I run a dedicated Windows VM that has no interactive logons, and is running a Jenkins agent as a service. Jenkins automatically generates a bug report when a build fails and assigns it to the people who changed the source code since the last build.
When Windows Update decides to reboot the machine, it just kills the current build, which leads to a "failed" status and a spurious bug report.
Is there a way to somehow coordinate between WU and a service so that the agent can be shut down gracefully before the update?
You can try to call Windows Update from the command line - we are using WuInstall to automate our server patches and also control reboot behavior. Basically, you can disable automatic install of updates and handle updates with batch scripts using WuInstall to check for pending updates when it fits.
Check http://www.wuinstall.com - it is a commercial tool aimed at bigger infrastructures at the moment though, but they used to have a freeware version that might still be available for download somewhere.
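
One way to script the approach from this answer, as an added example that is not part of the original answer: it uses the built-in Windows Update Agent COM API in place of WuInstall, and the Jenkins REST API to let the running build finish first. The controller URL, node name, service name and environment variable names are hypothetical; it assumes automatic installation is already disabled by policy, the service start type is Automatic, and the script runs elevated from a local scheduled task.

```powershell
# Added example. Hypothetical values: controller URL, node name, service name, env var names.
$Jenkins = 'https://jenkins.example.internal'
$Node    = 'win-build-01'
$Service = 'jenkins-agent'
$pair    = "$($env:JENKINS_USER):$($env:JENKINS_TOKEN)"   # API token, kept out of the script
$Headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }
$NodeUrl = "$Jenkins/computer/$Node"

function Get-NodeState { Invoke-RestMethod -Uri "$NodeUrl/api/json" -Headers $Headers }
function Switch-NodeOffline {   # toggleOffline flips the "temporarily offline" flag
    Invoke-RestMethod -Method Post -Uri "$NodeUrl/toggleOffline" -Headers $Headers `
        -Body @{ offlineMessage = 'Windows Update maintenance' } | Out-Null
}

# 1. Stop new builds from being scheduled here, then let the running one finish.
if (-not (Get-NodeState).temporarilyOffline) { Switch-NodeOffline }
$deadline = (Get-Date).AddHours(2)
while (-not (Get-NodeState).idle) {
    if ((Get-Date) -gt $deadline) { Switch-NodeOffline; throw 'Build still running; skipping this window.' }
    Start-Sleep -Seconds 60
}

# 2. Agent is idle: stop it. A stopped agent is disconnected, so the flag can be cleared now
#    and the node takes work again as soon as the service is back up.
Stop-Service -Name $Service
Switch-NodeOffline

# 3. Search, download and install pending updates through the Windows Update Agent COM API.
$session = New-Object -ComObject Microsoft.Update.Session
$updates = $session.CreateUpdateSearcher().Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
$rebootRequired = $false
if ($updates.Count -gt 0) {
    foreach ($u in $updates) { if (-not $u.EulaAccepted) { $u.AcceptEula() } }
    $downloader = $session.CreateUpdateDownloader(); $downloader.Updates = $updates
    [void]$downloader.Download()
    $installer = $session.CreateUpdateInstaller(); $installer.Updates = $updates
    $rebootRequired = $installer.Install().RebootRequired
}

# 4. Reboot only now, with no build running; the service starts again at boot.
if ($rebootRequired) { Restart-Computer -Force } else { Start-Service -Name $Service }
```

If the build does not finish within the two-hour wait, the script puts the node back online and exits, so the patch window is skipped rather than a build being killed.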