locked
Win10 and WSUS RRS feed

  • Question

  • I noticed that when MS applies it's updates, my machine as well as other's, MS likes to reboot the machines within active hrs regardless if a user is logged on or not.

    I have my WSUS server set with a 7 day deadline. Today I automatically clicked install updates (since MS released updated yesterday, but the deadline did not get applied yet).

    I see that the PC is showing that it will reboot at 11:00am. Please see pics below.

    My machine has active hrs set from 8-5pm. Please see pics below.

    As you can see, my machine has active hrs set, but MS seems to override the setting every

    time a update comes out.

    My Reg settings:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

    Anyone have any insight as to what is happening here?

    Thanks


    • Edited by vs2017sv Wednesday, September 13, 2017 12:52 PM typo
    Wednesday, September 13, 2017 12:28 PM

All replies

  • Hello,

    It seems like that your computer is point to WSUS server for updates. Please check below explanation about registry keys for windows update. 

    AUOptions Reg_DWORD Range = 2|3|4|5

    - 2 = Notify before download.
    - 3 = Automatically download and notify of installation.
    - 4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.
    - 5 = Automatic Updates is required and users can configure it.

    ScheduledInstallDay Reg_DWORD Range = 0|1|2|3|4|5|6|7

    - 0 = Every day.
    - 1 through 7 = the days of the week from Sunday (1) to Saturday (7).
    (Only valid if AUOptions = 4.)
    ScheduledInstallTime Reg_DWORD Range = n, where n = the time of day in 24-hour format (0–23).
    UseWUServer Reg_DWORD Range = 0|1

    - 1 = The computer gets its updates from a WSUS server.
    - 0 = The computer gets its updates from Microsoft Update.
    - The WUServer value is not respected unless this key is set.

    So the restart time is controlled by your system admin, everyday 11 AM, it will need to restart for update installation. 

    Regards,

    Yan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 14, 2017 5:21 AM
  • So why are we not seeing the forcefull reboot on win 7/ win8.1 machines?

    We are only seeing this behavior on window 10.

    Is the NoAutoRebootWithLoggedOnUser being overridden?

    If I removed the "ShcheduledInstallTime" key, would the machine's then follow the default active hrs and/ or the 7 day deadline we have set on our automatic approvals in WSUS?

    Please advise.

    Thank you!

    • Edited by vs2017sv Thursday, September 14, 2017 12:19 PM
    Thursday, September 14, 2017 11:55 AM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    • Edited by AJTek.caMVP Thursday, September 14, 2017 5:37 PM
    • Proposed as answer by Yan Li_ Monday, September 18, 2017 9:28 AM
    Thursday, September 14, 2017 5:33 PM
  • Hello,

    The following table shows the resulting behaviors when NoAutoRebootWithLoggedOnUsers is enabled (set to 1), or disabled or not configured (not set to 1).

    Scenario following a scheduled installation

    With NoAutoRebootWithLoggedOnUsers enabled

    With NoAutoRebootWithLoggedOnUsersdisabled or not configured

    No users logged on

    Automatic restart immediately after installation.

    Automatic restart immediately after installation.

    Single user with administrative privileges

    Restart notification allows user to initiate the restart or postpone restart. This notification does not have a countdown timer. The user must initiate the system restart.

    Restart notification allows user to initiate the restart or postpone restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.

    Single user with restart privileges but no other administrative privileges

    Restart notification allows user to initiate, but not postpone, the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    Restart notification allows user to initiate, but not postpone, the restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.

    Single non-administrator without restart privilege

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must wait for an authorized user to initiate the system restart.

    Restart notification does not allow the user to initiate or postpone the restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.

    Administrator while other users are logged on

    Restart notification does not allow the user to initiate the restart, but it allows the user to postpone the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    Restart notification allows the user to initiate or postpone the restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.

    Non-administrator with restart privilege while other users are logged on

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    Restart notification does not allow the user to initiate or postpone the restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.

    Non-administrator without restart privilege while other users are logged on

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must wait for an authorized user to initiate the system restart.

    Restart notification does not allow the user to initiate or postpone the restart. This notification has a five-minute countdown timer. When the timer expires, the automatic restart begins.


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 18, 2017 9:33 AM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    We are not on a domain, so we set the keys via a script on all machines, which sets the reg keys as seen above.

    Monday, September 18, 2017 2:49 PM
  • Whether the logged on user belong to administrators group?

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 19, 2017 8:29 AM
  • Whether the logged on user belong to administrators group?

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Logged on user is a non-administrator account.
    Tuesday, September 19, 2017 8:04 PM
  • Hello,

    With NoAutoRebootWithLoggedOnUsers enabled

    When the logged on user is a Single user with restart privileges but no other administrative privileges

    Restart notification allows user to initiate, but not postpone, the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    When logged on user is a Single non-administrator user without restart privilege:

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must wait for an authorized user to initiate the system restart.


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 20, 2017 2:12 AM
  • Hello,

    With NoAutoRebootWithLoggedOnUsers enabled

    When the logged on user is a Single user with restart privileges but no other administrative privileges

    Restart notification allows user to initiate, but not postpone, the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    When logged on user is a Single non-administrator user without restart privilege:

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must wait for an authorized user to initiate the system restart.


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Would changing the "AUOPTION" to 3 prevent the machines from rebooting during active hours?

    Overall, the machine's get rebooted manually every night.

    I am confused as to why this worked fine in all other OS's excluding Windows 10.

    We have our WSUS server set to auto approve updates with a 7 day/ 7am deadline.

    Overall, I am trying to accomplish having updated download and install without any user interaction and follow the 7 day deadline (No reboots when user is logged on or inside of active hours) unless the user initiates the reboot.

    Please advise and thanks for the help!

    Wednesday, September 20, 2017 7:03 PM
  • Hello,

    With NoAutoRebootWithLoggedOnUsers enabled

    When the logged on user is a Single user with restart privileges but no other administrative privileges

    Restart notification allows user to initiate, but not postpone, the restart. This notification does not have a countdown timer. The user must initiate the system restart.

    When logged on user is a Single non-administrator user without restart privilege:

    Restart notification does not allow the user to initiate or postpone the restart. This notification does not have a countdown timer. The user must wait for an authorized user to initiate the system restart.


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Would changing the "AUOPTION" to 3 prevent the machines from rebooting during active hours?

    Overall, the machine's get rebooted manually every night.

    I am confused as to why this worked fine in all other OS's excluding Windows 10.

    We have our WSUS server set to auto approve updates with a 7 day/ 7am deadline.

    Overall, I am trying to accomplish having updated download and install without any user interaction and follow the 7 day deadline (No reboots when user is logged on or inside of active hours) unless the user initiates the reboot.

    Please advise and thanks for the help!

    Well that did not do the trick.

    Today the update applied and my PC randomly went down for a reboot again!

    Tuesday, September 26, 2017 1:33 PM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    AdamJ,

    Can you please provide me with a screenshot of your computer's AU reg keys?

    Also GPO?


    Tuesday, October 17, 2017 7:45 PM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    AdamJ,

    Can you please provide me with a screenshot of your computer's AU reg keys?

    Also GPO?



    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            WUServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 1
      Name:            WUStatusServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 2
      Name:            UpdateServiceUrlAlternate
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 3
      Name:            TargetGroupEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            TargetGroup
      Type:            REG_SZ
      Data:            Workstations; Test - Workstations
    
    Value 5
      Name:            SetActiveHours
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ActiveHoursStart
      Type:            REG_DWORD
      Data:            0x8
    
    Value 7
      Name:            ActiveHoursEnd
      Type:            REG_DWORD
      Data:            0x12
    
    Value 8
      Name:            SetAutoRestartDeadline
      Type:            REG_DWORD
      Data:            0x1
    
    Value 9
      Name:            AutoRestartDeadlinePeriodInDays
      Type:            REG_DWORD
      Data:            0x7
    
    Value 10
      Name:            SetAutoRestartNotificationConfig
      Type:            REG_DWORD
      Data:            0x1
    
    Value 11
      Name:            AutoRestartNotificationSchedule
      Type:            REG_DWORD
      Data:            0x3c
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            UseWUServer
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            DetectionFrequencyEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            DetectionFrequency
      Type:            REG_DWORD
      Data:            0x14
    
    Value 3
      Name:            NoAutoUpdate
      Type:            REG_DWORD
      Data:            0
    
    Value 4
      Name:            AUOptions
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            AutomaticMaintenanceEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ScheduledInstallDay
      Type:            REG_DWORD
      Data:            0
    
    Value 7
      Name:            ScheduledInstallTime
      Type:            REG_DWORD
      Data:            0x10
    
    Value 8
      Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    
    
    

    There's the Registry info.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, October 19, 2017 4:56 PM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    AdamJ,

    Can you please provide me with a screenshot of your computer's AU reg keys?

    Also GPO?



    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            WUServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 1
      Name:            WUStatusServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 2
      Name:            UpdateServiceUrlAlternate
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 3
      Name:            TargetGroupEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            TargetGroup
      Type:            REG_SZ
      Data:            Workstations; Test - Workstations
    
    Value 5
      Name:            SetActiveHours
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ActiveHoursStart
      Type:            REG_DWORD
      Data:            0x8
    
    Value 7
      Name:            ActiveHoursEnd
      Type:            REG_DWORD
      Data:            0x12
    
    Value 8
      Name:            SetAutoRestartDeadline
      Type:            REG_DWORD
      Data:            0x1
    
    Value 9
      Name:            AutoRestartDeadlinePeriodInDays
      Type:            REG_DWORD
      Data:            0x7
    
    Value 10
      Name:            SetAutoRestartNotificationConfig
      Type:            REG_DWORD
      Data:            0x1
    
    Value 11
      Name:            AutoRestartNotificationSchedule
      Type:            REG_DWORD
      Data:            0x3c
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            UseWUServer
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            DetectionFrequencyEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            DetectionFrequency
      Type:            REG_DWORD
      Data:            0x14
    
    Value 3
      Name:            NoAutoUpdate
      Type:            REG_DWORD
      Data:            0
    
    Value 4
      Name:            AUOptions
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            AutomaticMaintenanceEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ScheduledInstallDay
      Type:            REG_DWORD
      Data:            0
    
    Value 7
      Name:            ScheduledInstallTime
      Type:            REG_DWORD
      Data:            0x10
    
    Value 8
      Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    
    

    There's the Registry info.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    AdamJ,

    Do you set a dealine on your windows 10 updates?

    For example, today I approved the win10 1709 update for a PC.

    The update did have a deadline on it (7 days after update was approved). My co-worker was working on his PC (He was in the middle of typing) and the PC went down for a reboot.

    My thoughts are....

    1) The deadline forced the reboot

    2) He was typing and must have hit a key that told the win10 notification to reboot now?

    I am not 100% sure.

    The following reg key is set to "RestartNotificationsAllowed" (0).

    I am thinking that I should possibly create a "win10 upgrade" group and just move machines into that group when we are ready to go to a new build. Also do not set a deadline as that will not force the reboot... (if the deadline is what caused this behavior).

    Please advise. Thanks

    Thursday, November 2, 2017 8:42 PM
  • Post a screenshot of your GPOs and/or the result page from gpresult /h gpo.htm

    Something is conflicting. Mine works as advertised - Install every day at 4pm and reboot outside of active hours if needed. Mind you if they are still logged in it forces the reboot outside of active hours, which is what I want as people keep failing to sign out or reboot every day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    AdamJ,

    Can you please provide me with a screenshot of your computer's AU reg keys?

    Also GPO?



    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            WUServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 1
      Name:            WUStatusServer
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 2
      Name:            UpdateServiceUrlAlternate
      Type:            REG_SZ
      Data:            https://server.domain.local:8531
    
    Value 3
      Name:            TargetGroupEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 4
      Name:            TargetGroup
      Type:            REG_SZ
      Data:            Workstations; Test - Workstations
    
    Value 5
      Name:            SetActiveHours
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ActiveHoursStart
      Type:            REG_DWORD
      Data:            0x8
    
    Value 7
      Name:            ActiveHoursEnd
      Type:            REG_DWORD
      Data:            0x12
    
    Value 8
      Name:            SetAutoRestartDeadline
      Type:            REG_DWORD
      Data:            0x1
    
    Value 9
      Name:            AutoRestartDeadlinePeriodInDays
      Type:            REG_DWORD
      Data:            0x7
    
    Value 10
      Name:            SetAutoRestartNotificationConfig
      Type:            REG_DWORD
      Data:            0x1
    
    Value 11
      Name:            AutoRestartNotificationSchedule
      Type:            REG_DWORD
      Data:            0x3c
    
    
    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    Class Name:        <NO CLASS>
    Last Write Time:   2017-10-17 - 9:00 AM
    Value 0
      Name:            UseWUServer
      Type:            REG_DWORD
      Data:            0x1
    
    Value 1
      Name:            DetectionFrequencyEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 2
      Name:            DetectionFrequency
      Type:            REG_DWORD
      Data:            0x14
    
    Value 3
      Name:            NoAutoUpdate
      Type:            REG_DWORD
      Data:            0
    
    Value 4
      Name:            AUOptions
      Type:            REG_DWORD
      Data:            0x4
    
    Value 5
      Name:            AutomaticMaintenanceEnabled
      Type:            REG_DWORD
      Data:            0x1
    
    Value 6
      Name:            ScheduledInstallDay
      Type:            REG_DWORD
      Data:            0
    
    Value 7
      Name:            ScheduledInstallTime
      Type:            REG_DWORD
      Data:            0x10
    
    Value 8
      Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    

    There's the Registry info.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    AdamJ,

    Do you set a dealine on your windows 10 updates?

    For example, today I approved the win10 1709 update for a PC.

    The update did have a deadline on it (7 days after update was approved). My co-worker was working on his PC (He was in the middle of typing) and the PC went down for a reboot.

    My thoughts are....

    1) The deadline forced the reboot

    2) He was typing and must have hit a key that told the win10 notification to reboot now?

    I am not 100% sure.

    The following reg key is set to "RestartNotificationsAllowed" (0).

    I am thinking that I should possibly create a "win10 upgrade" group and just move machines into that group when we are ready to go to a new build. Also do not set a deadline as that will not force the reboot... (if the deadline is what caused this behavior).

    Please advise. Thanks

    Deadlines are your issue.

    I do not set deadlines. All my systems check for updates daily and will install daily too.

    When I did set deadlines, I had random reboots in the middle of the day.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, November 2, 2017 11:45 PM
  • So I removed my win10 deadlines, now my computer's show they will reboot outside of active hours.

    I have waited several days and the machine never reboots on it's own.

    Monday, November 13, 2017 6:52 PM
  •   Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    Is yours set this way? Was a user logged on?

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, November 13, 2017 7:03 PM
  •   Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    Is yours set this way? Was a user logged on?

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    "NoAutoRebootWithLoggedOnUsers"=dword:00000001

    A user was logged on and the screen was locked.

    Tuesday, November 14, 2017 1:38 PM
  •   Name:            NoAutoRebootWithLoggedOnUsers
      Type:            REG_DWORD
      Data:            0
    Is yours set this way? Was a user logged on?

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    "NoAutoRebootWithLoggedOnUsers"=dword:00000001

    A user was logged on and the screen was locked.

    Well that's your reason. A user was logged in, and your policy is setup to not reboot with logged on users.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Tuesday, November 14, 2017 2:22 PM