SOLVED: Group policies to make restarts happen when users are not logged in

  • Question

  • This should be a simple solution but if someone could please give me a quick sanity check I'd really appreciate it...

    We're running exclusively Windows 10 1803 clients, I have the following policies set:

    1. Allow Automatic Updates immediate installation = Disabled (because my supervisor says so)
    2. Allow signed updates from an intranet Microsoft update service location = Enabled (because I'm pushing 3rd party updates, i.e. Java)
    3. Always automatically restart at the scheduled time = Disabled (I want the client to restart after the 3am updates are installed but we've had cases where the updates restart at 8am when users login)
    4. Do not allow update deferral policies to cause scans against Windows Update = Enabled (this disables dual-scan)
    5. Do not connect to any Windows Update Internet locations = Enabled (this was intended as a second level protection against dual-scan)
    6. Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box = Enabled (this does not seem to work in Win 10 but I've left it set anyway)
    7. Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates = Enabled (this does not seem to work in Win 10 but I've left it set anyway)
    8. Reschedule Automatic Updates scheduled installations = Disabled (I want the client to wait until the next scheduled day)
    9. Specify intranet Microsoft update service location = Enabled (and I've pointed this to my WSUS)
    10. Turn off auto-restart during active hours = Enabled (and I've set this to 5am - 9pm)

    You're probably asking why I'm not setting 'Configure Automatic Updates', and the answer is I'm setting this with Group Policy Preferences > Registry items so that I can have 1 WSUS policy for my domain and have each of my physical locations install updates on different days of the week.  Using item-level targeting as shown in the screenshot below I can set 'Configure Automatic Updates' to a different value for each of my locations, and this is working.

    Should my clients wake from sleep at 3am to install their updates?  I've found this not to be the case, so to accomplish this I've a scheduled task set up (delivered via group policy Preferences > Scheduled Tasks) on our clients to initiate a restart at 1:30am, with a 30 min countdown, so the actual restart occurs at 2am.  This task DOES wake the client from sleep at 1:30am, they restart (and kick out any user who is logged in which was another requirement I was given) at 2am and the client is then awake at 3am to install its updates.

    The reason I'm looking for a sanity check is I'm getting a popup message (with 'Restart Now', 'Pick a Time' and 'Snooze' buttons) telling me the client needs to be restarted to complete the updates.  I don't want this to happen, and ultimately I want the clients to restart after the 3am updates, or at least restart when users are not using the computer, this is why I've set Active Hours 5am-9pm.

    Am I missing a policy setting that I need to make this happen?


    • Edited by J. Wall Friday, November 9, 2018 2:22 PM Marked issue solved
    Monday, October 29, 2018 7:40 PM

Answers

  • Hello,
     
    Glad to answer your question.
     
    Based on your description, you set your policy to install updates at 3am, and want to restart immediately after the installation, right? If I misunderstand something, please let me know.

    To achieve your goal, you should enable "Always automatically restart at the scheduled time", it means "If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days." And there would be at least 15 mins left before the restart.

    If this policy doesn't work as expected, then we should figure out why. But if you disable it, there are no other policies to automatically start a restart.
     
    Another method is setting a deadline for installation. The deadline should be outside of the working hours, and it could ensure the installation (including the restart) is completed when deadline arrives.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray 

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by J. Wall Friday, November 9, 2018 2:22 PM
    Tuesday, October 30, 2018 1:04 AM
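
To confirm on a client that the settings discussed above have actually landed, the registry values behind these policies can be compared with what the thread intends. This is an added example, not part of the original posts; it uses the standard policy-backed value names under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. `AUOptions = 4` (auto download and scheduled install) is an assumption, since the thread does not state which 'Configure Automatic Updates' option is pushed through Group Policy Preferences.

```powershell
# Added example: audit the effective Windows Update policy values on one client.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Expected values follow the settings described in this thread.
# AUOptions = 4 is an assumption (the thread does not give the exact option).
$expected = @(
    @{ Path = $au; Name = 'AlwaysAutoRebootAtScheduledTime'; Want = 1 }   # the fix from the answer
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers';   Want = 0 }   # if 1, the policy above has no effect
    @{ Path = $au; Name = 'AUOptions';                       Want = 4 }
    @{ Path = $au; Name = 'ScheduledInstallTime';            Want = 3 }   # 03:00
    @{ Path = $au; Name = 'UseWUServer';                     Want = 1 }
    @{ Path = $wu; Name = 'DisableDualScan';                 Want = 1 }
    @{ Path = $wu; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Want = 1 }
    @{ Path = $wu; Name = 'SetActiveHours';                  Want = 1 }
    @{ Path = $wu; Name = 'ActiveHoursStart';                Want = 5 }   # 5am
    @{ Path = $wu; Name = 'ActiveHoursEnd';                  Want = 21 }  # 9pm
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($e in $expected) {
    $actual = Get-PolicyValue $e.Path $e.Name
    # A value that must be 0 is also satisfied when it is simply not set.
    $ok = ($actual -eq $e.Want) -or ($null -eq $actual -and $e.Want -eq 0)
    [pscustomobject]@{
        Value    = $e.Name
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($ok) { 'OK' } else { 'MISMATCH' }
    }
}
$report | Format-Table -AutoSize

# This key exists while installed updates are still waiting for a restart.
$pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
"Restart pending for installed updates: $pending"
```

A client that still shows a pending restart after the scheduled install window, or a `MISMATCH` on `AlwaysAutoRebootAtScheduledTime`, has installed updates that are not yet in effect.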

All replies

  • Thanks very much for the reply Ray.  I've now re-enabled the "Always automatically restart at the scheduled time" policy.  Like I said I did have this enabled previously and users were still being prompted to restart, but I'm happy to follow your advice and give it another try.   I'll let you know how this works.

    Can you confirm whether clients should wake at 3am to install updates?

    Tuesday, October 30, 2018 1:47 PM
  • Hello,
     
    It should work. At least, it works well in my lab.
     
    Note that this policy is supported on at least Windows Server 2012, Windows 8 or Windows RT.
     
    Best Regards,
    Ray

    Wednesday, October 31, 2018 1:49 AM
  • Hello,
     
    I noticed that you have not updated the post for a while. Has your issue or question been resolved now? Or is there any update? Please feel free to give feedback.
     
    Best Regards,
    Ray

    Friday, November 9, 2018 3:02 AM
  • Thanks for checking in Ray. Since re-enabling "Always automatically restart at the scheduled time"  I haven't had any complaints about the machines restarting when a user logs in.  I'll mark this issue solved, if anything changes I'll let you know.
    Friday, November 9, 2018 2:22 PM