WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

Managing Updates with Deadlines in an era of Automatic Maintenance

Until Windows 8, Windows Update managed its own internal scheduling for checking for, downloading, and installing updates. This required the Windows Update Agent to be running in the background at all times, consuming memory and other system resources. To increase battery life on portable devices, Windows 8 introduced a new feature called Automatic Maintenance, which runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more. This consolidation allows all of these components to use far fewer system resources, work consistently, respect the new Connected Standby state for new device types, and consume less battery on portable devices.

 

What this also means is that on Windows 8 and Windows Server 2012, the setting for when to download and install updates doesn't work in the same way. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective on Windows 8. Indeed, Automatic Maintenance runs once a day by default, and due to the consolidation of maintenance tasks there isn't a way to individually specify which maintenance tasks run on which days.

 

WSUS provides administrators with a way to control when patches get installed and PCs get rebooted. I'll explain one possible strategy for doing this:

 

Taking Control of Update Installation

What to do:

  • Using Group Policy, set your target machines to check for updates but do not automatically install them.
  • When you want to deploy an update at a particular time, set the deadline for when you want the machine to install updates and restart.
  • You can use groups in WSUS to set different approvals and different deadlines for different groups of machines.

 

Here's how it works:

This works because if you have set a deadline, WUA will enforce that deadline even outside of the Automatic Maintenance window, and even if updates are set not to install automatically. The computer will be rebooted (if needed) at the end of the installation process.

 

Every day, the Windows Update agent contacts WSUS and downloads information about which updates are to be offered to that PC, along with the deadline for each update as specified by the administrator. If an update is overdue, Windows Update will force that update to be installed automatically, even though WUA is configured to NOT generally install every update automatically. Otherwise, the update is offered to the user for manual installation until the deadline is reached. When the deadline is reached or passed, the update is forcibly installed and the machine is rebooted after a 15-minute countdown. If no users are signed in, the machine is rebooted immediately.

 

If you are running a server and you want to make sure it doesn't reboot until a certain date, then this is the option for you. Your server won't install any updates automatically until one of the updates reaches its deadline, and then the server will be rebooted immediately upon passing of the deadline, assuming that no users are signed in. If there are users signed in, the standard 15-minute timeout applies.

 

You can limit reboots to "service time" windows if you approve all updates with deadlines during your desired service windows. Machines that are powered off during the service window will be automatically updated when they are powered on once again.

 

Note: You need to make sure that all the updates you care about have deadlines assigned to them. If you neglect to assign a deadline to an update and you've configured Automatic Updates not to install updates automatically, that update will only be installed if your users install it manually, which could leave your network in a less secure state.

 

A note about time zones

In WSUS, when you set a deadline, it is interpreted in the time zone of the WSUS server, not the time zone of the target computer. Be sure to keep this in mind when setting your deadlines to avoid unexpected reboots. Remember, if a reboot is needed, it will occur no more than 15 minutes after the completion of the installation of the update.
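
The strategy above (explicit approval per computer group, a deadline inside each group's service window, deadlines expressed in the WSUS server's time zone) as a PowerShell script using the WSUS administration .NET API. This is an added example, not code from this post or the WSUS team; the group names, service-window times and the assumption that it runs on the WSUS server as a WSUS administrator are illustrative.

```powershell
# Added example, not the WSUS team's own code: approve each computer target group's
# already-approved updates with a deadline inside that group's service window, via the
# WSUS administration .NET API (the UpdateServices cmdlets cannot set deadlines).
# Assumptions: run on the WSUS server as a WSUS administrator; group names and
# service-window times are hypothetical.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# WSUS interprets deadlines in the WSUS server's own time zone, so build them from the
# server's local clock (Get-Date here), never from a target machine's clock.
$tonight = Get-Date -Hour 22 -Minute 0 -Second 0 -Millisecond 0
$serviceWindows = @{
    'Servers - Ring 1' = $tonight             # deadline tonight 22:00, server local time
    'Servers - Ring 2' = $tonight.AddDays(1)  # next ring one night later
}

$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Only updates whose latest revision is already approved somewhere are candidates.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$candidates = $wsus.GetUpdates($scope)

foreach ($groupName in $serviceWindows.Keys) {
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
    if (-not $group) { Write-Warning "Target group '$groupName' not found; skipping"; continue }
    $deadline = $serviceWindows[$groupName]

    foreach ($update in $candidates) {
        # A deadline can only be set on an approval the group holds itself, not one it
        # inherits from a parent group, so keep only approvals that belong to this group.
        $own = $update.GetUpdateApprovals($group) |
            Where-Object { $_.ComputerTargetGroupId -eq $group.Id -and $_.Action -eq $install }
        if (-not $own) { continue }

        # Re-approving for Install with a DateTime sets the deadline for this group.
        $update.Approve($install, $group, $deadline) | Out-Null
        '{0,-18} {1:yyyy-MM-dd HH:mm}  {2}' -f $groupName, $deadline, $update.Title
    }
}
```

Machines that are powered off during their window will install the overdue updates and reboot at next power-on, as the post describes, so run this after the approvals for the month have been tested.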

 

 

Additional reading:

 

Comments
  • Microsoft really screwed us all by changing the behavior and then not offering a way to fallback to the original update behavior.  I have 20 groups of servers that update on a staggered schedule across the week starting on the Wednesday after Patch Tuesday.  Before, I relied on group policy to automatically install and reboot.  So I just approve updates that are tested and I'm done.  NOW I have to go into WSUS and individually and manually set deadlines on 20 different computer groups every single month.  So patch maintenance has gone from a five minute affair to a 20 minute affair and I need to make sure I double and triple check that I set the right dates and times so I don't mess up and, say, accidentally reboot a server dependency in the wrong order.  This is an amazing step backwards.

  • I completely agree with Timothy's comment and share his problem.

  • Thank you for the feedback, I will talk with the WUA client team to see if there is something we can do to address this problem.

  • Just thought of another issue.  With deadlines, I have no way to tell the server to delay installation of updates until the next (or future) maintenance window if it was powered down during the deadline period.  This is very problematic since updates can take quite some time to apply if it's a busy month.  Forcing an additional 30 minutes to an hour of updates to apply when you may be in a time critical situation to get a service up and running is very problematic.  This is definitely an edge case, but it could really happen.

  • What Timothy said.  This new behavior is completely unacceptable and makes Windows 8/Server 2012 impractical to use in the enterprise.

  • Hmm, read the links, seems do-able.

    So I have to change my maintenance period to the general time I want them all to reboot by GPO - OK

    Set the deadline in WSUS console to the time/date I want for each staggered target group - ok fine-ish

    Try that for all 128 updates this month... hang on a minute, I can only set the deadlines for one update at a time - oh bugger!

    Am I missing a trick here?

  • Indeed I was, deadlines can be set once you have approved the updates, phew!

  • I still, even with updates approved, can't "Deadline" more than 1 update at a time. When I multi-select updates, Deadline is "Grayed" out. Am I missing something?

  • @Michael - You are probably inheriting approval at some level.  You have to explicitly set approval for each computer group that you want to set a deadline.

  • We need a way to manage schedules for different computer groups - via GPO or WSUS, it doesn't matter. And schedule settings should be far more flexible than a time window. We need to set based on day, time, week and all possible fine tuning within a month. I would love to have dynamic things like - install updates on the second week of the month, or each 4th Friday or something like this.

  • +1 to say that using WSUS Deadlines isn't really an acceptable alternative, especially for servers, where we have a number of carefully designed update schedules set up via GPO for different groups of servers. It also renders useless any automatic approval settings in WSUS, since it forces us to touch each and every update.

    For PCs, by and large a daily install by Automatic Maintenance is probably fine; using deadlines for them would be a problem when it comes to machines that are offline between approval of an update and its deadline arriving, as the user could be subjected to a reboot shortly after booting up, or as soon as the update is downloaded.

    I'm also not happy if we lose the ability to set the frequency of update checks - ours are set to check every 4 hours so that machines should catch updates by the end of the day on which they are approved.

  • We've run into a similar issue. I've added this blog to my feed list as I hadn't heard about this change until we had a handful of production servers reboot mid-afternoon.

    For what it's worth, we are NOT seeing this behavior when updates are managed by our SCCM server. We have recently upgraded to CM12 and are managing Windows Updates through there for about 30 2012 servers. These servers are part of new migration path for us, which is why they are different from the ones that rebooted mid-day. Those servers were brought online before we had decided to use CM12 to manage updates, so they get updates from our regular on-site WSUS server.

    After reading the related links it sounds like a second option is also possible for those with the means. This would be an over-simplification but:

    1. Set up System Center Orchestrator (this is the ouch point here)

    2. Disable Auto-Updates for your servers (or OU)

    3. Create a runbook that does the following

       a. Check for updates

       b. Download and install updates

       c. Reboot if required

    We've been exploring that solution quite a bit here as we have servers that need to reboot prior to other servers and to validate that required services are running before the next batch of updates happens.

    Also, shame on us for not reading the what's new in 2012 link and then complaining about it.

    technet.microsoft.com/.../hh994618.aspx

    Published: April 28, 2012

    Updated: July 24, 2013

    Applies To: Windows Server 2012

  • FYI

    social.technet.microsoft.com/.../handling-windows-updates-for-windows-server-2012-using-wsus-30-and-deadlines

  • See new fixes documented in MSKB 2885684 and distributed in cumulative rollup KB 2883201.

    More Details can be found in

    blogs.technet.com/.../enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx

    Windows 8.1 + WS 2012 R2 RTM also contain this update.

  • This setting is very risky, I just had reboots on some critical servers. Still investigating who put some patches with a deadline.
