Server 2012 Windows Update Group Policy

    Question

  • I've deployed a few 2012 Servers using the same Group Policies that I have been using on our 2008 R2 SP1 servers for Windows Update.  On the 2008 R2 SP1 servers the boxes install updates at 2:00am and restart.  The 2012 servers install the updates at 3:00am and display a prompt that they will restart in a couple days.  It is now 14 days later and they still have not rebooted.  This is the only Group Policy applied to the OU these servers are in.  When looking at the UI for Windows Update > Change Settings, it says "Some settings are managed by your system administrator" but you cannot see the details like you used to so I know that Group Policy is at least trying to control Windows Update.  I've looked in the registry on the 2012 servers and the Group Policy settings are there but not all of them appear to be working.  Why is this occurring and what do I need to do to fix it?  Thanks.

    Friday, December 28, 2012 6:31 PM


All replies

  • Hi,

    I would like to suggest that you create and manage the Group Policies on Windows Server 2012 to check the result. As you know, Windows Server 2012 is the latest version of Windows Server and it includes all the newest Group Policy settings.

    For more information regarding Group Policy in Windows Server 2012, you may refer to the following TechNet blog:

    Windows Server 2012 and Windows 8 Group Policy spreadsheets - now available for download

    http://blogs.technet.com/b/keithcombs/archive/2012/09/17/windows-server-2012-and-windows-8-group-policy-spreadsheets-now-available-for-download.aspx

    Regards,
    Arthur Li

    TechNet Community Support

    Monday, December 31, 2012 3:42 AM
    Moderator
  • Hello,

    Please try to compare the registry settings in this registry key:

    HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

    Please also run a gpresult /h report.html on both systems.

    MVP Group Policy - Myths, insider information and troubleshooting on the topic of GPOs: Let's go, use GPO!

    Monday, December 31, 2012 2:09 PM
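    One way to do the comparison suggested above across several servers, as an added example that is not from this thread: it reads the policy values under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) together with the agent's "reboot required" flag and the number of logged-on sessions, so a 2008 R2 box and a 2012 box can be put side by side. The Maintenance Scheduler registry path and the AlwaysAutoRebootAtScheduledTime value names are assumptions; confirm them against gpresult /h output.

```powershell
# Added example (not from the thread): audit Windows Update policy values and
# reboot state on one or more servers. Remote hosts are read through
# PowerShell remoting, so WinRM must be enabled on them.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$audit = {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    # Assumption: the Maintenance Scheduler policy (Activation Boundary) lands here.
    $maint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance'
    # The agent creates this key when an installed update is waiting for a restart.
    $rebootFlag = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    function Get-Value($path, $name) {
        if (Test-Path $path) { (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$name }
    }

    [pscustomobject]@{
        Computer                               = $env:COMPUTERNAME
        OSVersion                              = [Environment]::OSVersion.Version.ToString()
        WUServer                               = Get-Value $policy 'WUServer'
        UseWUServer                            = Get-Value $au 'UseWUServer'
        AUOptions                              = Get-Value $au 'AUOptions'           # 4 = auto download and schedule install
        ScheduledInstallDay                    = Get-Value $au 'ScheduledInstallDay' # 0 = every day
        ScheduledInstallTime                   = Get-Value $au 'ScheduledInstallTime'
        NoAutoRebootWithLoggedOnUsers          = Get-Value $au 'NoAutoRebootWithLoggedOnUsers'
        AlwaysAutoRebootAtScheduledTime        = Get-Value $au 'AlwaysAutoRebootAtScheduledTime'        # assumed name
        AlwaysAutoRebootAtScheduledTimeMinutes = Get-Value $au 'AlwaysAutoRebootAtScheduledTimeMinutes' # assumed name
        MaintenanceActivationBoundary          = Get-Value $maint 'Activation Boundary'                 # assumed name
        RebootPending                          = Test-Path $rebootFlag
        # quser prints a header line followed by one line per session; no sessions -> 0
        LoggedOnSessions                       = @(quser 2>$null | Select-Object -Skip 1).Count
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $audit }
    else { Invoke-Command -ComputerName $c -ScriptBlock $audit -ErrorAction Continue }
}

$results | Format-List

# The case this thread is about: a restart is pending and nothing forces it while
# someone stays logged on. List those servers so they can be dealt with by hand.
$results |
    Where-Object { $_.RebootPending -and $_.AlwaysAutoRebootAtScheduledTime -ne 1 } |
    Select-Object Computer, OSVersion, ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers, LoggedOnSessions |
    Format-Table -AutoSize
```

Diffing two servers is then a matter of running it with both names and comparing the two Format-List blocks, or piping the objects to Compare-Object.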
  • Hi,

    Is this issue resolved for you? I am facing this same problem.

    Thursday, February 21, 2013 1:23 PM
  • Well, I ended up opening a case with Microsoft about this and the answer I got was disappointing. 

    I was able to set the time for automatic installation of the updates by setting the Group Policy located here: Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler->Maintenance Activation Boundary

    Windows 8 and Server 2012 will reboot after the updates have installed IF no one is logged onto the computer.  However, it still will not force a reboot with a user logged on like it used to in previous versions of Windows.  That is still a big problem for us, especially with our servers.  We have hundreds of servers and it is impossible to ensure that none of them have anyone logged into them when patches are set to install.  Many of these provide services that can't randomly reboot during the day when they are being used, referring to the technician's response below: "If a user is signed in to the computer and there is a potential of loss of state or data when Windows is ready to restart, the restart will be delayed to the next time the user unlocks the computer."

    I responded that this was not good and a horrible problem that many people will encounter.  The Microsoft technician's answer was "At this time the reboot behavior for Windows 8 & Windows Server 2012 does in fact have to be controlled solely via setting deadlines on the approved updates."  I followed up again trying to find out why this has changed and what the future plans are to fix this.  And then finally this was the last response I got: "At this time I do not have any information that I can share as to why this was changed or the future plans."

    So we have been left high and dry on this issue.  I plan to continue pursuing the issue to see if I can get someone to listen.

    • Marked as answer by WSUAL2 Tuesday, February 26, 2013 3:00 PM
    Thursday, February 21, 2013 2:05 PM
  • Thanks for the response. 

    As you mentioned in the response, if you set the time for automatic installation in Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler->Maintenance Activation Boundary, as far as I understand we can control the time for update installation, but the reboot of the server is still a big question mark, because if anyone is logged in to the system, then it won't reboot automatically. 

    Also I have noticed one more thing: in 2008 R2 and previous versions, if you disable "No auto-restart with logged on users for scheduled automatic updates installations" in the GPO settings, then the servers will just reboot irrespective of whether users are logged in or not.  But in 2012 it's not happening the same way; after the installation it says the server will reboot within 2 days if you don't restart it now. 

    From your initial thread, I understood that even after 14 days, your system didn't reboot. But in my case the system is rebooting after 2 days if no one is logged in to the server at that time. If anyone is logged in then it won't reboot, and if that person unlocks the server on the 3rd day, he will be notified that the system will reboot within 15 minutes, please save all your work, and the worst part is you don't have any option to snooze or postpone the reboot. 

    Now I am thinking how to control the reboot or reboot in a specific time after the update installation. 

    Please share your thoughts/ideas with me if you have anything.

    • Marked as answer by WSUAL2 Tuesday, February 26, 2013 3:00 PM
    Friday, February 22, 2013 9:07 AM
  • The only option that Microsoft support gave me was to set deadlines on the updates, which I consider not acceptable.  I am pursuing the issue further with Microsoft and requesting that the group policy setting be returned to Server 2012 and Windows 8.  This group policy change was an undocumented, deprecated feature that needs to be returned.  I will post what happens when I hear back from my business impact statement that I submitted to my Microsoft Technical Account Manager upon his request.

    Monday, February 25, 2013 2:35 PM
  • Here's the latest update from my Microsoft Support case.  The automatic reboot behavior for Windows 8/Server 2012 will be changed on the next Windows update scheduled in April.  The GDR will enable the use of a new registry key.  When the key is enabled, the machine will still notify users for 3 days using the login screen before rebooting but at the end of those 3 days, a 15 minute countdown will fire regardless if a user has logged on or not, at the time you specified in GP for the machines to reboot.
    • Marked as answer by WSUAL2 Monday, April 08, 2013 1:29 PM
    Thursday, April 04, 2013 7:22 PM
  • This is great news! But why the 3 day delay? Microsoft's new way to handle updates in Windows 8/Server 2012, controlled by WSUS, makes no sense to me at all.

    KentAs

    Friday, April 05, 2013 5:37 AM
  • We have also opened a case with Microsoft after our new 2012 production servers rebooted overnight. As far as I am concerned, this is absolute nonsense and an unacceptable mistake in Microsoft's software development procedures. I hope they come out with a fix in a matter of days.
    • Marked as answer by WSUAL2 Monday, April 08, 2013 1:30 PM
    • Unmarked as answer by WSUAL2 Monday, April 08, 2013 1:30 PM
    Friday, April 05, 2013 9:38 PM
  • I would have preferred that Microsoft returned to Group Policy the option to force a reboot at the time updates were set to install when users were logged on too; however, the three day delay was the best I could get.  What I find interesting is that when using Group Policy on previous versions of Windows, you used to have a choice to force the reboot with users logged in or not.  So specifically why the option was removed I do not know.  The explanation that I got for the change was that the functionality was changed due to customer feedback, though there was also an internal business decision for that change.  Here's an additional link about the change: http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx 
    Monday, April 08, 2013 1:43 PM
  • The fix for this was rolled out to the world on 4/9/13.  It is included as a part of this cumulative update: http://support.microsoft.com/kb/2822241

    The KB specific to this new behavior can be found here: http://support.microsoft.com/kb/2835627

    • Marked as answer by WSUAL2 Thursday, April 11, 2013 4:58 PM
    Thursday, April 11, 2013 4:52 PM
  • The fix for this was rolled out to the world on 4/9/13.  It is included as a part of this cumulative update: http://support.microsoft.com/kb/2822241

    The KB specific to this new behavior can be found here: http://support.microsoft.com/kb/2835627

    If I understand this correctly (which I might not), this means the machine won't restart until the 3 days are up? So if we've scheduled updates for Saturday at 23h the machine will restart at Tuesday 23h?
    Monday, April 15, 2013 12:08 PM
  • It may restart (depending on circumstances). The update (if enabled) just ensures that it will restart once the three days are up. 

    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/

    Monday, April 15, 2013 12:20 PM
  • If there isn't anyone logged on when the updates are scheduled to install, the computer will reboot at the scheduled time.  If there are users logged on it, it will force a reboot 3 days later at the scheduled reboot time.
    Monday, April 15, 2013 12:49 PM
  • Is that time according to your GPO or the scheduled Automatic Maintenance?  I have this issue as well, but the servers ALSO ignore the set time in the GPO to install updates/reboot and run according to their Automatic Maintenance schedule which, as far as I can tell, can't be controlled from non-Server 2012 GPOs.
    Wednesday, May 01, 2013 2:40 PM
  • In my GPO I have the time set in two places. 

    For 2008 R2 and earlier: Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Updates/Configure Automatic Updates/Scheduled install time

    For 2012: Computer Configuration/Policies/Administrative Templates/Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary

    With it set in both places all the servers install updates at the time I want.

    Wednesday, May 01, 2013 3:07 PM
  • Maybe I'm not understanding it clearly, but with 2012, it still looks as if Automatic Maintenance must run every day and you can only specify the time.  I don't have the option of managing GPOs on a 2012 server.  Is there still no way to force 2012 servers to check for updates once a week?

    Thanks.

    • Edited by NickNSP Wednesday, May 01, 2013 5:37 PM
    Wednesday, May 01, 2013 5:07 PM
  • Automatic Maintenance in 2012 is set to run every day by design and the only designated option is to set the time of day to run it.  We control when patches are released to our servers with our WSUS server, so unless I release patches, nothing will install during Automatic Maintenance.  The only variation to this for us is that we use System Center Endpoint Protection, which gets its definition updates from WSUS, and we have those set to auto-approve in WSUS so they install automatically when new ones are available. 

    It would appear that if you set the "Regular Maintenance" task to run once a week they should only install once a week, otherwise there is no documented procedure that I am aware of.

    Wednesday, May 01, 2013 6:38 PM
  • Typically I approve updates via my WSUS server on Thursdays before a patching weekend where most of the reboots are staggered between 12 - 6 AM Sunday.  Unless I approve updates the day before, it seems I'll have to live with the issue for now.  I hope making the tweaks to Regular Maintenance works so the server will only check once a week.

    Thanks again.

    Wednesday, May 01, 2013 6:58 PM
  • Just so I'm clear: this registry "fix" is Not

    "install updates and reboot at the specific time I choose in Group Policy, just like it's been in every previous version of Windows."

    It's

    "install updates and reboot Three.Days. after the time I specify, whether or not a user is logged on."

    So if I approve Patch Tuesday updates for my DEV environment on Patch Tuesday, the soonest my DEV 2012 servers will automatically install them and reboot is that Friday?

    Monday, May 20, 2013 3:03 PM
  • If no one is logged into the server the patches will install and reboot on Tuesday.

    If someone is logged into the server the patches will install on Tuesday and then reboot on Friday.

    Monday, May 20, 2013 3:18 PM
  • And if I want the server to install and reboot on Tuesday night even if a user is logged in, I'm just out of luck?
    Sunday, June 02, 2013 2:21 AM
  • Yep, unfortunately so. 
    Monday, June 03, 2013 1:42 PM
  • Hi,

    Thanks to WSUAL2 for raising this issue and to everyone else for their questions and comments. The feedback has been shared with the Windows product team and they are investigating options for improving the behavior. In the meantime, we have written some content to help explain the issue and the current options for configuring restart behavior. This appears in the section titled "Automatic Maintenance and changes to restart behavior after updates are applied by Windows Update" at http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_WhatsNewEight. I expect this issue to also be covered in some more discoverable locations in the TechNet Library and in the Microsoft Knowledge Base soon.  

    Thanks,

    Justin [MSFT]

    Thursday, June 06, 2013 11:29 PM
  • @Justin Hall MSFT

    The article you link has some good information and it seems that using WSUS deadlines is the current workaround, but it's a real pain for us.  We can't set deadlines because we have many groups of servers that are set to different install/reboot times on different days controlled by GPO, but they are all in the same group in WSUS.  I suppose we could replicate all the different policies and use GPO to put computers into the groups, but that's a ton of administrative overhead, not to mention that when approving all the updates we have to make sure we set the appropriate WSUS deadline differently for every group.

    This is a terrible new feature.  One more registry key value for that recent hotfix would solve this: a value of '2' could, for example, mean no delay and reboot immediately when done installing updates.

    Friday, June 14, 2013 5:58 PM
  • I agree!  An additional registry key to allow the option to force a reboot when done installing updates would be great.  WSUS deadlines just aren't a practical option for us either.

    Monday, June 17, 2013 3:48 PM
  • My vote is for a new DWORD called:

    "AllowAdministratorsToControlTheirOwnEnvironmentsAgainSorryAboutThatGuys"

    Monday, June 17, 2013 4:22 PM
  • One could also schedule a (forced) remote restart task through PowerShell running on the head server:

    $Servers = Get-ADComputer -Filter {OperatingSystemVersion -ge "6.2"} | ForEach-Object {$_.Name}
    Restart-Computer $Servers -Force
    Monday, August 19, 2013 9:44 PM
  • That might work for some, but it's not a practical solution for us because that script is not aware of the update status of the computer.  What if the update is running long and you reboot in the middle of the update process?  Sure, you could space it out, run updates at, say, 1AM and reboot at 5AM, but then your update window is huge and the system is in a possibly inconsistent state all that time after the update but before the reboot.  Having the update agent on the target machine manage its own updates is a far better solution.

    We're using deadlines, begrudgingly.  It's been a lot of work to set up and WSUS certainly doesn't make it easy in the GUI since for every batch of approvals you have to set the deadlines again (ugh), but it's better than nothing.

    Tuesday, August 20, 2013 12:27 AM
  • We set the WSUS policy to download and manual install. Then we have a GPO that creates a scheduled task on every Windows 2012 server which runs a script that installs the downloaded patches and reboots the server if needed.

    Tuesday, August 20, 2013 6:38 AM
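    An added example of the kind of script that post describes (written for this page, not the poster's own script and not the one linked later in the thread): it installs only the updates the agent has already downloaded, records the per-update result, and restarts only when an installed update actually requires it, which addresses the "reboot in the middle of an update" concern raised above. It is meant to run from a scheduled task as SYSTEM inside the maintenance window; the log path is an assumption.

```powershell
# Added example (not from the thread): install already-downloaded updates via the
# Windows Update Agent COM API and restart only if one of them requires it.
param([switch]$NoRestart)   # -NoRestart for a dry run that installs but never reboots

$log = Join-Path $env:SystemRoot 'Temp\wu-install.log'   # assumed location
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Tee-Object -FilePath $log -Append }

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Everything applicable and not yet installed; downloaded state is filtered below
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    # With the policy "download, manual install", only downloaded updates are ours to install
    if (-not $u.IsDownloaded) { Write-Log "Skipping (not downloaded): $($u.Title)"; continue }
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$toInstall.Add($u)
    Write-Log "Queued: $($u.Title)"
}

if ($toInstall.Count -eq 0) { Write-Log 'Nothing to install'; exit 0 }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$installResult = $installer.Install()

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
Write-Log "Overall result code $($installResult.ResultCode); reboot required: $($installResult.RebootRequired)"
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    $code = $installResult.GetUpdateResult($i).ResultCode
    Write-Log ("{0} -> result code {1}" -f $toInstall.Item($i).Title, $code)
}

# Restart only when the agent says an installed update needs it, so the box is
# never rebooted half-way through an installation.
if ($installResult.RebootRequired -and -not $NoRestart) {
    Write-Log 'Restarting to complete installation'
    Restart-Computer -Force
} elseif ($installResult.RebootRequired) {
    Write-Log 'Reboot required but -NoRestart was given'
}
```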
  • Can you share the script you use to install the downloaded patches and reboot?
    Tuesday, August 20, 2013 5:31 PM
  • is this addressed at all in R2?

    Wednesday, August 21, 2013 2:31 PM
  • is this addressed at all in R2?

    I have been looking for information about that but can't find any information about it. Microsoft Support say that they are working on a solution to fix the problem for 2012 R2 and then later in 2012.

    My colleague will post the script that we use to patch the servers

    Wednesday, August 21, 2013 2:38 PM
  • I've posted the script here: 
    Install Windows Updates using a PowerShell Script

    Use it at your own risk, and suggestions for improvement are always welcome! 

    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/

    • Edited by A.Hultgren Thursday, August 22, 2013 2:23 PM Made the link work
    Thursday, August 22, 2013 2:22 PM
  • Microsoft has finally released an update to fix this issue.  Windows 8.1 and 2012 R2 will work this way as well.  The update isn't in WSUS yet, but they say it will be soon.

    http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx

    EDIT: The October update rollup that contains the above hotfix is in the Windows Catalog, so it can be imported into WSUS.  http://catalog.update.microsoft.com/v7/site/Search.aspx?q=2883201
    Wednesday, October 09, 2013 4:05 PM
  • I think I came up with a semi-unique solution,

    For 2012 servers I'm configuring the updates to download and install automatically every Saturday at 12:00am, BUT I'm configuring "No auto-restart with logged on users for scheduled automatic updates installations" to "Enabled" (we always have users logged into these servers, so this will prevent an auto-restart during business hours, our current issue with 2012 servers).

    Then I configured a scheduled task to reboot the server at 3:00am every Saturday (to ensure sufficient time for the updates to install). 

    (I also disabled Automatic Maintenance from Action Center)

    So my thought is: Windows Updates will only install at 12:00am on Saturday, the server will reboot every Saturday at 3:00am and allow the updates to finish, and it should no longer reboot whenever it feels like it.

    Thoughts?

    • Edited by JoeFri Tuesday, July 12, 2016 2:52 PM
    Tuesday, July 12, 2016 2:51 PM
  • How many of your servers *need* people logged in to them in the middle of the night? We disconnect idle rdp sessions after three hours on all our servers, except under very special circumstances. Makes it much easier to avoid the "I won't reboot after updates if somebody's logged on" issue. There are also other reasons to not let rdp sessions live forever. 
    Tuesday, July 12, 2016 3:12 PM
  • That's not a necessity for us, just a way to prevent the server from randomly rebooting during production hours.  I'm testing the newer GPO "Always automatically restart at the scheduled time" to see if this remedies our issue before I move forward with the plan I mentioned above (our Exchange server (2012) decided to reboot at 8:27am this morning because it had Windows updates that required a reboot, even though it's set to install updates Saturday at 12:00am and reboot immediately if required).

    Here's the best article I found explaining 2012 updates:

    https://vnetwise.wordpress.com/2014/03/20/howto-dealing-with-windows-2012-and-2012-r2-windows-update-behavior-and-the-3-day-delay/

    Tuesday, July 12, 2016 3:45 PM
  • "Always automatically restart at the scheduled time" is the correct way to do this. It forces a reboot 15 minutes (unless you specify a higher value) after the updates have been installed. 

    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/

    Wednesday, July 13, 2016 8:06 PM