Server 2016 ignoring WSUS updates

  • Question

  • Hi all,

    We've recently started looking into Server 2016, and I'm having some problems getting it to work in line with the rest of our WSUS controlled servers (a mix of 2008, 2008 R2, and 2012 R2).

    On the older OSs, updates are approved, and then have a deadline set, according to their WSUS group. They then reboot either on this deadline, or straight away if the deadline has expired. 

    With the 2016 machines, this doesn't happen. I've deployed a test 2016 server from ISO (so no patches applied), joined it to our domain, and once hitting WSUS, it's detected the updates (with an expired deadline) and immediately downloaded them, and installed them. It's now sitting there, waiting for the active hours to end, at which point it says it'll install them. This isn't what we want to happen - we want them to adhere to deadlines, as per the rest of the servers. 

    Any ideas?

    Cheers!

    Joe

    Here's the GPO:

    Here's the update, with an expired deadline (it's 21st August today):

    And here's the Server, just waiting...

    Monday, August 21, 2017 9:15 AM

Answers

  • Well, I've managed to fix my own problem here, and here's the solution, in case others are struggling with this one...

    Scenario/outcome: we wanted to control updates using automatic approval rules, and assign deadlines automatically to trigger installations at a certain date (as worked fine with 2008/2008 R2/2012 R2). Added bonus requirement: if an update had an expired deadline when it was detected (for whatever reason), don't reboot during the working day (now possible thanks to active hours).

    I've now got this working as desired. Updates get assigned a deadline, and if that is in the future, then the update is downloaded. Installation and reboot are started at the time in the deadline. Perfect.

    If the deadline is in the past (say, a client was shut down/crashed or something) then it will download/install as soon as it's detected, and restart at a random time that's outside of the active hours. So if we have active hours of 0700-2300 for our server estate, then the restart will begin at 2301 or later.

    Gotchas: in Server 2016, 'check for updates' seems to be synonymous with 'check, download, install, and schedule a reboot for 15 minutes' time'! To prevent people from accidentally restarting the server with this, I've had to disable the 'check for updates' button. I think you can still kick it off with PowerShell though, although I've not yet tested this.

    GPO settings are like so: 

    The key, I think, was changing 'always restart at the scheduled time' to disabled, and relying on active hours instead.

    Hopefully someone else finds this useful! :)

    Joe 

    • Marked as answer by TriggerFish91 Friday, February 9, 2018 10:16 AM
    Friday, February 9, 2018 10:16 AM
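
An added example, not part of the original post: a PowerShell check that a server's applied Windows Update policy matches the configuration described in the answer above (active hours set, 'Always automatically restart at the scheduled time' disabled or not configured). It assumes the standard policy registry values behind these Group Policy settings; the 7 and 23 defaults are the example figures from the answer, and the function name `Test-WsusRestartPolicy` is hypothetical.

```powershell
# Added example: audit the restart-related Windows Update policy on this server.
# Expected values follow the answer above (active hours 0700-2300, forced
# scheduled restart disabled); adjust them for your own estate.
function Test-WsusRestartPolicy {
    param(
        [int]$ExpectedStart = 7,    # active hours start (hour, 0-23)
        [int]$ExpectedEnd   = 23    # active hours end (hour, 0-23)
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Read one policy value; $null means the policy is not configured.
    function Get-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $checks = @(
        @{ Name = 'SetActiveHours';   Path = $wu; Want = 1;              NullOk = $false }
        @{ Name = 'ActiveHoursStart'; Path = $wu; Want = $ExpectedStart; NullOk = $false }
        @{ Name = 'ActiveHoursEnd';   Path = $wu; Want = $ExpectedEnd;   NullOk = $false }
        # Disabled (0) and not configured both mean no forced restart timer.
        @{ Name = 'AlwaysAutoRebootAtScheduledTime'; Path = $au; Want = 0; NullOk = $true }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue $c.Path $c.Name
        $ok = ($actual -eq $c.Want) -or ($c.NullOk -and ($null -eq $actual))
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Want
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = [bool]$ok
        }
    }
}

# Report drift on the local machine.
Test-WsusRestartPolicy | Format-Table -AutoSize
```

Run it after `gpupdate /force` so the registry reflects the current GPO; any row with `Compliant` set to `False` marks a setting that differs from the configuration described in the answer.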

All replies

  • Hello,

    Active Hours is a new feature introduced in Windows 10 and Windows Server 2016. 

    You can configure the Active Hours through GPO or registry.

    Moreover, there are some policies that pertain to restart behavior. These policies apply to Windows 10 and Windows Server 2016 only. 

    For more details about Active Hours and policies for Windows 10 and Windows Server 2016, see the following article.

    https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart

    In my opinion, you can either modify the settings for Active Hours, or try the policy "Always automatically restart at the scheduled time".

    Best regards,
    Andy Liu 


    Tuesday, August 22, 2017 8:15 AM
  • Hi Andy,

    Thanks for that. I've changed the active hours to something more suitable, but as we're using deadlines, don't really see that they should come into play.

    I've added the 'Always automatically restart at the scheduled time' rule to my test GPO (with a 15 minute grace period). The new settings are being picked up, but the server is now just sat there with a 'will restart outside of active hours' message still.

    The installation is happening as it should do, but it's the reboot that's not getting triggered. For an update with an expired deadline, previous versions of Windows would install/reboot immediately, but this only seems to be doing half the job.

    We use the deadlines and staggered reboots across our server estate to ensure that things go down in the correct order, so this is fairly important to get working without a rejig of all of WSUS.

    Thanks,

    Joe

    Wednesday, August 23, 2017 9:33 AM
  • Have you tried removing the active hours entirely? I think if you delete them entirely, it might actually restart when you want it to.
    Wednesday, August 23, 2017 10:07 AM
  • No dice, sadly.

    I set them to disabled in the GPO, and with the 'IsActiveHoursEnabled:0' reg key at 

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

    As soon as it had installed updates, it reverted back to the default 0800-1700 active hours.

    Wednesday, August 23, 2017 12:22 PM
  • Same behavior on our side. WSUS Deadline ignored by Windows 2016 Servers. We have opened a case at MS and it's confirmed as a bug. Maybe there should be a fix soon.

    Best Regards

    Thomas

    • Proposed as answer by AJTek.caMVP Sunday, October 22, 2017 4:14 AM
    Friday, October 20, 2017 8:39 AM
  • Thanks - hopefully they'll fix it soon then...

    With updates being handled like this (two different reboot times, neither the time which was configured!) it's a management nightmare, and I daren't deploy it.

    Monday, October 23, 2017 9:45 AM
  • Same behavior on our side. WSUS Deadline ignored by Windows 2016 Servers. We have opened a case at MS and it's confirmed as a bug. Maybe there should be a fix soon.

    Best Regards

    Thomas

    Hi,

    Could you please give the case ID as reference? I might have to open a case also.


    • Edited by tkomulai Thursday, January 4, 2018 6:03 AM
    Thursday, January 4, 2018 6:03 AM