locked
WSUS vs. Win 10. Getting updates to install RRS feed

  • Question

  • Hi folks,

    Are any extra GPO changes required to get Win 10 to actually install updates?

    I've reimaged several hundred PCs with 1803 and from what I can see Windows Update on a client PC is showing updates are there, but it doesn't seem to install them. I know that there's this concept of "Active Hours" with a Win 10 PC, which seem to be set to 8am - 5pm, but having left the PCs overnight the updates are still pending. I've manually rebooted the PCs as well.

    In terms of GPOs, I have the following set under Computer Config > Policies > Administrative Templates > Windows Components > Windows Update

    Allow Automatic Updates immediate installation = Enabled
    Configure Automatic Updates
    Configure Automatic Updating = 4 - Auto download and schedule the install
    Schedule install day = 0 - Every day
    Scheduled install time = 15:00
    Do not connect to any Windows Update Internet locations = Enabled
    Enable client-side targeting = Enabled
    No auto-restart with logged on users for schedule automatic updates installations = Enabled
    Specify intranet Microsoft update service location = WSUS server is defined here
    Turn on Software Notifications = Disabled

    I'm not really that fussed when the updates get installed, just that it doesn't reboot the PC or otherwise interfere with the user on the PC.

    Any advice appreciated!

    Thanks
    • Edited by Testing72 Tuesday, August 14, 2018 10:05 AM
    Tuesday, August 14, 2018 10:05 AM

All replies

  • Hello,
     
    I am glad to provide my suggestion and hope they are helpful.
     
    Note that "Allow Automatic Updates immediate installation" only works for minor updates. If you want all updates to be installed immediately at scheduler time, the best practice is setting a deadline for them. Refer to following article:
     
    Client Behavior with Update Deadlines
    https://docs.microsoft.com/pt-br/security-updates/windowsupdateservices/18139485

    Hope above information could help you and look forward to your feedback.
     
    Best Regards,

    Ray Jia

    Wednesday, August 15, 2018 12:52 AM
  • Take  a peek at my guide:

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

    • No auto-restart with logged on users for schedule automatic updates installations = DISABLED
    • Specify the alternative update server
    • Specify Active Hours

    Those are the ones I can quickly remember to do for your instance - confirm with my guide for the details.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, August 15, 2018 3:39 AM
  • Thanks both for the replies. It looks like I might have been impatient though as I logged on to a PC just after 3pm and opened Windows Updates to spot them installing.

    "No auto-restart with logged on users for schedule automatic updates installations = DISABLED"

    According to GPO "If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation." I wouldn't want that to happen, I'd only want them installed when the user is not on the PC. "If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer."

    Wednesday, August 15, 2018 7:36 AM
  • Set Active Hours and it will not restart during them.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, August 15, 2018 2:00 PM
  • What I would actually like to achieve is for updates to be checked for, and installed, at any time. I just don't want the PC to reboot with a user logged in. Is there a way to achieve that via a GPO?
    Thursday, August 16, 2018 10:44 AM
  • And risk never having the PC restart to actually apply the updates? Remember, users love to push you to the limits. They may tell you that they'll restart but actually doing it - those are the rarity ones. It always becomes the age old tale of ... 'I'll do it tomorrow' or 'not now' or 'now's not a good time'.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, August 20, 2018 1:34 AM
  • Hello,

     

    To achieve your goal, your setting for Group Policy should enough.

     

    If you want more control to the restart behavior, refer to following link:

     

    Manage device restarts after updates
    https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart

     

    Hope my answer could help you and look forward to your feedback.

     

    Best Regards
    Ray Jia


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 20, 2018 3:17 AM
  • This is a school, and we have some additional software that shuts PCs down after an hour of no usage. So the PCs are definitely shut down on a frequent basis.
    Monday, August 20, 2018 7:17 AM
  • This is a school, and we have some additional software that shuts PCs down after an hour of no usage. So the PCs are definitely shut down on a frequent basis.
    Shutting down and restarting are 2 very different things (other than the obvious power off). Since Windows 8 introduced Fast Startup Mode, shutting down the system doesn't actually 'shut down' Windows... It logs off the user and then hibernates the system. Sure, it then powers off the computer but when the computer starts back up again, it loads back from the hibernated state so the Windows Services don't actually 'restart' thereby not applying any Windows updates.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, August 20, 2018 2:33 PM
  • Oh, and Fast Startup Mode is a good thing. It makes the user experience FASTER and better. As long as you're aware of it and that it actually doesn't restart the Windows ecosystem, you can adjust how you work and restart once a week, once every couple of weeks, etc.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, August 20, 2018 2:35 PM
  • We have disabled Fast Startup because it caused issues with some older hardware (NIC failed to come back up after turning back on).
    Monday, August 20, 2018 2:39 PM