Поделиться через


Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

On computers running the RTM release of Windows 8 and Windows Server 2012, Windows Update no longer defined when to install updates. Instead, Automatic Maintenance is used for that purpose, minimizing activity during active computer use. Windows Update on Windows 8 and Windows Server 2012 computers also has new restart logic that defaults to forcing a restart 3 days after the installation of updates instead of 15 minutes. To avoid unintended data loss, forced restarts also no longer occur if a user is not actively using the machine, able to see the restart notice, and save their work.

While these changes have proven to be beneficial to many end users, the lack of discrete control over Windows Update installations and system restarts disrupted some management scenarios. This update returns the ability to discretely control when Windows Update installs updates, and adds the capability to force a restart soon after those installations regardless of whether there might be an active user session.

Microsoft has updated the documentation to more fully explain how you can use these new group policy settings. This documentation is available here: https://support.microsoft.com/kb/2885694

KB2885694, included in update rollup KB2883201, is available today (October 8th, 2013) on Windows Update and the Microsoft Update Catalog, and will be available soon on WSUS. We believe that this update will result in significantly improved uptime, reliability, and manageability; we hope you’ll agree.

In order for the below changes to take effect, this update must be installed on all client computers receiving the desired configuration. It should also be installed on the computers configuring the policy to expose the new and updated group policies.

Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren’t any additional updates you need to install.

Thank you for sharing your feedback with Microsoft!

The Windows Update and WSUS teams

 

Changes introduced by this update

KB 2885694 introduces two main changes that define how Windows Update on Windows 8 and Windows Server 2012 computers can be configured using group policy. All policies mentioned are located at this path:

Computer Configuration / Administrative Templates / Windows Components / Windows Update

When enabled with a value of 4…

The Configure Automatic Updates group policy works identically to the Windows 7 / Windows Server 2008 R2 and earlier behavior.

On Windows 8 and Windows Server 2012 without KB 2885694 installed, that policy could configure the main automatic updating setting, but configuring the scheduled install day and time had no effect. After installing KB 2885694, the policy will enable you to configure machines to:

  • Install updates during automatic maintenance, the default behavior, or
  • Install updates at the scheduled day and time defined in the policy

A new group policy called Always automatically restart at the scheduled time enables restarts soon after updates are installed, instead of 3 days later

By default in Windows 8 and Windows Server 2012, if the installation of important updates requires a system restart, one will be forced 3 days after their installation. The restart timer begins counting down only when a user is able to see it, helping prevent unintentional data loss in the middle of the night. More details about this default behavior are discussed in this blog post.

If you would instead like to force restarts following update installation, similar to Windows 7 / Windows Server 2008 R2 and earlier, you can enable the new “Always automatically restart…” policy. When the policy is enabled, a restart timer will always begin immediately after Windows Update installs important updates, instead of multiple days later.

The restart timer cannot be postponed once started, but the policy lets you configure the countdown timer to any value between 15 and 180 minutes. When the timer runs out, the restart will proceed even if the machine has signed-in users.

Note: If the group policy No auto-restart with logged on users for scheduled automatic updates installations is enabled, then the new “Always automatically restart…” policy has no effect.

Note: In Windows 8 and Windows Server 2012, the Delay Restart for scheduled installations continues to have no effect.

 

Example configurations

Scenario

Recommended configuration

Force updates and restarts at a specific time. For example:

  • Install updates on Friday nights at 11PM
  • Force a restart soon after installation

Use the Configure Automatic Updates policy:

  • Enable the policy
  • Use option #4 – Auto download and schedule the install
  • Deselect “Install during automatic maintenance”
  • Set “6 – Every Friday” for the scheduled install day
  • Set “23:00” for the scheduled install time

 Use the Always automatically restart at the scheduled time policy:

  • Enable the policy
  • Configure the timer to the desired value (default is 15 minutes)

Stagger installs and restarts across different hours and days on different machines.

Start with the same configuration as the above scenario.

Set different scheduled install days and times for different groups which you don’t want rebooting at the same time.

Force updates at a specific day and time, but preserve the default Windows 8 restart behavior

Start with the same configuration as the above scenarios, but do not enable the Always automatically restart at the scheduled time policy.

 

This post was written by Jordan Cohen on behalf of the Windows Update team.

Comments

  • Anonymous
    January 01, 2003
    Yes, I've updated the post accordingly. Thank you for pointing out the typo!

  • Anonymous
    January 01, 2003
    Thank you so much! This has been a real pain point for controlling the patching of critical systems! Good work!

  • Anonymous
    January 01, 2003
    Similar problems here with Server 2012 R2 Essentials, I set up the "configure automatic updates" policy and nothing happens. Updates are pending but they don't get installed. It's a waste of time.
    Before wasting my time with the group policy I had the default "automatic maintenance" but it did whatever it wants whenever it wants - I had set automatic maintenance to 5 o'clock on the server, then around 8:45 (!) when users were already connected to the server it suddenly restarted because updates got installed at that time. It's russian roulette. There must be some idiots programming Windows 8.x. I have never been that disappointed with any Windows version before. Incredible how many annoying bugs there are and how they never get fixed, or reappear...
    Any open source is better supported, documented and more predictable than this stupid product we pay so much for...

  • Anonymous
    January 01, 2003
    From looking at the new windowsupdate.admx, I suppose that the one option that is really new is the "AutomaticMaintenanceEnabled" value under HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU, setting which to 0 should restore the traditional scheduled install behavior of the Windows Update service? And the "Always automatically restart at the scheduled time" policy was apparently added earlier — it is documented in KB2835627 and included in the KB2822241 update rollup (April 2013), but the ability to change the 15 minute timeout before reboot is not mentioned in those articles.

  • Anonymous
    January 01, 2003
    Nice to see that some semblance of sanity has been returned in that existing Group Policy is no longer ignored, but I'd still like a way to completely disable that automatic restart counter. Even if you think some server admins need hand-holding with automatic restarts, some of us know what we're doing and don't like control being taken away.

  • Anonymous
    January 01, 2003
    There's no question this patch fixes reboot behavior on Win 8 / 2012, but despite it supposedly being included in 8.1 / 2012R2, we're not getting the expected behavior. Updates will install, but the servers will not auto-reboot after installation. In other words we're seeing behavior on 2012R2 that matches what 2012 did PRE-patch. Thoughts?

  • Anonymous
    January 01, 2003
    I've managed to set a GPO to install updates via my WSUS server, AND with a day of week and time (Saturdays at 5am), AND find out how to set the new "Always automatically restart at the scheduled time" GPO option while still only having a 2008-R2 domain controller.However, one last hurdle... is there a setting to force installation of updates if you've left and admin user logged in (with a disconnected RDP session)?From my testing it appears Server 2012 and Server 2012-R2 only install updates on the scheduled day and time if no users are logged in. I'd like to override that setting in case one of the techs forgets and just disconnects.Thanks -Tim

  • Anonymous
    October 08, 2013
    Did you mean "these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2"?

  • Anonymous
    October 08, 2013
    The comment has been removed

  • Anonymous
    October 09, 2013
    I'm still beside myself that someone in Redmond thought it was a good idea in the first place to take away control over the update deployment process and to have SERVERS with 15 minute, unstoppable reboot countdowns that are prompted by a login. Microsoft is really getting out of touch, taking a "we know what's best for you" attitude with Windows 8 and Server 2012.  The many good features of these operating systems our overshadowed by the mind boggling self-inflicted issues created by Microsoft. We appreciate these fixes, but it should have been that way in the first place.

  • Anonymous
    October 17, 2013
    The comment has been removed

  • Anonymous
    October 17, 2013
    Good thing I use ConfigMgr. So much more control, maintence windows? We've had those for years!

  • Anonymous
    October 25, 2013
    What about if your DC is a 2008 server?  You have to upgrade the DC just so you can use this roll up?

  • Anonymous
    October 28, 2013
    @Steve, we are using config man as well but recently had 5 of our HyperV 2012 boxes reboot automatically...these boxes don't have a maintenance window set in SCCM since we manually reboot... they all decided to go down as they felt necessary during the middle of the workday

  • Anonymous
    October 28, 2013
    | and will be available soon on WSUS How soon is soon?

  • Anonymous
    October 30, 2013
    Who knows where to find updated ADMX files for GPO in domain?

  • Anonymous
    November 04, 2013
    @Phil - the fix is available as part the cumulative rollup KB 2883201 which is on the windows catalog now.

  • Anonymous
    November 05, 2013
    This is great news - I've had 2012 servers sitting here for months not getting updates because I couldn't control restarts.  Thank you Microsoft.

  • Anonymous
    November 09, 2013
    Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO.

  • Anonymous
    November 11, 2013
    -> Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO. <- I'm also in the same boat. How do we put the new admin template in place on a 2008R2 domain?

  • Anonymous
    November 12, 2013
    The comment has been removed

  • Anonymous
    November 13, 2013
    I just found the newer files here: C:WindowsPolicyDefinitionsWindows.admx C:WindowsPolicyDefinitionsen-USWindowsUpdate.adml I have copied them to: C:WindowsSYSVOLsysvolmydomain.localPoliciesPolicyDefinitions C:WindowsSYSVOLsysvolmydomain.localPoliciesPolicyDefinitionsen-US I ran a gpupdate /force (not sure if it was needed) and I now see the 'Always automatically restart at the scheduled time' in my domain GPOs

  • Anonymous
    November 13, 2013
    This was on my Windows Server 2012 DC after I had installed KB2883201

  • Anonymous
    November 18, 2013
    Would this update apply to SBS2003? In fact the rollup (KB2883201) which contains this update is only available for Windows 8/Server 2012 based systems.

  • Anonymous
    November 22, 2013
    OK, I got the two files from a 2012 R2 member server. I created the following folders: C:WindowsSYSVOLsysvolmydomain.orgPoliciesPolicyDefinitions and C:WindowsSYSVOLsysvolmydomain.orgPoliciesPolicyDefinitionsen-US I put the following both files (Windows.admx and WindowsUpdate.adml) in both directories on our Windows 2008 R2 DC's and forced replication. Now I get the following error when I try to edit GPO's: Encountered an error while parsing An appropriate resource file could not be found for the file \mydomain.orgSysvolmydomain.orgPolicesPolicyDefin...Windows.admx (error = 2): The system cannot find the file specified. Where is the correct place to put these two files?

  • Anonymous
    December 03, 2013
    I had the same issue when I copied the Windows.admx and WindowsUpdate.adml to the locations Paul mentions. So instead I did the following:- Copy WindowsUpdate.admx from C:WindowsPolicyDefinitions to &lt;domain name>sysvol<domain name>PoliciesPolicyDefinitions then I copied WindowsUpdate.adml from C:WindowsPolicyDefinitionsen-US to &lt;domain name>sysvol<domain name>PoliciesPolicyDefinitionsen-us

  • Anonymous
    December 06, 2013
    Thanks DaveB, that worked.

  • Anonymous
    March 19, 2014
    Hi, I am seeing the same issue on 2012 R2 - are you sure this has been fixed in 2012 r2? I still get "Restart to finish updating your PC - Save your work, restart your PC now to finish installing important udpates. If you choose later, your pc will automatically restart in 1 day" - this is obviously not acceptable for a production file server!!!!! FAIL FAIL MICROSOFT!

  • Anonymous
    March 25, 2014
    Currently, Windows 8 and Windows Server 2012 RTM computers check for updates from Windows Update or Windows

  • Anonymous
    April 16, 2014
    The comment has been removed

  • Anonymous
    April 17, 2014
    I faced the same problem and I got solution from: http://www.microsoftsupportchat.com/blog/post/windows-update-problems/

  • Anonymous
    May 14, 2014
    is this update required for 2012 R2? I can't get a reliable automatic update. Seems completely random - I set it for 1AM and it happens whenever it feels like it days later. Why would MS do this?

  • Anonymous
    May 18, 2014
    I have a number of 2012 R2 servers - still has eratic updates even though it says "Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren't any additional updates you need to install." 2003, 2003R2, 2008, 2008R2 all updates working fine.

  • Anonymous
    June 20, 2014
    So what happened to option 5 in the group policy, "Allow local administrators to select..."? See:

    http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx

    I no longer have the ability to set the day and time on each server; this worked in 2008 and 2008R2. I do have KB2883201 installed on my Windows Server 2012 servers.

  • Anonymous
    June 25, 2014
    unfortunally Win8.x Systems seems not to obey the deadline you can set in WSUS.
    So if you set the Deadline to e.g 4 weeks in future, above Settings seems only make you able to force users to reboot on weekly shedule, and if you do not set the weekly forced reboot mentioned above the W8.x sys will not be forced to reboot when Deadline set by wsus is reached.
    If you want to give users some weeks time to install+reboot but want to force after a specific Deadline is reached, like it worked with XP and W7 it seems you cannot do this with W8.x anymore. This is very annoying if you have some users which never want to reboot.

  • Anonymous
    June 25, 2014
    The comment has been removed

  • Anonymous
    August 13, 2014
    it's like the WinME staff was all promoted and running the show at MS...I used to wait for SP1....now I want nothing to do with their new products 'caus I am not sure what stupid changes will be made.....ooops I mean what new features will be available

  • Anonymous
    September 01, 2014
    *** YOU MICROSOFT!!

  • Anonymous
    October 28, 2014
    On a WORKGROUP 2012 R2 Server I tried manually setting this via the registry (no GPO), it failed.
    I then configured the local group policy settings (resulting in the same REG keys!), and it worked.
    So it seems that settings configured in the registry alone won't work.

  • Anonymous
    October 29, 2014
    Ignore my notes above, REG settings do work by themselves - WSUS does not work well when playing with the system time.

  • Anonymous
    November 25, 2014
    Do we have fix for this ?

  • Anonymous
    December 08, 2014
    The quick fix is as follows.

    NET STOP WUAUSERV
    SHUTDOWN -A

    Then disable "windows updates" in services.msc or via SC.

    Turn it on and manually update when you need to, or configure a script to run as a scheduled task to turn windows update on after hours and off during production hours.

    Absolutely disappointing Microsoft would take a political stance on software updates that is so out of touch with windows server admins or basic business operations. I love telling my boss the following:

    "The server patched itself mid-day without telling me then failed to come back up because the patches botched the machine. I configured the server not to do this through group policy, that did not work. Checking around with other admins, there's no way to configure it to not do this and Microsoft does not document this behavior in any of their material so I can't prove it out as an issue to you."

    In some environments that is a resume' generating event, in others, the admins work free overtime to deal with this. Either way, nobody is happy.

    There's a lot of "nudging" going on lately from Microsoft caused by the "we can grow and keep growing forever" mentality is killing the company and really needs to stop. We're seeing more Graphics and Systems API's being integrated into Linux, and now Linux Containers are becoming popular. Software development in MS's platforms is slowing down and on foreign platforms is picking up. Hopefully the next version of windows server will be built to our traditional expectations and we will get a proper "This is windows server, it's awesome, all our legacy stuff, run it on a VM over [here] and remoteapp it, and be done with it" method.

  • Anonymous
    December 15, 2014
    You cannot abort the reboot with shutdown /a, but you can stop the windows update service to abort the reboot. It saved my skin yesterday as ik saw a pending reboot within a minute on 1 of our hyper-v servers.

    I agree with most opinions that this fix is great, but shouldn't be needed in the first place.

  • Anonymous
    June 05, 2015
    I also ran into the problem of Windows Server 2012 R2 not restarting after installing updates. "Always automatically restart at the scheduled time" is enabled on our systems. What I found was that the setting only works if there are no logged in users. If an administrator leaves a disconnected RDP session active, the server will not reboot. What's worse is that if the administrator later reconnects to the session and logs off, the server will reboot soon after that. I once accidentally rebooted a production file server during business hours because of this.

    This is a really bad design. Who thought implementing client update semantics on servers was a good idea?

    The work around I implemented is as follows. All of our Server 2012 systems now run a scheduled task each night. The task is a custom EXE. What it does is check for the existence of "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateRebootRequired" This key only exists if a reboot is required to complete the installation of updates. If the key exists, the EXE calls InitiateSystemShutdownEx. If not, it exists without doing anything.

  • Anonymous
    August 13, 2015
    The comment has been removed

  • Anonymous
    September 07, 2015
    Hi - this had been driving me mad. You do need a GPUDATE /FORCE or a reboot of the DC's in order to get these policy changes (once you have installed the new GPO's).

  • Anonymous
    September 11, 2015
    The comment has been removed

  • Anonymous
    September 22, 2015
    The comment has been removed

  • Anonymous
    December 10, 2015
    Thank you!
    I've set exactly WSUS and GPO like you said.
    I've got servers that reboot in production ... It's awful for us!

  • Anonymous
    January 13, 2016
    Can we have a little bit more Professional Help from MS , after 2 Years that artikel has been released it is still a Problem on Produktion Server even with the w2012 R2 Version , why can we not have the mechanism like it worked on the 2008R2 ... Consider that it a real Pain in the A%& and that Problem excedes the 5Mio Dollar Busniss Impact Hurdle to Fix Bugs by FAR ....

  • Anonymous
    January 14, 2016
    Is it correct that the option to install updates at shutdown is not available since Windows 8 anymore? I have skipped Windows 8 and am testing with Windows 10 Pro now. I have set the WSUS GPO to Download and Notify. Windows 10 1511 actually informs me about new updates and doesn't install them automatically. However, with this setting I need to select and install the updates manually and they are not offered for Installation during shutdown anymore (which works great in Windows 7).

  • Anonymous
    February 01, 2016
    Hi All,

    Ive read the above and quite a few other forums on this subject but Im still experiencing the same issue, I have a Windows Server 2012 R2 server that won`t restart during the maintenance schedule, I receive a message saying that the server will restart in 1 day but I want it to install ASAP.

    I know the GPO is working as the same policy installs, downloads and restarts a Windows 2008 R2 Server.

    Could someone please advise?

    Thanks in Advance,
    Scott

  • Anonymous
    February 01, 2016
    *Restart ASAP not install :)

  • Anonymous
    March 03, 2016
    It looks like the restart problem may be fixed by KB3138615 (released Feb 2016). It lists the fix item "Windows Update would sometimes not restart the computer as expected when the “Always automatically restart at the scheduled time” policy was set.".

    • Anonymous
      May 05, 2016
      It appears KB3138615 has not fixed the problem as I thought. We had half a dozen 2012 R2 systems not reboot last patch cycle because disconnected RDP sessions were present.
      • Anonymous
        July 17, 2017
        I tested this again on both Windows Server 2012 R2 and Windows Server 2016 and both restarted, as desired, after updates were installed even though there was a disconnected RDP session active. So, it looks like the bug has been fixed by one of the cumulative updates. Thanks for resolving this.
  • Anonymous
    September 19, 2016
    The comment has been removed

  • Anonymous
    April 19, 2017
    My pc is running windows 8 OS. Even though I got Microsoft update messages and downloaded both important and optional updates for months it has not worked. Seems like fake. The Microsoft store doesn't open despite the fact that I have an account. I exhausted all available options from Microsoft support and gave up any hope.

  • Anonymous
    August 01, 2017
    The comment has been removed

    • Anonymous
      August 01, 2017
      I can't tell you exactly why the server did not reboot after installing the patches, but I agree that this would have been preferable. Does this happen every month? If so, then it might be worth filing a bug so that we can investigate what sounds like errant behavior.
    • Anonymous
      August 04, 2017
      I have had this happen to me in the past with Server 2012 R2. My repro steps are:- An administrator logs on to the server and notices the Windows Update icon in the notification area.- The administrator opens Windows Update and manually installs the updates declining the request to reboot with the intention to have t he server rebooted off hours.- Administrator logs off the server and it reboots immediately. or- An administrator logs on to the server and installs a hotfix declining the request to reboot.- Administrator logs off the server and it reboots immediately.Now, if our admins log in to a server to install updates or a hotfix, they disconnect from the RDP session instead of logging off. T his prevents Windows from thinking "Oh, no one is logged in. This is a good time to reboot this production server."