Wednesday, 29 April 2026

Group Policy

To automatically update Windows Server 2019 and reboot, configure Group Policy (gpedit.msc) to "Auto download and schedule the install" (Option 4), set a specific time, and enable "No auto-restart with logged on users" to manage uptime. Alternatively, use sconfig for quick command-line configuration or Action1 for automated patching.
Steps to Automate Updates and Reboot (Group Policy):
  1. Open Policy Editor: Press Win + R, type gpedit.msc, and hit Enter.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  3. Configure Automatic Updates: Double-click "Configure Automatic Updates," set to Enabled, and select 4 - Auto download and schedule the install.
  4. Schedule Time: Set the install day and time (e.g., Every Sunday at 3:00 AM).
  5. Configure Reboot Behavior: In the same list, find and enable "No auto-restart with logged on users" (if you want to avoid abrupt reboots) or enable "Always automatically restart at scheduled time" for strict automation.
  6. Apply Policy: Open Command Prompt as Administrator and run gpupdate /force.
Alternative Methods:
  • sconfig: Run sconfig in CMD, select option 5, and choose 'A' for Automatic.
  • Registry: Under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, set the AUOptions value to 4.
Key Considerations:
  • Active Hours: Set active hours in Settings > Update & Security to prevent reboots during business hours.
  • Active Directory: If domain-joined, use gpmc.msc on the Domain Controller to apply these settings via Group Policy Object (GPO) to multiple servers.
  • Action1: A third-party, free-tier option for patching.

To create a group policy for all servers at once, create a new GPO in the Group Policy Management Console (GPMC) and link it to the root of the domain so that it covers all server objects, or to the "Domain Controllers" Organizational Unit (OU) if only domain controllers should receive it. For targeted application, use security filtering to apply the policy to a specific AD group containing all target servers.
Steps to Create and Apply a GPO to All Servers:
  1. Open Management Tools: On a domain controller, open gpmc.msc via the Start Menu or Run dialog (Windows + R).
  2. Create GPO: Right-click Group Policy Objects and select New. Name it (e.g., "All Servers Policy").
  3. Edit Policy: Right-click the new GPO and select Edit to configure settings under Computer Configuration.
  4. Link to Domain Root (For All Servers): Right-click your domain name (e.g., contoso.com) and select Link an Existing GPO to apply to all computers, including servers.
  5. Link to Domain Controllers (For DCs Only): Alternatively, right-click the "Domain Controllers" OU and link the GPO to only affect DC servers.
  6. Apply Security Filtering (Optional): To refine targeting, in the GPO's Scope tab, remove "Authenticated Users" and add a security group containing the desired servers.
  7. Update Policy: Run gpupdate /force on servers to apply immediately, or wait for the automatic refresh (roughly 90 minutes).
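
Both procedures above can be scripted with the GroupPolicy RSAT module; the following is an added example, not part of the original post. The group name Patch-Target-Servers and the distinguished name for contoso.com are assumptions, and "Authenticated Users" is reduced to Read rather than removed outright, a deliberate difference from step 6.

```powershell
# Added example. Run on a domain controller or RSAT host as a domain admin.
Import-Module GroupPolicy

$GpoName = 'All Servers Policy'      # name used in step 2 of the post
$Group   = 'Patch-Target-Servers'    # hypothetical AD group of server computer accounts
$Target  = 'DC=contoso,DC=com'       # assumed DN for the post's example domain
$AuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Registry policy values behind the Windows Update administrative templates.
$Values = [ordered]@{
    NoAutoUpdate                  = 0   # automatic updates enabled
    AUOptions                     = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay           = 1   # 1 = Sunday (0 would mean every day)
    ScheduledInstallTime          = 3   # hour of day, 3 = 03:00 local time
    NoAutoRebootWithLoggedOnUsers = 1   # no restart while a user is logged on
}

# Create the GPO only if it does not exist, so the script can be re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Scheduled Windows Update install' | Out-Null
}

foreach ($name in $Values.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName $name `
        -Type DWord -Value $Values[$name] | Out-Null
}

# Security filtering: only members of $Group apply the policy.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# -Replace is required to lower an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link at the domain root unless a link is already present.
$linked = (Get-GPInheritance -Target $Target).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains, for review before the next policy refresh.
Get-GPRegistryValue -Name $GpoName -Key $AuKey | Select-Object ValueName, Value
```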
