The most common and generally recommended approach to Windows Updates is to let them run automatically as new updates are pushed out from Microsoft. However, Windows Updates can occasionally cause issues with custom software or settings, so you may want to disable or modify the Automatic Updates for your server so that you perform additional testing before applying updates to your production system. You can use either the Local Group Policy Editor or Powershell to make changes to your Automatic Updates settings.

NOTE:

Domain policies will override local policies. By default, all customer servers are joined to the Liquid Web customer domain. If you would like your server to be removed from the domain so that you can manage policies as described in this article, please reach out to our Support Team and asked to be removed from the Liquid Web customer Active Directory domain.

Changing Windows Automatic Updates using the Local Group Policy Editor

Open gpedit.msc

Go to “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Windows Update” and select the setting “Configure Automatic Updates”

This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:

2 = Notify before downloading and installing any updates.

When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.

3 = (Default setting) Download the updates automatically and notify when they are ready to be installed

Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Windows Update, users can install them.

4 = Automatically download updates and install them on the schedule specified below.

When “Automatic” is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)

Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

On Windows 8 and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer is not in use, and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.

Automatic maintenance can be further configured by using Group Policy settings here: Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler

5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates.

Note! This option is not supported on Windows 10.

With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.

7 = Notify for install and notify for restart. (Windows Server only)

With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.

NOTE:

If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.

Windows Updates Config via Powershell

Open Windows Powershell
Type Sconfig and hit enter

powershell command for making policy changes

Select 5 and hit enter.

Choose your preferred update settings using the correct letter and hit enter.

Disabling the Update Service

Open Services.MSC from CMD line

Find the Windows Update Service and double click to open it.
Stop the service if it is running.
Set Startup type to Disabled and click apply

This will prevent any updates until this service is re-enabled.

Preventing Forced Automatic Reboot

To prevent the forced automatic reboot if a user is logged in, you can change the following

Local security policy for the server (mmc > Local security object editor)
Go to Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Update.
Change the setting “No auto-restart with logged on users for scheduled automatic updates installations” to Enabled.

This will cause their server to not automatically restart if there are logged in users.