Windows Server 2008 R2, like many Windows systems, defaults to automatic download and installation of updates. This presents challenges in server environments where controlled deployment is crucial. The automatic installation can cause unexpected reboots and service interruptions.
When you need to:
1. Maintain update availability (download)
2. Prevent automatic installation
3. Manage this remotely without RDP access
The command line becomes essential.
For modern systems with PowerShell access:
# Set Windows Update to download only
$serviceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
$serviceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")
$autoUpdate = New-Object -ComObject "Microsoft.Update.AutoUpdate"
$autoUpdate.Settings.NotificationLevel = 3 # 3 = Download only
$autoUpdate.Settings.Save()
For systems limited to cmd.exe:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f net stop wuauserv net start wuauserv
To confirm your settings took effect:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
Expected output should show value 0x3 (or simply 3)
For domain-joined servers, you can push this setting via GPO:
# GPO equivalent registry setting reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 3 /f
- These commands require administrative privileges
- Server 2008 R2 may need .NET Framework 3.5 for PowerShell COM objects
- Consider creating a scheduled task if you need to reverse this later
- Test in a non-production environment first
To maintain control while ensuring updates are available when needed:
schtasks /create /tn "WSUS Check" /tr "wuauclt /detectnow" /sc weekly /d MON /st 02:00
When deploying Windows Server 2008 R2 systems, the default Windows Update configuration automatically downloads and installs updates. This becomes problematic in production environments where you need to:
- Control the timing of installations
- Test updates before deployment
- Maintain change management protocols
Since RDP isn't available in your scenario, we'll modify the registry directly through command-line operations. The key settings we need to change are in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Create a batch file (update_config.bat) with the following commands:
@echo off
:: Set to download but not install updates
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f
:: Optional: Set notification level (1 = never check, 2 = notify download, 3 = automatic download)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NotificationLevel /t REG_DWORD /d 2 /f
:: Set scheduled install day (0 = every day)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
:: Set scheduled install time (0-23 hours)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
:: Enable these settings
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v EnableFeaturedSoftware /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v IncludeRecommendedUpdates /t REG_DWORD /d 0 /f
For more modern systems (though PowerShell 2.0 exists on Server 2008 R2):
# Set Windows Update to download only
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name "AUOptions" -Value 3
# Additional configuration examples
$wuPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
Set-ItemProperty -Path $wuPath -Name "NotificationLevel" -Value 2
Set-ItemProperty -Path $wuPath -Name "ScheduledInstallDay" -Value 0
Set-ItemProperty -Path $wuPath -Name "ScheduledInstallTime" -Value 3
After applying these changes:
- Check the registry values manually:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
Should return 0x3
- Trigger a manual update check to verify behavior:
wuauclt /detectnow
- Check Windows Update log for confirmation:
C:\Windows\WindowsUpdate.log
- These changes require administrative privileges
- Consider creating a System Restore point before making changes
- For domain environments, Group Policy might override these settings
- The changes take effect after the Windows Update service restarts