Managing Updates with Deadlines in an era of Automatic Maintenance

Until Windows 8, Windows Update managed its own internal scheduling for checking for, downloading, and installing updates. This required the Windows Update Agent to be running in the background at all times, consuming memory and other system resources. In an effort to increase battery life on portable devices, Windows 8 introduced a new feature called Automatic Maintenance, which runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary); checking, repairing, and optimizing the system component store; running anti-virus scans; installing updates; and more. This consolidation allows all these components to use far fewer system resources, work consistently, respect the new Connected Standby state for new device types, and consume less battery on portable devices.

What this also means is that on Windows 8 and Windows Server 2012, the setting for when to download and install updates doesn’t work in the same way. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective on Windows 8. Indeed, Automatic Maintenance runs once a day by default, and due to the consolidation of maintenance tasks there isn’t a way to individually specify which maintenance tasks run on which days.

WSUS provides administrators with a way to control when patches get installed and PCs get rebooted. I’ll explain one possible strategy for doing this:

Taking Control of Update Installation

What to do:

  • Using Group Policy, set your target machines to check for updates but do not automatically install them.
  • When you want to deploy an update at a particular time, set the deadline for when you want the machine to install updates and restart.
  • You can use groups in WSUS to set different approvals and different deadlines for different groups of machines.

Here’s how it works:

This works because, once a deadline is set, the Windows Update Agent (WUA) enforces it even outside the Automatic Maintenance window, and even if updates are configured not to install automatically. The computer is rebooted (if needed) at the end of the installation process.

Every day, the Windows Update Agent contacts WSUS and downloads information about which updates are to be offered to that PC, along with the deadline for each update as specified by the administrator. If an update is overdue, Windows Update forces that update to install automatically, even though WUA is configured not to install updates automatically in general. Otherwise, the update is offered to the user for manual installation until the deadline is reached. When the deadline is reached or passed, the update is forcibly installed and the machine is rebooted after a 15-minute countdown. If no users are signed in, the machine is rebooted immediately.
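To see this from the client's side, here is an added PowerShell example (not code from the original post). It reads the Automatic Updates policy a Windows 8 / Windows Server 2012 client received through Group Policy and then asks the Windows Update Agent, via its COM API, which updates are pending and what deadline each one carries. It assumes the client is already pointed at WSUS and is run from an elevated session; the function names are this example's own.

```powershell
# Added example, not code from the original post. Assumes the Automatic Updates policy
# arrives via Group Policy (the AU policy key below) and that the client already uses WSUS.

function Get-AutomaticUpdatesPolicy {
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $auPath)) {
        return [pscustomobject]@{ Configured = $false; AUOptions = $null
                                  Mode = 'No policy present; local defaults apply'
                                  MatchesDeadlineStrategy = $false }
    }
    $au = Get-ItemProperty -Path $auPath
    if ($au.NoAutoUpdate -eq 1) {
        return [pscustomobject]@{ Configured = $true; AUOptions = $null
                                  Mode = 'Automatic Updates disabled by policy'
                                  MatchesDeadlineStrategy = $false }
    }
    # AUOptions values of the "Configure Automatic Updates" policy:
    #   2 = notify before download          3 = auto download, notify before install
    #   4 = auto download, scheduled install 5 = local admin chooses
    $modes = @{ 2 = 'Notify for download and install'
                3 = 'Auto download, notify for install'
                4 = 'Auto download and schedule install'
                5 = 'Local admin chooses' }
    $opt = [int]$au.AUOptions
    $modeText = if ($modes.ContainsKey($opt)) { $modes[$opt] } else { "Unknown ($opt)" }
    [pscustomobject]@{
        Configured = $true
        AUOptions  = $opt
        Mode       = $modeText
        # The strategy in this post needs 2 or 3: nothing installs until a deadline forces it.
        MatchesDeadlineStrategy = ($opt -eq 2 -or $opt -eq 3)
    }
}

function Get-PendingUpdateDeadlines {
    # Ask the Windows Update Agent for updates that are offered but not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        # IUpdate.Deadline is empty when the WSUS approval carries no deadline; when set,
        # the agent reports it in this computer's local time zone.
        $deadline = $u.Deadline
        [pscustomobject]@{
            Title       = $u.Title
            KB          = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            HasDeadline = [bool]$deadline
            Deadline    = if ($deadline) { [datetime]$deadline } else { $null }
            Overdue     = [bool]($deadline -and ([datetime]$deadline -lt (Get-Date)))
        }
    }
}

# Usage: report the policy, warn if it does not match the check-but-don't-install strategy,
# then list pending updates with the earliest deadline first.
$policy = Get-AutomaticUpdatesPolicy
$policy | Format-List
if (-not $policy.MatchesDeadlineStrategy) {
    Write-Warning "AUOptions is $($policy.AUOptions); this post's strategy expects 2 or 3."
}
Get-PendingUpdateDeadlines | Sort-Object Deadline | Format-Table -AutoSize
```

Any pending update that shows HasDeadline = False will sit waiting for a user to install it; a row with Overdue = True is one WUA will force through on its next run, followed by the reboot countdown the post describes.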

If you are running a server and you want to make sure it doesn’t reboot until a certain date, then this is the option for you. Your server won’t install any updates automatically until one of the updates reaches its deadline, and then the server will be rebooted immediately upon passing of the deadline, assuming that no users are signed in. If there are users signed in, the standard 15-minute timeout applies.

You can limit reboots to “service time” windows if you approve all updates with deadlines during your desired service windows. Machines that are powered off during the service window will be automatically updated when they are powered on once again.

Note: Make sure that every update you care about has a deadline assigned. If you neglect to assign a deadline while Automatic Updates is configured not to install updates automatically, you could be leaving your network in a less secure state if your users don’t manually install those updates.
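The server-side half of the strategy (approve an update for a target group with a deadline that falls inside its service window) and the check the note above calls for (find install approvals that carry no deadline) can both be scripted against the WSUS administration API. The following is an added example, not code from the original post or from the WSUS product; it assumes the UpdateServices PowerShell module on the WSUS server, and the KB number, group name and date in the usage lines are placeholders to substitute.

```powershell
# Added example, not code from the original post. Assumes the UpdateServices module
# (present on a WSUS server) and that the WSUS API is reachable via Get-WsusServer.
Import-Module UpdateServices

function Approve-UpdateWithDeadline {
    param(
        [Parameter(Mandatory)] [string]$KbArticle,        # placeholder, e.g. '<KB number>'
        [Parameter(Mandatory)] [string]$TargetGroupName,  # the WSUS computer group
        [Parameter(Mandatory)] [datetime]$Deadline        # service-window time; each client
    )                                                     # applies it in its own time zone
    $wsus  = Get-WsusServer   # local server; add -Name/-PortNumber/-UseSsl for a remote one
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' not found" }

    # Only the live revision of the KB: skip declined and superseded entries.
    $updates = $wsus.SearchUpdates($KbArticle) |
        Where-Object { @($_.KnowledgebaseArticles) -contains $KbArticle -and
                       -not $_.IsDeclined -and -not $_.IsSuperseded }
    if (-not $updates) { throw "No approvable update found for KB$KbArticle" }

    foreach ($u in $updates) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        $approval = $u.Approve(
            [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
            $group, $Deadline)
        [pscustomobject]@{ Title = $u.Title; Group = $group.Name; Deadline = $approval.Deadline }
    }
}

function Get-ApprovalsMissingDeadline {
    # Lists every Install approval on the server that has no deadline. Such an update is
    # only offered to users; WUA configured not to auto-install will never force it.
    $wsus  = Get-WsusServer
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates =
        [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    foreach ($u in $wsus.GetUpdates($scope)) {
        foreach ($a in $u.GetUpdateApprovals()) {
            # The API reports "no deadline" as DateTime.MaxValue.
            if ($a.Action -eq 'Install' -and $a.Deadline -eq [datetime]::MaxValue) {
                [pscustomobject]@{
                    Title      = $u.Title
                    Group      = $wsus.GetComputerTargetGroup($a.ComputerTargetGroupId).Name
                    ApprovedOn = $a.CreationDate
                }
            }
        }
    }
}

# Usage (placeholders): approve one KB for a group with a 22:00 deadline in its service
# window, then list approvals anywhere on the server that still lack a deadline.
# Approve-UpdateWithDeadline -KbArticle '<KB number>' -TargetGroupName '<group>' `
#     -Deadline (Get-Date '<yyyy-MM-dd> 22:00')
# Get-ApprovalsMissingDeadline | Format-Table -AutoSize
```

Running the audit function after each approval round is a cheap way to catch the gap the note describes before it shows up as unpatched machines.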

A note about time zones

In WSUS, when you set a deadline, it is interpreted in the time zone of the target computer, not the time zone of the server. Be sure to keep this in mind when setting your deadlines to avoid unexpected reboots. Remember, if a reboot is needed, it will occur no more than 15 minutes after the completion of the installation of the update.

Additional reading: