Update notifications for Windows 10 v1703

  • Question

  • Hi,

    We are having trouble with Windows 10 computers rebooting to apply updates without allowing users to delay, even when the deadline is still days away.

    I really appreciate anyone who reads all this and has a suggestion.

    We have WSUS working via GPO for our Windows 10 Pro systems from v1511 through 1703. We can update features, patch, and everything. But what has never worked is the notifications to users that updates are waiting to be installed.

    I'm talking specifically about the dialog which pops up after updates have been downloaded which says "We've got an update for you", and allows the users to pick a time. This message should appear around the same time as when the options under "Restart options" are no longer grayed out in the Update & Security screen.

    Until recently we had never seen this message. But we built one “virgin” test machine, updated to 1703, blocked it from other GPOs, and it does present the notification "We've got an update for you". Brilliant.

    But we can't make it happen on any other machine. So we link enabled all the other GPOs we use but still no change. We can’t seem to break the working testing machine. So I start thinking the problem is not a GPO but something else.

    One thing about the working test machine: it has never had Deadlines forced from WSUS, while all other machines have.

    We finally broke down and used one of our vouchers for support with Microsoft but they cannot figure it out. For a week we went in a circle and I finally convinced them to escalate. The new rep is a little better but still no joy. 

    Microsoft has suggested no changes to our existing policy settings but they did have us add one: “Specify Engaged restart transition and notification schedule for updates”, and the values 2 (transition), 3 (snooze) and 0 (deadline). But this has not helped.

     More info:

    • RSOP proves the policies are being applied successfully.
    • This GPO was set up for Windows 7/8 and works perfectly for those systems.
    • Our WSUS is configured to automatically approve definition updates for SCEP.

     

    Our GPO settings:

    =======================

    Allow Automatic Updates immediate installation: Enabled

     Automatic Updates detection frequency: Enabled, Interval = 1 hour

     Configure automatic updates: 4, Disabled, 0 - Every day, 03:00, Disabled

     Delay Restart for scheduled installations: Disabled

     Enable client-side targeting (GPO name)

     Enable Windows Update power management to automatically wake up the system to install scheduled updates: Enabled.

     No auto-restart with logged on users for scheduled automatic updates installations: Enabled

     Re-prompt for restart with scheduled installations: Enabled, restart = 60 minutes

     Specify active hours range for auto-restarts: max range 12 hours

     Specify Engaged restart transition and notification schedule for updates: 2, 1, 0

     Specify intranet Microsoft update service location: Enabled, (URL to WSUS)

     Thank you very much for your time and any suggestions!

    Thursday, September 14, 2017 11:11 PM

All replies

  • Hello,

    Can you try the following GPO policies? It works in my environment.

    No auto-restart with logged on users for scheduled automatic updates installations: Disabled

    Turn off auto-restart for updates during active hours: Enabled

    Allow non-administrators to receive update notifications: Enabled

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 15, 2017 10:05 AM
  • Hello, Thanks for the reply. The second two sound like they could help and I'm going to test them. I am hesitant to enable the first, "No auto-restart with logged on users for scheduled automatic updates installations: Disabled"

    I'll let you know how I make out.

    Thanks again,

    -Bob

     
    Sunday, September 17, 2017 6:01 PM
  • The biggest thing is the deadline - I bet you there's a deadline in the mix (past or present) that's got an older date set than today's date. If this is the case, all updates will force the reboot (this is what I've seen). If you use a deadline, unset the deadline after you've confirmed all machines have the patch. Better yet, don't use deadlines and set the scheduled install for daily at a time that's good for MOST of your users. This way every day if there are any available (read approved) updates, they will be installed on systems.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, September 18, 2017 1:54 AM
  • How do I "unset" a deadline?

    Monday, September 18, 2017 2:51 AM
  • Go back and approve the update again, remove the deadline.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, September 18, 2017 2:59 AM
  • Another thing that I noticed about your settings is that "Specify Engaged restart transition and notification schedule for updates: 2, 1, 0" setting. This setting is enabled but within the GPO it states that:

    If any of the following policies are configured, this policy has no effect:
        1. No auto-restart with logged on users for scheduled automatic updates installations
        2. Always automatically restart at scheduled time
        3. Specify deadline before auto-restart for update installation

    I am guessing that the policy that is doing the Engaged restart is being bypassed if I am understanding this correctly.

    Funny thing is that I am trying to figure out how to get rid of the following messages to allow the Group Policies to restart the machines without having any user interaction whatsoever.  The less the users see, the less phone calls are generated by end users who click restart now and are down for 15 - 20 minutes during the peak time of the day.

    

    Tuesday, October 10, 2017 6:54 PM
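
The policy conflict quoted in the last reply can be checked on a client from the registry. The following is an added example, not part of the original thread: it reports whether any of the three policies named in the help text is configured alongside Engaged restart. The registry value names are assumptions (the values these policies are commonly documented to write, not taken from the thread) and should be confirmed against your WindowsUpdate.admx.

```powershell
# Added example. Value names below are assumed from common documentation of the
# Windows Update ADMX policies; confirm them against your own ADMX templates.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# The three policies the GPO help text says make Engaged restart ineffective.
$blockers = @(
    @{ Policy = 'No auto-restart with logged on users for scheduled automatic updates installations'
       Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers' },
    @{ Policy = 'Always automatically restart at scheduled time'
       Path = $au; Name = 'AlwaysAutoRebootAtScheduledTime' },
    @{ Policy = 'Specify deadline before auto-restart for update installation'
       Path = $wu; Name = 'SetAutoRestartDeadline' }
)

# Engaged restart policy: enable flag plus its three schedule values.
$engaged = Get-PolicyValue -Path $wu -Name 'SetEngagedRestartTransitionSchedule'
$schedule = [pscustomobject]@{
    Enabled    = $engaged
    Transition = Get-PolicyValue -Path $wu -Name 'EngagedRestartTransitionSchedule'
    Snooze     = Get-PolicyValue -Path $wu -Name 'EngagedRestartSnoozeSchedule'
    Deadline   = Get-PolicyValue -Path $wu -Name 'EngagedRestartDeadline'
}

# A value being present at all means the policy is configured (1 = Enabled,
# 0 = Disabled for the AU values), which is what the help text keys on.
$report = foreach ($b in $blockers) {
    $v = Get-PolicyValue -Path $b.Path -Name $b.Name
    [pscustomobject]@{
        Policy     = $b.Policy
        ValueName  = $b.Name
        Value      = $v
        Configured = ($null -ne $v)
    }
}

$schedule | Format-List
$report | Format-Table -AutoSize -Wrap

$conflicts = @($report | Where-Object { $_.Configured })
if ($engaged -eq 1 -and $conflicts.Count -gt 0) {
    Write-Warning ("Engaged restart is enabled, but {0} overriding policy value(s) are set; per the policy help text it has no effect." -f $conflicts.Count)
}
```

Run it in an elevated session on an affected client and on the working test machine, then compare the two reports.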