- Send emails in Exchange Online using an alias address: Configuration with PowerShell and admin center - Tue, Jun 29 2021
- Deactivate update notifications on Windows Server - Wed, Jun 3 2020
- Remove unneeded settings from Group Policy Objects - Thu, Apr 23 2020
Depending on the configuration, even standard users can install updates and thus prompt the server to restart. This is especially true for RD Session Hosts, where an unplanned reboot may affect several users with data loss.
Update notification on Windows Server 2019
The notifications are intrusive and cannot be closed by clicking on the X in the upper right corner. Therefore, the remaining options are to hit the ESC key or to click on the corresponding button to view the updates. This will open the Windows Update section in the Settings app. If the current user is authorized to initiate the installation of the updates, then this process will take its usual course and will usually result in a restart.
Clicking the notification leads to the Settings app, where users can start the update installation
To prevent this, there is a Group Policy setting under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Allow non-administrators to receive update notifications. However, it only applies up to Windows 8.1 and Server 2012 R2. The following sections explain what to do with higher versions.
The GPO setting to hide the update notification doesn't affect newer versions of Windows Server
Turning off notifications with the task scheduler ^
Notifications of available updates are triggered by scheduled tasks. If you disable or delete these tasks, you will also get rid of the notifications.
Scheduled tasks that are responsible for displaying the update notification
You can find them in the task scheduler under Microsoft > Windows > UpdateOrchestrator. These are:
- MusUx_UpdateInterval
- USO_UxBroker_Display
- USO_UxBroker_ReadyToReboot
Disable notifications using a batch script ^
Instead of scheduling the tasks interactively, you can deactivate them with a batch file. To do this, execute the following commands in an administrative command prompt:
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval" schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display" schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Reboot" /DISABLE schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display" /DISABLE schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" /DISABLE
The problem with this solution is that even within the same version of Windows Server, Microsoft uses different names for the tasks. If not all the scheduled tasks are on a system, the above script will display an error message. On the other hand, it ignores tasks with a different name.
Disabling notifications via PowerShell ^
Another approach is to identify the tasks in question regardless of their name. Their common feature seems to be that they execute MusNotification.exe with different parameters. This can be used in PowerShell to delete the tasks.
Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\"|
where {$_.Actions.execute -like "*MusNotification*" -and $_.state -eq "Ready"} |
Unregister-ScheduledTask
Removing scheduled tasks for update notification using PowerShell
If you want to safeguard yourself against this relatively radical measure, you can save the tasks as an administrator in a file beforehand with Export-ScheduledTask:
Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\" |
where { $_.Actions.execute -like "*MusNotification*" -and $_.state -eq "Ready"} |
foreach {Export-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName > `
($_.TaskName + ".xml")}If necessary, the tasks could then be restored using Register-ScheduledTask and the parameter XML.
Another alternative would be to delete the scheduled tasks via Group Policy Preferences. However, this requires that you know the exact names of the tasks.
Conclusion ^
Basically, you should make use of the possibilities offered by Group Policies to implement your own concept of update distribution and the timing of the restart. This can be a classic regular maintenance window, which the administrator supervises.
Subscribe to 4sysops newsletter!
The server can also update itself and restart outside office hours. However, this is not recommended for critical systems. Microsoft offers further information in this article.
Thanks for the help! I was getting annoyed with Windows 10 and decided to swap my host machine to Windows Server and have been liking it much better. This helped me get rid of the annoying pop ups.
In my experience with Windows 2019 Server, non-admins also get update pop-ups out of the box.
On Windows 10 20H2 I needed to run the task scheduler program as LOCALSYSTEM before I was able to disable the aforementioned scheduled tasks. To do that required following the instructions here - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/#psexec - and using Sysinternals psexec64.
I could not run tasksched.msc directly using the -sid parameter described, so I launched psexec64 -sid mmc.exe, and then added the Task Scheduler snap-in through that interface. Then I could disable the scheduled tasks that the author laid out.