How to Disable “Restart to Install Updates” Popup via GPO for Kiosk Systems



Many administrators managing kiosk systems or always-on workstations face this exact scenario: Windows keeps pestering users with the "Restart your computer to finish installing updates" notification despite having configured "No auto-restart with logged on users" in Group Policy. This becomes particularly problematic for:

  • Digital signage displays
  • Public access terminals
  • 24/7 monitoring stations
  • Automated production systems

The "No auto-restart with logged on users for scheduled automatic updates installations" policy (Computer Configuration > Administrative Templates > Windows Components > Windows Update) only prevents automatic reboots; it doesn't suppress notifications. The popup still appears because:

  1. It's considered a critical system notification
  2. WSUS requires acknowledgment of pending updates
  3. The UX is hardcoded in modern Windows versions

Here's the complete policy combination that actually works:

# Computer Configuration > Administrative Templates > Windows Components > Windows Update
1. Configure Automatic Updates: Enabled (Option 4 - Auto download and schedule install)
2. No auto-restart with logged on users: Enabled
3. Re-prompt for restart with scheduled installations: Disabled
4. Delay Restart for scheduled installations: Enabled (60 minutes)
5. Allow non-administrators to receive update notifications: Disabled

For systems where GPO can't be applied, use this PowerShell script to modify the registry directly:

# Disable restart notifications
$AUPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Create the policy key only if it is missing, so existing values under it are left untouched
if (-not (Test-Path $AUPath)) { New-Item -Path $AUPath -Force | Out-Null }
Set-ItemProperty -Path $AUPath -Name "NoAutoRebootWithLoggedOnUsers" -Value 1 -Type DWord
Set-ItemProperty -Path $AUPath -Name "RebootRelaunchTimeoutEnabled" -Value 0 -Type DWord
Set-ItemProperty -Path $AUPath -Name "RebootWarningTimeoutEnabled" -Value 0 -Type DWord

# Optional: Disable toast notifications completely
$ToastPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications"
if (-not (Test-Path $ToastPath)) { New-Item -Path $ToastPath -Force | Out-Null }
Set-ItemProperty -Path $ToastPath -Name "NoToastApplicationNotification" -Value 1 -Type DWord

For enterprises using WSUS, add these settings to your update approval rules:

  • Never approve "Update for Windows (Restart Required)" classifications
  • Create separate computer groups for kiosk systems
  • Configure deadline behavior to "Auto install but don't restart"

After applying these changes, verify with:

# Check effective policies
gpresult /h gpreport.html

# Check registry values
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" | Select-Object NoAutoRebootWithLoggedOnUsers,RebootRelaunchTimeoutEnabled
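
Suppressing the prompt removes the only on-screen sign that installed patches are waiting for a restart, so a kiosk needs a machine-readable check instead. The following is an added example (not part of the original article) that compares the AU policy values set above with the registry and reports the standard Windows pending-reboot markers; the function name Get-KioskUpdateAudit and the 7-day uptime threshold are assumptions.

```powershell
# Added example: audit a kiosk's Windows Update policy state and pending-reboot status.
# Expected values mirror the registry settings shown earlier on this page.
function Get-KioskUpdateAudit {
    [CmdletBinding()]
    param(
        [string]$AUPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        [hashtable]$Expected = @{
            NoAutoRebootWithLoggedOnUsers = 1
            RebootRelaunchTimeoutEnabled  = 0
            RebootWarningTimeoutEnabled   = 0
        }
    )

    # A missing key or value is reported as drift (Actual = $null) instead of throwing.
    $au = Get-ItemProperty -Path $AUPath -ErrorAction SilentlyContinue
    $drift = foreach ($name in $Expected.Keys) {
        $actual = if ($au) { $au.$name } else { $null }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Name = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }

    # Registry keys Windows creates while an installed update is waiting for a restart.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $pending = @($markers | Where-Object { Test-Path $_ })

    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyDrift    = @($drift)
        RebootPending  = $pending.Count -gt 0
        PendingMarkers = $pending
        UptimeDays     = [math]::Round(((Get-Date) - $boot).TotalDays, 1)
    }
}

$audit = Get-KioskUpdateAudit
$audit | Format-List

# Non-zero exit lets a scheduled task or monitoring agent alert on policy drift
# or on a restart that has been pending too long. Threshold is an assumed value.
$MaxUptimeDays = 7
if ($audit.PolicyDrift.Count -gt 0 -or
    ($audit.RebootPending -and $audit.UptimeDays -gt $MaxUptimeDays)) { exit 1 }
```

Run it as a script from an elevated scheduled task so the exit code can feed a monitoring agent and drive a planned maintenance restart.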

When managing kiosk systems in a domain environment with WSUS updates, the "Restart your computer to finish installing updates" notification can be particularly disruptive. Despite enabling the "No auto-restart with logged on users" GPO setting (Computer Configuration > Administrative Templates > Windows Components > Windows Update), the notifications still appear for Windows Defender/FEP updates.

The standard auto-restart policy only affects Windows Update behavior - not the notification system. You need to combine multiple GPO settings for complete control:

Computer Configuration
│
└── Administrative Templates
    ├── Windows Components
    │   ├── Windows Update
    │   │   ├── Configure Automatic Updates: Enabled (3 - Auto download and notify for install)
    │   │   ├── No auto-restart with logged on users: Enabled
    │   │   └── Turn off all notifications: Enabled
    │   └── Maintenance Scheduler
    │       └── Automatic Maintenance Activation Boundary: Disabled
    └── System
        └── Logon
            └── Always wait for the network at computer startup and logon: Enabled

If GPO isn't immediately available, you can push this registry change via PowerShell:

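# Disable update notifications and auto-restart
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$RegProps = @{
    'NoAutoRebootWithLoggedOnUsers' = 1
    'NoAutoUpdate' = 0
    'AUOptions' = 3
}

# Create the policy key if it is missing, then write each value as a DWORD
# (New-ItemProperty accepts one value name per call)
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
foreach ($Name in $RegProps.Keys) {
    New-ItemProperty -Path $RegPath -Name $Name -Value $RegProps[$Name] -PropertyType DWord -Force | Out-Null
}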

For systems receiving definition updates through WSUS, add these registry tweaks to prevent Defender-specific prompts:

# Disable Defender notifications
$DefenderPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
# Create the key only if it is missing, so existing Defender policy values are left untouched
if (-not (Test-Path $DefenderPath)) { New-Item -Path $DefenderPath -Force | Out-Null }
New-ItemProperty -Path $DefenderPath -Name 'DisableRestorePoint' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $DefenderPath -Name 'ServiceKeepAlive' -Value 0 -PropertyType DWord -Force | Out-Null

After applying these changes:

  1. Run gpupdate /force on target systems
  2. Check effective policies with rsop.msc
  3. Trigger a test update through WSUS console
  4. Monitor for 24 hours using PowerShell: Get-WindowsUpdateLog

For large kiosk deployments, consider these enterprise methods:

# SCCM Compliance Baseline
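$DetectionScript = {
    # Compliant only when the policy value exists and equals 1; a missing key or value returns $false instead of an error
    $au = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoRebootWithLoggedOnUsers" -ErrorAction SilentlyContinue
    [bool]($au -and $au.NoAutoRebootWithLoggedOnUsers -eq 1)
}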

# Intune Configuration Profile (JSON)
{
    "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
    "windowsUpdateInstallSchedule": {
        "scheduledInstallDay": "everyday",
        "scheduledInstallTime": "03:00:00"
    },
    "updateNotificationLevel": "notConfigured"
}