

Despite being a fan of security, I’ve always run Windows Update in “Download and Notify” mode for all of my machines. Having Windows Update reboot my machine without warning at 3:00 AM is just too destructive.

This has two negative effects:

- Security patches that don’t require a reboot are needlessly postponed.
- Programs that auto-update frequently via Microsoft Update turn into a permanent task-bar nag that you have updates to install.

After doing some research, it turns out that it’s possible to have the best of both worlds with just a little configuration. Set Microsoft Update to install updates automatically, and then set a Group Policy flag that prevents auto-reboot. Problem solved!

http://blogs.technet.com/mu/archive/2008/10/02/windows-update-and-automatic-reboots.aspx

3 Responses to “Auto-Updating With No Reboot”

  1. Jay Bazuzi writes:

    Where’s your ObPowershell to manipulate the group policy setting from PowerShell? 🙂

  2. totorocat writes:

    Here’s a reference that maps group policy settings to registry settings:

    Group Policy Settings References for Windows and Windows Server
    http://www.microsoft.com/downloads/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en

    Here’s a PowerShell script that will create the registry value for ‘No auto-restart with logged on users for scheduled automatic updates installations’:

    # Enable-WUNoAutoRebootWithLoggedOnUsers.ps1
    # Sets Group Policy to prevent Windows Update from rebooting if a user is logged on.
    New-Item -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Force
    Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoRebootWithLoggedOnUsers -Value 1

    I’ve confirmed that it creates the same registry value as the Local Group Policy Editor, but for some reason the editor doesn’t show it as enabled. I haven’t received an update yet that requests a reboot, so the jury is still out on whether it is truly enabled… but it should work according to the reference I linked to above.

  3. totorocat writes:

    Correction to my last comment. The Set-ItemProperty line should actually use New-ItemProperty and set the value type to DWORD, as in the following:

    New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoRebootWithLoggedOnUsers -Value 1 -PropertyType DWORD
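
The registry change from the comments above, as an added example that is not part of the original post or its comments: it creates the policy key only if it is missing, writes the value as a DWORD, and reads the stored type back to confirm it. The helper names Set-PolicyDword and Test-PolicyDword are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original page).
# Path and value name are the ones given in the comments above.
$auPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auName = 'NoAutoRebootWithLoggedOnUsers'

# Hypothetical helper: write a DWORD policy value without disturbing the key.
function Set-PolicyDword {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [int]    $Value
    )
    # Create the key only when it is missing, so values already under it are left alone.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites an existing value, including one stored with another type.
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

# Hypothetical helper: confirm the value exists, is a DWORD, and holds the expected data.
function Test-PolicyDword {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [int]    $Value
    )
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $Name) { return $false }

    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq $Value)
}

Set-PolicyDword -Path $auPath -Name $auName -Value 1

if (Test-PolicyDword -Path $auPath -Name $auName -Value 1) {
    Write-Output "$auName is set to 1 as a DWORD."
} else {
    Write-Warning "$auName is missing, has the wrong type, or holds a different value."
}
```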
