WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

  • Comments 43
  • Likes

On computers running the RTM release of Windows 8 and Windows Server 2012, Windows Update no longer defined when to install updates. Instead, Automatic Maintenance is used for that purpose, minimizing activity during active computer use. Windows Update on Windows 8 and Windows Server 2012 computers also has new restart logic that defaults to forcing a restart 3 days after the installation of updates instead of 15 minutes. To avoid unintended data loss, forced restarts also no longer occur if a user is not actively using the machine, able to see the restart notice, and save their work.

While these changes have proven to be beneficial to many end users, the lack of discrete control over Windows Update installations and system restarts disrupted some management scenarios. This update returns the ability to discretely control when Windows Update installs updates, and adds the capability to force a restart soon after those installations regardless of whether there might be an active user session.

Microsoft has updated the documentation to more fully explain how you can use these new group policy settings. This documentation is available here: http://support.microsoft.com/kb/2885694

KB2885694, included in update rollup KB2883201, is available today (October 8th, 2013) on Windows Update and the Microsoft Update Catalog, and will be available soon on WSUS. We believe that this update will result in significantly improved uptime, reliability, and manageability; we hope you’ll agree.

In order for the below changes to take effect, this update must be installed on all client computers receiving the desired configuration. It should also be installed on the computers configuring the policy to expose the new and updated group policies.

Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren’t any additional updates you need to install.

Thank you for sharing your feedback with Microsoft!

The Windows Update and WSUS teams

 

Changes introduced by this update

KB 2885694 introduces two main changes that define how Windows Update on Windows 8 and Windows Server 2012 computers can be configured using group policy. All policies mentioned are located at this path:

Computer Configuration / Administrative Templates / Windows Components / Windows Update

When enabled with a value of 4…

The Configure Automatic Updates group policy works identically to the Windows 7 / Windows Server 2008 R2 and earlier behavior.

On Windows 8 and Windows Server 2012 without KB 2885694 installed, that policy could configure the main automatic updating setting, but configuring the scheduled install day and time had no effect. After installing KB 2885694, the policy will enable you to configure machines to:

  • Install updates during automatic maintenance, the default behavior, or
  • Install updates at the scheduled day and time defined in the policy

A new group policy called Always automatically restart at the scheduled time enables restarts soon after updates are installed, instead of 3 days later

By default in Windows 8 and Windows Server 2012, if the installation of important updates requires a system restart, one will be forced 3 days after their installation. The restart timer begins counting down only when a user is able to see it, helping prevent unintentional data loss in the middle of the night. More details about this default behavior are discussed in this blog post.

If you would instead like to force restarts following update installation, similar to Windows 7 / Windows Server 2008 R2 and earlier, you can enable the new “Always automatically restart…” policy. When the policy is enabled, a restart timer will always begin immediately after Windows Update installs important updates, instead of multiple days later.

The restart timer cannot be postponed once started, but the policy lets you configure the countdown timer to any value between 15 and 180 minutes. When the timer runs out, the restart will proceed even if the machine has signed-in users.

Note: If the group policy No auto-restart with logged on users for scheduled automatic updates installations is enabled, then the new “Always automatically restart…” policy has no effect.

Note: In Windows 8 and Windows Server 2012, the Delay Restart for scheduled installations continues to have no effect.

 

Example configurations

Scenario

Recommended configuration

Force updates and restarts at a specific time. For example:

  • Install updates on Friday nights at 11PM
  • Force a restart soon after installation

Use the Configure Automatic Updates policy:

  • Enable the policy
  • Use option #4 – Auto download and schedule the install
  • Deselect “Install during automatic maintenance”
  • Set “6 – Every Friday” for the scheduled install day
  • Set “23:00” for the scheduled install time

 Use the Always automatically restart at the scheduled time policy:

  • Enable the policy
  • Configure the timer to the desired value (default is 15 minutes)

Stagger installs and restarts across different hours and days on different machines.

Start with the same configuration as the above scenario.

Set different scheduled install days and times for different groups which you don’t want rebooting at the same time.

Force updates at a specific day and time, but preserve the default Windows 8 restart behavior

Start with the same configuration as the above scenarios, but do not enable the Always automatically restart at the scheduled time policy.

 

This post was written by Jordan Cohen on behalf of the Windows Update team.

Comments
  • Did you mean "these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 *R2*"?

  • Thank you so much! This has been a real pain point for controlling the patching of critical systems!

    Good work!

  • @

    Robert.

    Q.>Did you mean "these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 *R2*"?

    A.>yes. Those fixes are already in 8.1 and W S2012 R2 RTM. KB2883201 backports this change to Windows 8 / Windows Server 2012. Adjust policy knobs as required.

  • Yes, I've updated the post accordingly. Thank you for pointing out the typo!

  • From looking at the new windowsupdate.admx, I suppose that the one option that is really new is the "AutomaticMaintenanceEnabled" value under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, setting which to 0 should restore the traditional scheduled install behavior of the Windows Update service?

    And the "Always automatically restart at the scheduled time" policy was apparently added earlier — it is documented in KB2835627 and included in the KB2822241 update rollup (April 2013), but the ability to change the 15 minute timeout before reboot is not mentioned in those articles.

  • Nice to see that some semblance of sanity has been returned in that existing Group Policy is no longer ignored, but I'd still like a way to completely disable that automatic restart counter. Even if you think some server admins need hand-holding with automatic restarts, some of us know what we're doing and don't like control being taken away.

  • I'm still beside myself that someone in Redmond thought it was a good idea in the first place to take away control over the update deployment process and to have SERVERS with 15 minute, unstoppable reboot countdowns that are prompted by a login.

    Microsoft is really getting out of touch, taking a "we know what's best for you" attitude with Windows 8 and Server 2012.  The many good features of these operating systems our overshadowed by the mind boggling self-inflicted issues created by Microsoft.

    We appreciate these fixes, but it should have been that way in the first place.

  • "We know what's good for you, you don't. We will not negotiate on this or anything else while you are wearing suicide vests."

    That sounds just about how Microsoft is acting like these days.

    The fifteen minute reboot is a total job buster around here and I am taking all kinds of harassment for not being able to do anything about it.

    Thanks a lot, you've done it again Microsoft.

  • Good thing I use ConfigMgr. So much more control, maintence windows? We've had those for years!

  • What about if your DC is a 2008 server?  You have to upgrade the DC just so you can use this roll up?

  • @Steve, we are using config man as well but recently had 5 of our HyperV 2012 boxes reboot automatically...these boxes don't have a maintenance window set in SCCM since we manually reboot... they all decided to go down as they felt necessary during the middle of the workday

  • | and will be available soon on WSUS

    How soon is soon?

  • Who knows where to find updated ADMX files for GPO in domain?

  • @Phil - the fix is available as part the cumulative rollup KB 2883201 which is on the windows catalog now.

  • This is great news - I've had 2012 servers sitting here for months not getting updates because I couldn't control restarts.  Thank you Microsoft.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment