Managing Updates with Deadlines in an era of Automatic Maintenance

Until Windows 8, Windows Update managed its own internal scheduling for checking for, downloading, and installing updates. This required the Windows Update Agent to be running in the background at all times, consuming memory and other system resources. In an effort to increase battery life on portable devices, Windows 8 introduced a new feature called Automatic Maintenance, which runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more. This consolidation allows all of these components to use far fewer system resources, work consistently, respect the new Connected Standby state for new device types, and consume less battery on portable devices.


What this also means is that on Windows 8 and Windows Server 2012, the setting for when to download and install updates doesn't work in the same way. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective on Windows 8. Indeed, Automatic Maintenance runs once a day by default, and due to the consolidation of maintenance tasks there isn't a way to individually specify which maintenance tasks run on which days.


WSUS provides administrators with a way to control when patches get installed and PCs get rebooted. I'll explain one possible strategy for doing this:


Taking Control of Update Installation

What to do:

  • Using Group Policy, set your target machines to check for updates but do not automatically install them.
  • When you want to deploy an update at a particular time, set the deadline for when you want the machine to install updates and restart.
  • You can use groups in WSUS to set different approvals and different deadlines for different groups of machines.
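Step 1 is the Group Policy setting "Configure Automatic Updates" with an option that downloads (or only checks) but does not install. Steps 2 and 3 are done on the WSUS server; as an added example that is not from the original post, the script below approves every not-yet-approved, needed update for one target group with a deadline inside the next service window. It uses the WSUS .NET administration API rather than Approve-WsusUpdate because the Windows Server 2012 cmdlet has no deadline parameter. The server name, port, group name and the Saturday 02:00 window are assumed values.

```powershell
# Added example (not from the original post): approve outstanding updates for one
# WSUS target group with an installation deadline in the next service window.
# Run on the WSUS server so the deadline is built in the server's own time zone,
# which is the time zone the deadline is interpreted in.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$WsusServer = "wsus01"                      # assumed server name
$WsusPort   = 8530                          # assumed; 8531 when using SSL
$GroupName  = "Servers - Saturday window"   # assumed WSUS target group

# Deadline = next Saturday 02:00 local time (if today is Saturday, use next week)
$today     = (Get-Date).Date
$daysAhead = ([int][DayOfWeek]::Saturday - [int]$today.DayOfWeek + 7) % 7
if ($daysAhead -eq 0) { $daysAhead = 7 }
$Deadline  = $today.AddDays($daysAhead).AddHours(2)

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $WsusPort)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Target group '$GroupName' not found on $WsusServer" }

# Scope: updates not yet approved that at least one client still reports as not installed
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates             = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$scope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled

foreach ($update in $wsus.GetUpdates($scope)) {
    # Some updates cannot be approved until their EULA is accepted
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

    # Approve for Install on this group only, with the deadline attached
    $approval = $update.Approve(
        [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
        $group, $Deadline)

    "{0:yyyy-MM-dd HH:mm}  {1}  ->  {2}" -f $approval.Deadline, $group.Name, $update.Title
}
```

Machines in other target groups are untouched; run the script once per group with each group's own service window to stagger reboots.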


Here's how it works:

This works because, once a deadline is set, the Windows Update Agent (WUA) enforces it even outside the Automatic Maintenance window, and even when updates are configured not to install automatically. The computer is rebooted (if needed) at the end of the installation process.


Every day, the Windows Update agent contacts WSUS and downloads information about which updates are to be offered to that PC, along with the deadline for each update as specified by the administrator. If an update is overdue, Windows Update will force that update to be installed automatically, even though WUA is configured to NOT generally install every update automatically. Otherwise, the update is offered to the user for manual installation until the deadline is reached. When the deadline is reached or passed, the update is forcibly installed and the machine is rebooted after a 15-minute countdown. If no users are signed in, the machine is rebooted immediately.


If you are running a server and you want to make sure it doesn't reboot until a certain date, then this is the option for you. Your server won't install any updates automatically until one of the updates reaches its deadline; once the deadline passes, the server installs the update and reboots immediately, assuming no users are signed in. If users are signed in, the standard 15-minute countdown applies.


You can limit reboots to "service time" windows if you approve all updates with deadlines during your desired service windows. Machines that are powered off during the service window will be automatically updated when they are powered on once again.


Note: You need to make sure that all the updates you care about have deadlines assigned to them. If you neglect to assign a deadline, and you have configured Automatic Updates not to install updates automatically otherwise, you could be leaving your network in a less secure state, because those updates will only ever be installed if your users install them manually.
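A quick way to catch the situation described in the note is to audit the WSUS approvals themselves. The script below is an added example, not from the original post: it lists every Install approval that carries no deadline, grouped by target group. It assumes the server name and port, and that the WSUS API reports "no deadline" as DateTime.MaxValue.

```powershell
# Added example (not from the original post): report Install approvals that have
# no deadline, i.e. updates that will never be force-installed under the
# "download but do not install" policy. Run on the WSUS server.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$WsusServer = "wsus01"   # assumed server name
$WsusPort   = 8530       # assumed port
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $WsusPort)

# Only look at approvals for the latest revision of each update
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$NoDeadline = [DateTime]::MaxValue   # assumed: WSUS sentinel for "no deadline"

$missing = foreach ($approval in $wsus.GetUpdateApprovals($scope)) {
    # Decline / NotApproved actions never trigger an install, so skip them
    if ($approval.Action -ne [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install) { continue }
    if ($approval.Deadline -ne $NoDeadline) { continue }

    [pscustomobject]@{
        Group    = $approval.GetComputerTargetGroup().Name
        Update   = $approval.GetUpdate().Title
        Approved = $approval.CreationDate
    }
}

if (-not $missing) { "All Install approvals have a deadline." }
else { $missing | Sort-Object Group, Update | Format-Table -AutoSize }
```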


A note about time zones

In WSUS, when you set a deadline, it is interpreted in the time zone of the WSUS server, not the time zone of the target computer. Be sure to keep this in mind when setting your deadlines to avoid unexpected reboots. Remember, if a reboot is needed, it will occur no more than 15 minutes after the installation of the update completes.


Comments

  • Anonymous
    January 01, 2003
    We need a way to manage schedules for different computer groups - via GPO or WSUS, it doesn't matter. And schedule settings should be far more flexible than a time window. We need to set based on day, time, week and all possible fine tuning within the month. I would love to have dynamic things like - install updates on the second week of the month, or each 4th Friday or something like this.

  • Anonymous
    January 01, 2003
    Thank you for the feedback, I will talk with the WUA client team to see if there is something we can do to address this problem.

  • Anonymous
    January 01, 2003
    FYI social.technet.microsoft.com/.../handling-windows-updates-for-windows-server-2012-using-wsus-30-and-deadlines

  • Anonymous
    January 01, 2003
    We've run into a similar issue. I've added this blog to my feed list as I hadn't heard about this change until we had a handful of production servers reboot mid-afternoon. For what it's worth, we are NOT seeing this behavior when updates are managed by our SCCM server. We have recently upgraded to CM12 and are managing Windows Updates through there for about 30 2012 servers. These servers are part of a new migration path for us, which is why they are different from the ones that rebooted mid-day. Those servers were brought online before we had decided to use CM12 to manage updates, so they get updates from our regular on-site WSUS server. After reading the related links it sounds like a second option is also possible for those with the means. This would be an over-simplification but:

  1. Set up System Center Orchestrator (this is the ouch point here)
  2. Disable Auto-Updates for your servers (or OU)
  3. Create a runbook that does the following:
     a. Check for updates
     b. Download and install updates
     c. Reboot if required

    We've been exploring that solution quite a bit here as we have servers that need to reboot prior to other servers and to validate that required services are running before the next batch of updates happens. Also, shame on us for not reading the what's new in 2012 link and then complaining about it. technet.microsoft.com/.../hh994618.aspx
    Published: April 28, 2012 Updated: July 24, 2013 Applies To: Windows Server 2012
  3. Create a runbook that does the following    a. Check for updates    b. Download and install udpates    c. Reboot if required We've been exploring that solution quite a bit here as we have servers that need to reboot prior to other servers and to validate that required services are running before the next batch of updates happens. Also, shame on us for not reading the what's new in 2012 link and then complaining about it. technet.microsoft.com/.../hh994618.aspx Published: April 28, 2012 Updated: July 24, 2013 Applies To: Windows Server 2012