
Configure Windows Update

Configure Windows Update to install security patches automatically and in a controlled manner.


Keeping Windows Server updated is critical for security. Configure updates to install automatically during maintenance windows to minimize disruption.

Check for updates manually

powershell
# Install the PSWindowsUpdate module
Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate

# Check available updates
Get-WindowsUpdate

# Install all updates
Install-WindowsUpdate -AcceptAll -AutoReboot

Configure automatic updates via PowerShell

powershell
# Set the automatic update notification level
$settings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$settings.NotificationLevel = 3  # Download automatically and notify before installing
$settings.Save()

Configure via Group Policy

Open Local Group Policy Editor:

powershell
gpedit.msc

Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Update

Recommended settings:

  • Configure Automatic Updates: Enabled → Auto download and schedule install
  • Schedule install day: Every Sunday
  • Schedule install time: 03:00

Configure restart policies

powershell
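# Prevent automatic restart when users are logged in
# (the policy key may not exist until a policy has been set, so create it if needed)
$auKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
Set-ItemProperty -Path $auKey -Name "NoAutoRebootWithLoggedOnUsers" -Value 1 -Type DWord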

# Set active hours (no restarts between 8 AM and 11 PM)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "ActiveHoursStart" -Value 8 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "ActiveHoursEnd" -Value 23 -Type DWord

Schedule a maintenance window

Create a script for controlled updates:

powershell
# Save as C:\scripts\windows-update.ps1
Import-Module PSWindowsUpdate
$updates = Get-WindowsUpdate
if ($updates) {
    Install-WindowsUpdate -AcceptAll -IgnoreReboot
    # Log results
    Get-WUHistory -MaxDate (Get-Date) -Last 10 | Export-Csv "C:\logs\update-history.csv" -NoTypeInformation
}

Schedule with Task Scheduler to run weekly at 3 AM.
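
One way to register that weekly task, as an added example that is not part of the original guide. Because the task runs as SYSTEM, it first refuses to register if any account other than SYSTEM or Administrators can modify the script or its folder. The task name, the Sunday schedule and the 4-hour time limit are assumptions.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell session.
$scriptPath = 'C:\scripts\windows-update.ps1'   # path used in the guide
$taskName   = 'Weekly-WindowsUpdate'            # hypothetical task name

if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Script not found: $scriptPath"
}

# The task runs as SYSTEM, so only SYSTEM (S-1-5-18) and the local
# Administrators group (S-1-5-32-544) should be able to change the script
# or the folder that holds it.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$risky = foreach ($path in $scriptPath, (Split-Path -Path $scriptPath -Parent)) {
    $acl = Get-Acl -LiteralPath $path
    # Ask for the rules with SIDs so the comparison does not depend on localized account names
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trustedSids -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference, FileSystemRights
}

if ($risky) {
    $risky | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Remove write access for non-administrative accounts before scheduling this script as SYSTEM.'
}

# Weekly trigger: Sunday 03:00 (assumed; matches the recommended policy schedule in this guide)
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# Confirm the schedule that was registered
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object TaskName, NextRunTime
```

A folder created directly under C:\ often inherits modify rights for Authenticated Users, so expect the check to fail until the ACL on C:\scripts is tightened.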

View update history

powershell
Get-WUHistory | Select-Object -First 20 Date, Title, Result

Pause updates (temporary)

powershell
# Pause for 7 days (the expiry is stored as a UTC timestamp string)
$pause = (Get-Date).AddDays(7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "PauseUpdatesExpiryTime" -Value $pause

Tip

For production servers on Baires Host, schedule updates during low-traffic hours and always have a recent backup before applying major updates. Test updates on a staging VPS first if possible.
