How to stop the auto reboot post the update installation from WSUS

Question

Hi team,

we have a WSUS server installed on Server 2019 and we are looking to implement the below patch process. Please help me to plan for the required GPO's.

1. Patch needs to install on a specific day and time.
2. Post successful patch installation suppress the reboot, engineer will login and perform the reboot manually.
3. User should receive a periodic popup when the patch is install and also when its in the pending reboot state.

Answer 1

Hi midhunPS-0986,

Thanks for your response.

I read that if we configure the deadline from WSUS console, it will override the policy Specify deadline before auto-restart for update installation and will perform an immediate reboot.

Would you mind to provide the article link for my reference? In my opinion, the deadline from the WSUS console is used for approval, not for reboot.

As I described it for the first time, it is difficult for us to control the restart on the Windows 10 clients.
Policy: [Specify deadline before auto-restart for update installation]

This policy means that the clients who applied this policy will reboot at any time before the deadline not reboot at the deadline moment.
For example, if the deadline is 15 days. The clients will reboot before 15 days. But the exact restart time of the clients are uncertain.

In addition, we could apply the policy to specify the active hours to delay restart:

But the default max active hours range is 18 hours. We could not restart the clients at the specified time.

Regards,
Rita

---

If the response is helpful, please click "Accept Answer" and upvote it.

Answer 2

Hi MidhunPS,

we released this policy back in January 2020 specifically for servers which are affected by default active hours reboot behavior, this way the server does not reboot unless you press the restart now button or schedule the reboot (WSUS deadlines still override policies so do not deploy updates with mandatory deadline if you want to avoid this):

If you do not see this policies, please apply the latest ADMX templates from 2004:
https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra

HTH,
Andrei

Answer 3

Hi midhunPS-0986,

Thanks for your posting on Q&A.

It is difficult for us to restart the computer manually after installing updates in Windows 10. It is recommended to refer to the following policies to configure:

1. Patch needs to install on a specific day and time.

2. Post successful patch installation suppress the reboot, engineer will login and perform the reboot manually.

Here is the below policy about restarting the computer for your reference:

(Location: Group Policy Management Editor\Policies\Administrative Templates\Windows Components\Windows Update)
This policy does help to restart the computer manually after installing the updates when the user logs in. But if there is no one login after installing updates, the computer will restart as usual.

3. User should receive a periodic popup when the patch is install and also when its in the pending reboot state.

WSUS does not have this feature currently. This may need to be implemented using a script. I may need more time to research.

Regards,
Rita

---

If the response is helpful, please click "Accept Answer" and upvote it.

Answer 4

For the popup and alternative thoughts on how to deploy updates, check out part 4 of my 8 part blog series on How To Setup, Manage, and Maintain WSUS.

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

For the popup - please scroll down to the section entitled:

I Want Notifications!!!

Answer 5

Thanks for the detailed explanation.

If WSUS doesn't have any option for manual reboot, how long we can extend or configure the Automatic reboot.
Like post patch installation, reboot pending, wait for 15 days for auto reboot, in between Admin can reboot.