none
Server 2016,1607, How to prevent and disable - auto restart after windows update instalation RRS feed

  • Question

  • Good afternoon colleagues!

    There are Windows Server 2016, 1607, 10.0.14393

    On several servers, there are 2 Group Policy update settings for these servers:

    1. configure Automatic Updates - option 4 is selected, every day - download, at 5 am - installation

    2. No Auto-restart with logged on users ....... instalations - enable

    Nevertheless, the update is installed at different times. The default time from 8 a.m. to 5 p.m. should not - if I am not mistaken, but the active hours do not work - if the option "No auto-restart with logged on users for scheduled automatic updates installations" is enabled - and it is turned on (If any of the following two policies are enabled, this policy has no effect: 1. No auto-restart with logged on users for scheduled automatic updates installations. 2. Always automatically restart at scheduled time. - these are the active clock parameter rules)

    And on July 1 there was a reboot at 20-00, the update was 16 hours of the day. (this info was issued by viewing of events)

    It turns out that the server is updated when it wants - and reboots when it wants))))

    How to deal with this?

    Plus, as I understand it - the Group Policy setting, "No auto-restart with logged on users for scheduled automatic updates installations" - implies a connected session, and if the administrator closed RDP - but the session is not completed = then Windows considers it to be inaction by the user and no active connection - and naturally reboots
    Auto installation of updates at the appointed 5 am is required - but without a reboot, you need to do a reboot with your hands.

    How to setup
    Thursday, July 2, 2020 11:05 AM

All replies

  • Hi,

    Thanks for posting on this forum.

    As you mentioned, there are two group policies: Always automatically restart at the scheduled time and Always s automatically at the time. There is a conflict between the two policies. It is recommended to select one of them. For an enterprise environment, if you do not want the working hours to restart, I recommend that you enable the following Group Policy: Always automatically restart at the scheduled time. After this Group Policy is applied, the client automatically restarts at a specified time after installing the update.

    Here is a link about policy setting on windows 10 client for your reference:

    https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart

    In addition, if the client automatic installation for some reason does not have a normal automatic installation, we could add an additional automatic installation cycle to start a new round of automatic installation. Please refer to the image below for this feature settings:




    If you have any issues about this case, please keep us in touch. Hope you have a nice weekend.

    Regards,
    Rita  


    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 3, 2020 1:59 AM
  • Good day !

    Thank you for reply. 

    I read this article before writing here.
    If not everything is clear in the text - I write through a Google translator
    Windows Server is used as an application server and there are several of them.
    1. As I understand it, the option - which I would like to:
    Installation at the scheduled time of 5 am and manual reboot, can not be configured - Do I understand you correctly?

    2. Your screen is different from mine. I am using GP managemnt editor Windows Server 2016 1607, 10.0.14393.
    You advise to use - installation and reboot according to the schedule, indicating the active hours and time of service.
    Based on my screen, the service will be every day, for example, at 2 a.m., and active hours are indicated from 8 a.m. to 10 p.m.
    Did I understand you correctly ?
    Friday, July 3, 2020 4:00 AM
  • Hi,

    Thanks for your response.

    Installation at the scheduled time of 5 am and manual reboot, can not be configured - Do I understand you correctly?

    The client which enabled this policy will restart automatically by default after updates installed. However, if the client is logged in when the client restarts, the client will notify the user to restart. Please refer to the screenshot below:



    For the second question, this may be related to the policy template. As for activation time, the client can set itself. Please refer the following picture to set activation hours on the client:



    Note that if the above Group Policy is enabled, there is a conflict with the following two policies:
     1. No auto-restart with logged on users for scheduled automatic updates installations.
     2. Always automatically restart at scheduled time.

    Regards,
    Rita 


    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 3, 2020 10:23 AM
  • parameter:
    No auto-restart with logged on users for scheduled automatic updates installations
    Conflicts with our other policies:
    Session time limits:

    Set time limit for active but idle RDS sessions = enabled 1 day

    Set time limit for disconnected sessions = enabled 5 days

    For users - developers, this rule is created, usually they do not end the session - they just close the RDP window

    The same rule should work for the administrator user.


    "Turn off auto-restart for updates during active hours" - I know that it does not work with the following policy, which applies:
    No auto-restart with logged on users for scheduled automatic updates installations
    So what have we come to?
    Manual reboot cannot be configured, right?
    These are very critical application servers, so this is important to us. For example, a cumulative package is released once a month - therefore, I would like to manually reboot on a day off when there is time in case something goes wrong.

    Then your recommendations and best practice, advise.
    Friday, July 3, 2020 12:54 PM
  • Hi Ddos-davai_do_svidaniya(MCP),
     
    Thanks for your time.
     
    Because the actual environment is more complex, it is difficult for me to give you a definitive reply. In my opinion, this feature is difficult to configure. 
     
    I will do further analysis on this issue. If there is any follow-up, I will contact you first.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 6, 2020 10:15 AM
  • Hello Rita Hu!

    Thanks for reply.

    Here is a question

    1.
    There are policies Set time limits - which has 2 scopes of objects, for computers and for users. 


    If for computers - then everything is clear.
    I tried to use this policy for users - and apply for authenticated users.
    Will this work for domain users?

    So far, it does not apply to me. = (((
    Maybe I misconfigured.

    2.
    The domain group does not include "authenticated users" - the local administrator (the local windows server administrator user) is not included, right?
    If you configure "Session Time limits" for "authenticated users \ domain users", the local administrator will always be connected, right?
    He will not be dumped?


    Wednesday, July 8, 2020 9:24 AM
  • Hi Ddos-davai_do_svidaniya(MCP),
     
    Thanks for your sharing.
     
    These policies are associated with User Policies. I may need more time to research. If there are any updates, I will confirm you first. 
     
    Thanks for your patience and cooperation.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 9, 2020 5:28 AM
  • I checked it works.
    It is necessary to apply on OU containing the necessary users.
    If the local admin session is not reset, the computer will wait for a manual reboot. That is, manual reboot is configured in this way in my case, right?
    I think that the topic can be closed, because it needs to be tested already for installing updates, it will take a lot of time.
    Thursday, July 9, 2020 10:02 AM
  • Hi Ddos-davai_do_svidaniya(MCP),
     
    Thanks for your sharing.
     
    Apply this policy-[No auto-restart with logged on users for scheduled automatic updates installations] to set up a client manual restart. Theoretically, restarting manually occurs when RDP sessions are active. Whether this feature can be implemented is mainly depends on the application of other Group policies forces the remote session to be activated. 
     
    It's an idealized situation. Whether it can be achieved or not depends on the actual situation. It's hard to give a definitive answer. I think it can only be verified through specific experiments.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 10, 2020 6:11 AM