Windows Automatic Updates with Manitou

by Josh Tafoya, Technical Trainer

I get the reason why Microsoft forces Windows automatic updates to be enabled. I get it. Unpatched workstations and servers face potentially catastrophic weaknesses which, if left unpatched, could allow viruses or other malicious activity to spread. Let’s face it… a large percentage of the ONE BILLION Windows machines throughout the world would not get updated on a regular basis if Microsoft didn’t default them to automatically update. So few people do updates on their own (and I include consumers and IT people alike) that Microsoft had to force the settings for automatic updates to be done.

So yes…I get it.

But the big problem for most of us is that we are in the life safety business. We specifically have processes in place to make sure our systems are never down. We would make sure we were up and running all the time, even if the UL didn’t require it, because our Manitou systems are the heart of our business.

In Windows 2012 and 2008, it was simple enough to stop automatic updates. You could simply go into the Control Panel, locate the icon for Windows Update, click on the advanced settings, and change it so the option was manual instead of automatic. (For the record, I’m not discussing operating systems prior to Windows 2008 because they are no longer supported.) However, because Microsoft is now doing everything they can to keep everyone updating automatically, if you have a Manitou system, you MUST disable Windows automatic updates or you risk a reboot of your servers in the middle of the night.

In Windows 2016, we can no longer simply go to the control panel to turn off the setting; the process is a little different. It is necessary to change the group policy. If you don’t know what the group policy is, please enlist the help of your IT professional. Any IT professional should be able to navigate through the Group Policy Editor to find {Computer Configuration\Administrative Templates\Windows Components\Windows Update} and disable the setting for “Configure Automatic Updates.”

Please understand, this is not a recommendation to never update your servers. Far from it. You should still be failing over between servers at least monthly, and each of those failovers is an opportunity to install Windows updates. And this can’t be stated clearly enough: MAKE SURE YOU CHECK THE ABOVE SETTING EVERY TIME YOU RUN WINDOWS UPDATES! It works right now, but there is nothing saying that Microsoft won’t change it when you manually apply the updates.
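One way to script that check after each manual update run (an added example, not part of the original article or of Manitou): it assumes the “Configure Automatic Updates” policy is stored as the `NoAutoUpdate` and `AUOptions` values under the registry key shown, and the function name is hypothetical.

```powershell
# Added example: confirm "Configure Automatic Updates" is still Disabled.
# Assumption: a Disabled policy is written as NoAutoUpdate = 1 under this key.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicyState {   # hypothetical helper name
    param([string]$Path = $AuKey)

    # No policy key at all means "Not Configured": Windows defaults apply.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ State = 'NotConfigured'; NoAutoUpdate = $null; AUOptions = $null }
    }

    # Read each value separately; a missing value comes back as $null.
    $noAuto = (Get-ItemProperty -Path $Path -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $auOpt  = (Get-ItemProperty -Path $Path -Name AUOptions   -ErrorAction SilentlyContinue).AUOptions

    $state = if ($noAuto -eq 1) {
        'Disabled'          # policy disabled: no automatic install or reboot
    } elseif ($null -ne $auOpt) {
        'Enabled'           # policy enabled; AUOptions 2-5 selects the behaviour
    } else {
        'NotConfigured'
    }

    [pscustomobject]@{ State = $state; NoAutoUpdate = $noAuto; AUOptions = $auOpt }
}

$result = Get-AutoUpdatePolicyState
$result | Format-List

# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
if ($result.State -ne 'Disabled') {
    Write-Warning "Automatic Updates policy is '$($result.State)' on $env:COMPUTERNAME; re-check Group Policy."
    exit 1
}
```

Run it on each server after the updates and the reboot have completed; on domain-joined servers, run `gpupdate /force` first so the registry reflects the current policy.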

We want you to be protected. We want your servers to be protected. What we don’t want is for your business to be affected and you to be awakened by your operators when Microsoft reboots your servers for automatic updates.