WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

  • Comments 43
  • Likes

On computers running the RTM release of Windows 8 and Windows Server 2012, Windows Update no longer defined when to install updates. Instead, Automatic Maintenance is used for that purpose, minimizing activity during active computer use. Windows Update on Windows 8 and Windows Server 2012 computers also has new restart logic that defaults to forcing a restart 3 days after the installation of updates instead of 15 minutes. To avoid unintended data loss, forced restarts also no longer occur if a user is not actively using the machine, able to see the restart notice, and save their work.

While these changes have proven to be beneficial to many end users, the lack of discrete control over Windows Update installations and system restarts disrupted some management scenarios. This update returns the ability to discretely control when Windows Update installs updates, and adds the capability to force a restart soon after those installations regardless of whether there might be an active user session.

Microsoft has updated the documentation to more fully explain how you can use these new group policy settings. This documentation is available here: http://support.microsoft.com/kb/2885694

KB2885694, included in update rollup KB2883201, is available today (October 8th, 2013) on Windows Update and the Microsoft Update Catalog, and will be available soon on WSUS. We believe that this update will result in significantly improved uptime, reliability, and manageability; we hope you’ll agree.

In order for the below changes to take effect, this update must be installed on all client computers receiving the desired configuration. It should also be installed on the computers configuring the policy to expose the new and updated group policies.

Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren’t any additional updates you need to install.

Thank you for sharing your feedback with Microsoft!

The Windows Update and WSUS teams

 

Changes introduced by this update

KB 2885694 introduces two main changes that define how Windows Update on Windows 8 and Windows Server 2012 computers can be configured using group policy. All policies mentioned are located at this path:

Computer Configuration / Administrative Templates / Windows Components / Windows Update

When enabled with a value of 4…

The Configure Automatic Updates group policy works identically to the Windows 7 / Windows Server 2008 R2 and earlier behavior.

On Windows 8 and Windows Server 2012 without KB 2885694 installed, that policy could configure the main automatic updating setting, but configuring the scheduled install day and time had no effect. After installing KB 2885694, the policy will enable you to configure machines to:

  • Install updates during automatic maintenance, the default behavior, or
  • Install updates at the scheduled day and time defined in the policy

A new group policy called Always automatically restart at the scheduled time enables restarts soon after updates are installed, instead of 3 days later

By default in Windows 8 and Windows Server 2012, if the installation of important updates requires a system restart, one will be forced 3 days after their installation. The restart timer begins counting down only when a user is able to see it, helping prevent unintentional data loss in the middle of the night. More details about this default behavior are discussed in this blog post.

If you would instead like to force restarts following update installation, similar to Windows 7 / Windows Server 2008 R2 and earlier, you can enable the new “Always automatically restart…” policy. When the policy is enabled, a restart timer will always begin immediately after Windows Update installs important updates, instead of multiple days later.

The restart timer cannot be postponed once started, but the policy lets you configure the countdown timer to any value between 15 and 180 minutes. When the timer runs out, the restart will proceed even if the machine has signed-in users.

Note: If the group policy No auto-restart with logged on users for scheduled automatic updates installations is enabled, then the new “Always automatically restart…” policy has no effect.

Note: In Windows 8 and Windows Server 2012, the Delay Restart for scheduled installations continues to have no effect.

 

Example configurations

Scenario

Recommended configuration

Force updates and restarts at a specific time. For example:

  • Install updates on Friday nights at 11PM
  • Force a restart soon after installation

Use the Configure Automatic Updates policy:

  • Enable the policy
  • Use option #4 – Auto download and schedule the install
  • Deselect “Install during automatic maintenance”
  • Set “6 – Every Friday” for the scheduled install day
  • Set “23:00” for the scheduled install time

 Use the Always automatically restart at the scheduled time policy:

  • Enable the policy
  • Configure the timer to the desired value (default is 15 minutes)

Stagger installs and restarts across different hours and days on different machines.

Start with the same configuration as the above scenario.

Set different scheduled install days and times for different groups which you don’t want rebooting at the same time.

Force updates at a specific day and time, but preserve the default Windows 8 restart behavior

Start with the same configuration as the above scenarios, but do not enable the Always automatically restart at the scheduled time policy.

 

This post was written by Jordan Cohen on behalf of the Windows Update team.

Comments
  • Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO.

  • ->

    Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO.

    <-

    I'm also in the same boat. How do we put the new admin template in place on a 2008R2 domain?

  • @ Sergey, Matt and Johnny. looking for updated ADMX files to configure "uplevel" policy from down-level clients and servers.

    The Windows Server 2012 R2 / Windows 8.1 version of the ADMX download package is undergoing package signing. Once you get access to the 8.1 / WS 2012 R2 ADMX files either through the download package (once available) or via Win8.1 / 2012 R2 media / install, then either copy them to the local policy template directory or into the central store. Related content include:

    KB 929841  How to create the Central Store for Group Policy Administrative Template files in Windows Vista

    blogs.technet.com/.../windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

    technet.microsoft.com/.../02633470-396c-4e34-971a-0c5b090dc4fd

  • I just found the newer files here:

    C:\Windows\PolicyDefinitions\Windows.admx

    C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml

    I have copied them to:

    C:\Windows\SYSVOL\sysvol\mydomain.local\Policies\PolicyDefinitions

    C:\Windows\SYSVOL\sysvol\mydomain.local\Policies\PolicyDefinitions\en-US

    I ran a gpupdate /force (not sure if it was needed) and I now see the 'Always automatically restart at the scheduled time' in my domain GPOs

  • This was on my Windows Server 2012 DC after I had installed KB2883201

  • Would this update apply to SBS2003?

    In fact the rollup (KB2883201) which contains this update is only available for Windows 8/Server 2012 based systems.

  • OK, I got the two files from a 2012 R2 member server. I created the following folders:

    C:\Windows\SYSVOL\sysvol\mydomain.org\Policies\PolicyDefinitions

    and

    C:\Windows\SYSVOL\sysvol\mydomain.org\Policies\PolicyDefinitions\en-US

    I put the following both files (Windows.admx and WindowsUpdate.adml) in both directories on our Windows 2008 R2 DC's and forced replication. Now I get the following error when I try to edit GPO's:

    Encountered an error while parsing

    An appropriate resource file could not be found for the file \\mydomain.org\Sysvol\mydomain.org\Polices\PolicyDefin...\Windows.admx

    (error = 2): The system cannot find the file specified.

    Where is the correct place to put these two files?

  • I had the same issue when I copied the Windows.admx and WindowsUpdate.adml to the locations Paul mentions. So instead I did the following:-

    Copy WindowsUpdate.admx from

    C:\Windows\PolicyDefinitions

    to

    \\<domain name>\sysvol\<domain name>\Policies\PolicyDefinitions

    then I copied WindowsUpdate.adml from

    C:\Windows\PolicyDefinitions\en-US

    to

    \\<domain name>\sysvol\<domain name>\Policies\PolicyDefinitions\en-us

  • Thanks DaveB, that worked.

  • I've managed to set a GPO to install updates via my WSUS server, AND with a day of week and time (Saturdays at 5am), AND find out how to set the new "Always automatically restart at the scheduled time" GPO option while still only having a 2008-R2 domain controller. However, one last hurdle... is there a setting to force installation of updates if you've left and admin user logged in (with a disconnected RDP session)? From my testing it appears Server 2012 and Server 2012-R2 only install updates on the scheduled day and time if no users are logged in. I'd like to override that setting in case one of the techs forgets and just disconnects. Thanks -Tim

  • Hi, I am seeing the same issue on 2012 R2 - are you sure this has been fixed in 2012 r2? I still get "Restart to finish updating your PC - Save your work, restart your PC now to finish installing important udpates. If you choose later, your pc will automatically restart in 1 day" - this is obviously not acceptable for a production file server!!!!! FAIL FAIL MICROSOFT!

  • Scott Struzik - you really nailed it. Why is MS so hell bent on change for the sake of change and not change for the sake of making things better or easier. We all know where the update schedule was - now just put back the schedule and make it include 15 minute increments and EVERYONE (except the idiots at MS who made this stupid change) will be happy. Sure keep the ability to do it with a GP but why remove something that has worked well (except the limit of on the hour) feature for a decade? WTF is wrong with you MS?

  • I faced the same problem and I got solution from: http://www.microsoftsupportchat.com/blog/post/windows-update-problems/

  • is this update required for 2012 R2? I can't get a reliable automatic update. Seems completely random - I set it for 1AM and it happens whenever it feels like it days later. Why would MS do this?

  • I have a number of 2012 R2 servers - still has eratic updates even though it says "Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren't any additional updates you need to install." 2003, 2003R2, 2008, 2008R2 all updates working fine.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment