Policy Settings for Mandatory Updates

This is the second post in a three-part series on topics surrounding Windows Intune client update behavior. The first post covered the overall client update process; this post will detail the available Updates policy settings and what effect these policy settings have on the client behavior.

First, let’s be clear on some terminology:

Term/Phrase	Definition
Mandatory update for Windows Intune client software	As I explained in my previous post these mandatory updates are to upgrade the Windows Intune client software (or dependent features) on your computers, and the updates behave a little differently than other software updates. For simplicity I’ll just refer to them as “mandatory updates.”
Scheduled update	A scheduled update is one that has a deadline defined with the deployment action.
Request a restart	The properties of every update have Behaviors such as “Can request restart.” In order for the update to complete installation it signals that it needs Windows to restart. If a user is logged on, Windows will not automatically restart.
Require a restart	If the administrator defines a deadline for an update deployment, when that deadline passes the computer will require or enforce a restart when requested by the update. Regardless of whether a user is logged on or not, Windows will automatically restart.

By default no policies are applied to clients, so the behavior is based upon the current settings state for the operating system that is installed on the computer. These settings could be the default for the operating system, manually configured, or applied via another policy mechanism such as Active Directory Group Policy. So the Windows Intune administrator cannot be confident in the state of these settings until configuring and deploying a policy. (Note: if you are applying both Windows Intune and Active Directory policies be sure to read the Windows Intune Online Help article for Planning Around Group Policy.)

The Updates Policy Settings are contained in the Windows Intune Agent Settings policy template, amongst settings for other features. The Windows Intune Online Help has a policy reference article that details the seven current policy settings in the Updates category, including the description, possible values, and the default/recommended value. I highly recommend reading this article first to understand these policy settings; I’m not going to rehash what’s already well documented there.

However, I do want to describe the relationship between these policy settings and the mandatory updates. As I mentioned in my previous post these updates are processed slightly differently from other software updates.

Updates Policy Setting	Effect on Mandatory Updates
Update and application detection frequency (hours)	None. A separate process, Agent Sync, checks every 24 hours. This is not configurable.
Automated or prompted installation of updates and applications	None. When a new mandatory update is available, Agent Sync automatically downloads and installs the update, regardless of the date or time configured with this setting.
Allow immediate installation of updates that do not interrupt Windows	None. As described above the installation occurs immediately following detection and download.
Delay to restart Windows after installation of scheduled updates and applications (minutes)	A mandatory update can request a restart but will not require it. Only a scheduled software update or application deployment can require a restart. So this setting can indirectly affect a mandatory update if there is also a deployed software update or application with a deadline that has passed.
Delay following Windows restart to begin installing missed scheduled updates and applications (minutes)	None. Mandatory updates currently cannot be scheduled, so this setting does not apply.
Allow logged on user to control Windows restart after installation of scheduled updates and applications	Similarly as the above description regarding a scheduled update (in other words, with a passed deployment deadline) this can indirectly impact mandatory updates.
Delay between prompts to restart Windows after installation of scheduled updates and applications (minutes)	If a mandatory update requests a restart this setting directly impacts the delay between notifications when the user clicks the Restart Later button.

A few key points to emphasize:

A mandatory update by itself can request a restart but not require it.
Only a scheduled update (deployment with a deadline) can require a restart.
If no user is logged on when either a scheduled update or mandatory update installation is completed, Windows is automatically restarted when requested.

So what’s the outcome behavior that your end users will see? The following examples assume a user is logged on. Remember, if no user is logged on the restart is automatic.

If no other updates or applications are deployed (in other words, no schedules come into play), regardless of the Updates policy settings, when a mandatory update is installed and requests a restart end users will currently see a notification similar to the following:
If you have enabled and configured the policy setting “Delay between prompts to restart Windows after installation of scheduled updates and applications (minutes)” that value will be used when the user clicks the Restart Later button.
If a scheduled update requires a restart (the deadline has passed), and you have enabled the policy setting “Allow logged on user to control Windows restart after installation of scheduled updates and applications” and configured it to “No” then the logged on user will receive a five minute countdown similar to the following:

Note the Restart Later button is not available. This notification will always appear in the foreground.
If a scheduled update requires a restart (the deadline has passed), and you have enabled the policy setting “Allow logged on user to control Windows restart after installation of scheduled updates and applications” and configured it to “Yes” then the logged on user will receive notification similar to the above, except the countdown timer as specified by the policy setting “Delay to restart Windows after installation of scheduled updates and applications (minutes).”

Coming Soon to Updates Policy…

With the Windows Intune December 2012 Release we are introducing a new Updates policy setting as well as some improvements to the client behavior.

The following new policy setting will reside with the other Updates policy settings in the Windows Intune Agent Settings template:

Policy Setting	Description
Prompt user to restart Windows during Windows Intune client agent mandatory updates	This policy setting determines whether the logged on user is prompted to restart Windows when the Windows Intune client agent mandatory update requires Windows to restart. This only applies to Windows Intune client agent mandatory updates. Yes notifies the logged on user to restart Windows when required. No does not prompt the logged on user to restart Windows when required. This only applies to Windows Intune client agent mandatory updates. Windows Intune may not function properly until Windows is restarted. Recommended Value: Yes

Policy Setting

Description

Prompt user to restart Windows during Windows Intune client agent mandatory updates

This policy setting determines whether the logged on user is prompted to restart Windows when the Windows Intune client agent mandatory update requires Windows to restart. This only applies to Windows Intune client agent mandatory updates.

Yes notifies the logged on user to restart Windows when required.
No does not prompt the logged on user to restart Windows when required. This only applies to Windows Intune client agent mandatory updates. Windows Intune may not function properly until Windows is restarted.

Recommended Value: Yes

This new setting does not change any existing or default behavior; following the upgrade to our next release there will be no default change to client notification behavior. If you require a greater level of control over the notifications that your end users receive this setting can be deployed to silence the notifications due to mandatory updates. If you remember from my previous post in this series, WISDM signals WI-AU when a mandatory update requests a restart. This setting basically controls that signal; the process is the same otherwise (Agent Sync still runs on its schedule and mandatory updates are still downloaded and installed). So configuring this setting to “No” will result in no prompt displaying to users when a mandatory update requests a restart, but that also means the updated Windows Intune feature may not be available until Windows is restarted. You then need to trigger that necessary restart via some other mechanism (for example, by a scheduled update or remote task).

A few key points regarding this new setting:

This setting is only for mandatory updates; it has no effect on other update deployment notifications. You should continue to use the other policies as described above and deployment schedules to control notifications for other updates and applications.

If a scheduled update requires a restart then the user will always be prompted. (There are no blind countdown timers or blind restarts.)

If this setting is enabled and configured to “No” it shouldn’t affect notifications during enrollment (initial installation of the Windows Intune client software).
This setting currently does not affect also applies to updates to the Common Anti-Malware Platform (CAMP), the underlying component of Windows Intune Endpoint Protection. (2013-03-12 Edit: we confirmed that this policy also applies to CAMP updates.)

We also made some changes to the client notification behavior in general. Now the primary notifications will occur in the Windows taskbar notification area with the Windows Intune Center icon. Here is an example flow of how this will look.

An update is installed and requests a restart. The Windows Intune Center icon is overlaid with a warning icon. It displays the following tooltip when the user hovers the mouse pointer over it:
On Windows 7 and prior clients the following balloon will appear at the interval specified by the policy setting “Delay between prompts to restart Windows after installation of scheduled updates and applications (minutes)”:
The traditional notification appears when the user clicks the balloon or the Windows Intune Center icon:

On Windows 8 clients the Windows Intune Center icon will change to reflect the need to restart, but there is no active notification like the balloon. Clicking the icon will bring up the notification window.

I hope this post impressed upon you the importance of reviewing the configuration of your policy settings and understanding how they will change the behavior of updates deployed in your organization. So now that you understand why mandatory updates need to happen, how they are affected by policies, and what happens when they request a restart, in the third and final post of this series I will delve into the when. Or at least what sort of notifications we provide so that you can receive advanced warning when mandatory updates are released.

Windows Intune

Follow Us on Twitter!

The Windows Team Blog

The Windows Intune site

Windows Intune Technet Discussion Forums

Submit Feedback on Windows Intune

Windows Intune Help

Windows Intune Partners Get to Strut their Stuff

Baltimore Certificate Update

About Service Notifications

New TechNet Radio Edition: Cloud-Based Management with Windows Intune

Policy Settings for Mandatory Updates