How can I stop Mandatory Automatic Restarts after I do a Windows Updates?

In Windows it used to be that when you do an automatic update, sometimes it would finish and let you close the window, sometimes depending on the update being installed you would be given the popup dialog asking to restart now or later. If you choose later it will ask again in 10 minutes and keep asking until you restart. So lately there are some updates done on servers that HAVE to have a restart done after the install, and there is no way to stop it from happening. It restarts within 5 minutes. This happens to a lot of people and a lot of different companies, we come in to work in the morning and see that servers have been restarted. We get pages in the middle of the night saying the servers are down. I didn't tell Microsoft to restart my computer, people are using them even at night and when they get restarted automatically it causes a drop in production and starts a panic.

So, is there a way to stop the servers from restarting automatically after these updates? I have searched and searched. I have found nothing that works. Others are asking the same question, yet I see no real answers. If it is impossible, then fine, I'll leave it at that and go on still believing that Microsoft sucks as always. At least they keep me in a job though huh?  :-)

I am using Windows 2003, 2000 and XP on a Windows 2000 domain. I am setting up WSUS, everything works perfect except it restarts machines automatically after I push certain installs.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi cwelchmindlessmediacom,

in GPO
Administrative Templates\Windows Components\Windows Update\No auto-restart for scheduled Automatic Updates installations

Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.  If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.  Be aware that the computer needs to be restarted for the updates to take effect.  If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.  Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

WSUS will give you a lot more control also :)

cwelchmindlessmediacomAuthor Commented:
I tried this already, on 2 different domains even, it didn't work. All the servers I tested on were logged into, the AU was sheduled, they still restarted.
have you enabled the configure automatic updates policy also? ill send you a link to the reference sheet im going on - windows update is right down the bottom
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

cwelchmindlessmediacomAuthor Commented:
yeah the policy is setup. However, I did do as the WSUS docs say to do, I created and linked a new group policy and I called it WSUS Group Policy. That is where I made all of the settings for Windows Updates. That's what the docs said to do. But, as for the "no reboot after update" setting, should that also be done in the WSUS Group Policy or should it be set in the Default Domain Policy? Also, should any of these policies be Enforced?

For my servers I had to create a seperate OU for them and link their own GPO for updates...completely seperate from the standard workstation GPO.

Here is the GPO:

Computer Configuration (Enabled)hide
Administrative Templateshide
Windows Components/Windows Updatehide
Policy Setting
Allow Automatic Updates immediate installation Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours):  22
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:  1 - Every Sunday
Scheduled install time: 20:00
Policy Setting
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Disabled
No auto-restart for scheduled Automatic Updates installations Enabled
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://server:8530 
Set the intranet statistics server: http://server:8530 

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
As to your question about the 'no reboot after update', I always keep the settings together that way you don't have to go fishing all over for each piece....
cwelchmindlessmediacomAuthor Commented:
Well I just worked on it more. Here's what I had it looking like...

    > Default Domain Policy
    > WSUS Policy
    > (ou) Computers
    > (ou) Servers
        > (ou) Windows 2000
            > Servers - Windows 2000 Policy
        > (ou) Windows 2003
            > Servers - Windows 2003 Policy
    > (ou) Test Servers
        > (ou) Windows 2000
            > Test Servers - Windows 2000 Policy
        > (OU) Windows 2003
            > Test Servers - Windows 2003 Policy

The policies inside the servers OU's are there just for the client side name. The WSUS Policy was what I had everything else set in, so like you said I would not have to go fishing. But what i realized throughout the day was that in order to have it so the servers do not reboot after updates are done, I need to enable that feature on the Default Domain Policy, not on the WSUS Policy. So, while all the MS documentation was stating that it is best practice to create a new WSUS policy and put all of our settings in there, they were forgetting to tell us that the one feature everyone is griping about should not be set there, but be done in the Default Policy which is the policy they stated is best not to touch.

Well, that is what worked for me. If it works for others in another way and not the way I just mentioned, then that's Microsoft for ya.
My policy looks virtually Identical to Mazaraats, but for any client that doesnt get controlled by WSUS i make the change in the default domain policy - MS best practices arent always best
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.