Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)


On computers running the RTM release of Windows 8 and Windows Server 2012, Windows Update no longer defined when to install updates. Instead, Automatic Maintenance is used for that purpose, minimizing activity during active computer use. Windows Update on Windows 8 and Windows Server 2012 computers also has new restart logic that defaults to forcing a restart 3 days after the installation of updates instead of 15 minutes. To avoid unintended data loss, forced restarts also no longer occur unless a user is actively using the machine and is able to see the restart notice and save their work.

While these changes have proven to be beneficial to many end users, the lack of discrete control over Windows Update installations and system restarts disrupted some management scenarios. This update returns the ability to discretely control when Windows Update installs updates, and adds the capability to force a restart soon after those installations regardless of whether there might be an active user session.

Microsoft has updated the documentation to more fully explain how you can use these new group policy settings. This documentation is available here: http://support.microsoft.com/kb/2885694

KB2885694, included in update rollup KB2883201, is available today (October 8th, 2013) on Windows Update and the Microsoft Update Catalog, and will be available soon on WSUS. We believe that this update will result in significantly improved uptime, reliability, and manageability; we hope you’ll agree.

In order for the below changes to take effect, this update must be installed on all client computers receiving the desired configuration. It should also be installed on the computers configuring the policy to expose the new and updated group policies.

Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren’t any additional updates you need to install.

Thank you for sharing your feedback with Microsoft!

The Windows Update and WSUS teams

 

Changes introduced by this update

KB 2885694 introduces two main changes that define how Windows Update on Windows 8 and Windows Server 2012 computers can be configured using group policy. All policies mentioned are located at this path:

Computer Configuration / Administrative Templates / Windows Components / Windows Update

When enabled with a value of 4…

The Configure Automatic Updates group policy works identically to the Windows 7 / Windows Server 2008 R2 and earlier behavior.

On Windows 8 and Windows Server 2012 without KB 2885694 installed, that policy could configure the main automatic updating setting, but configuring the scheduled install day and time had no effect. After installing KB 2885694, the policy will enable you to configure machines to:

  • Install updates during automatic maintenance, the default behavior, or
  • Install updates at the scheduled day and time defined in the policy

A new group policy called Always automatically restart at the scheduled time enables restarts soon after updates are installed, instead of 3 days later

By default in Windows 8 and Windows Server 2012, if the installation of important updates requires a system restart, one will be forced 3 days after their installation. The restart timer begins counting down only when a user is able to see it, helping prevent unintentional data loss in the middle of the night. More details about this default behavior are discussed in this blog post.

If you would instead like to force restarts following update installation, similar to Windows 7 / Windows Server 2008 R2 and earlier, you can enable the new “Always automatically restart…” policy. When the policy is enabled, a restart timer will always begin immediately after Windows Update installs important updates, instead of multiple days later.

The restart timer cannot be postponed once started, but the policy lets you configure the countdown timer to any value between 15 and 180 minutes. When the timer runs out, the restart will proceed even if the machine has signed-in users.

Note: If the group policy No auto-restart with logged on users for scheduled automatic updates installations is enabled, then the new “Always automatically restart…” policy has no effect.

Note: In Windows 8 and Windows Server 2012, the Delay Restart for scheduled installations continues to have no effect.

 

Example configurations

Scenario: Force updates and restarts at a specific time. For example:

  • Install updates on Friday nights at 11PM
  • Force a restart soon after installation

Recommended configuration: Use the Configure Automatic Updates policy:

  • Enable the policy
  • Use option #4 – Auto download and schedule the install
  • Deselect “Install during automatic maintenance”
  • Set “6 – Every Friday” for the scheduled install day
  • Set “23:00” for the scheduled install time

Use the Always automatically restart at the scheduled time policy:

  • Enable the policy
  • Configure the timer to the desired value (default is 15 minutes)

Scenario: Stagger installs and restarts across different hours and days on different machines.

Recommended configuration: Start with the same configuration as the above scenario. Set different scheduled install days and times for different groups which you don’t want rebooting at the same time.

Scenario: Force updates at a specific day and time, but preserve the default Windows 8 restart behavior

Recommended configuration: Start with the same configuration as the above scenarios, but do not enable the Always automatically restart at the scheduled time policy.
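
The example configurations above end up as registry values under the Windows Update policy key, so they can be audited on a client. The following PowerShell check is an added example, not code from the original post or from Microsoft. The value names are the ones WindowsUpdate.admx writes (only AutomaticMaintenanceEnabled is named on this page), treating an absent or 0 AutomaticMaintenanceEnabled as "use the schedule" is an assumption, and the sample policy sets are constructed.

```powershell
# Added example, not from the original post. Value names are those written by
# WindowsUpdate.admx; the sample policy sets at the bottom are constructed.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuPolicy {
    # Read every value under the AU policy key into a hashtable (empty if absent).
    param([string]$Path = $AuKey)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-AuPolicy {
    # Describe the install and restart behaviour a set of AU policy values asks for.
    param([hashtable]$Policy = (Get-AuPolicy))
    $out  = New-Object 'System.Collections.Generic.List[string]'
    $days = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

    # When are updates installed?
    if ($Policy['AUOptions'] -ne 4) {
        $out.Add("Install: AUOptions is '$($Policy['AUOptions'])', not 4, so no schedule applies.")
    }
    elseif ($Policy['AutomaticMaintenanceEnabled'] -eq 1) {
        $out.Add('Install: during Automatic Maintenance; scheduled day and time are not used.')
    }
    else {
        # Assumption: 0 or absent means "use the scheduled day and time".
        $day  = $Policy['ScheduledInstallDay']     # 0 = every day, 1..7 = Sunday..Saturday
        $hour = $Policy['ScheduledInstallTime']    # 0..23
        if (($day -notin (0..7)) -or ($hour -notin (0..23))) {
            $out.Add('WARN: ScheduledInstallDay or ScheduledInstallTime is missing or out of range.')
        }
        else {
            $out.Add(('Install: {0} at {1:00}:00.' -f $days[$day], $hour))
        }
    }

    # When does the machine restart?
    if ($Policy['AlwaysAutoRebootAtScheduledTime'] -eq 1) {
        $mins = $Policy['AlwaysAutoRebootAtScheduledTimeMinutes']
        if ($null -eq $mins) { $mins = 15 }        # the article gives 15 minutes as the default
        if ($Policy['NoAutoRebootWithLoggedOnUsers'] -eq 1) {
            $out.Add('WARN: NoAutoRebootWithLoggedOnUsers=1, so "Always automatically restart" has no effect.')
        }
        elseif ($mins -notin (15..180)) {
            $out.Add("WARN: restart timer '$mins' is outside the 15-180 minute range.")
        }
        else {
            $out.Add("Restart: forced $mins minutes after install, even with signed-in users.")
        }
    }
    else {
        $out.Add('Restart: default behaviour, forced 3 days after install.')
    }
    return $out
}

# Constructed sample: the "Friday 23:00, forced restart" scenario from the article.
$friday = @{
    AUOptions = 4; AutomaticMaintenanceEnabled = 0
    ScheduledInstallDay = 6; ScheduledInstallTime = 23
    AlwaysAutoRebootAtScheduledTime = 1; AlwaysAutoRebootAtScheduledTimeMinutes = 15
}
# Constructed sample: same settings plus the conflicting policy from the article's note.
$conflict = $friday.Clone()
$conflict['NoAutoRebootWithLoggedOnUsers'] = 1

Test-AuPolicy -Policy $friday
Test-AuPolicy -Policy $conflict
```

Calling `Test-AuPolicy` with no argument evaluates the policy values present on the local machine instead of the constructed samples.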

 

This post was written by Jordan Cohen on behalf of the Windows Update team.


Comments (55)

  1. Anonymous says:

    Yes, I've updated the post accordingly. Thank you for pointing out the typo!

  2. Anonymous says:

    Thank you so much! This has been a real pain point for controlling the patching of critical systems!

    Good work!

  3. AnguelS says:

    Similar problems here with Server 2012 R2 Essentials, I set up the "configure automatic updates" policy and nothing happens. Updates are pending but they don’t get installed. It’s a waste of time.
    Before wasting my time with the group policy I had the default "automatic maintenance" but it did whatever it wants whenever it wants – I had set automatic maintenance to 5 o’clock on the server, then around 8:45 (!) when users were already connected to the server it suddenly restarted because updates got installed at that time. It’s Russian roulette. There must be some idiots programming Windows 8.x. I have never been that disappointed with any Windows version before. Incredible how many annoying bugs there are and how they never get fixed, or reappear…
    Any open source is better supported, documented and more predictable than this stupid product we pay so much for…

  4. Anonymous says:

    From looking at the new windowsupdate.admx, I suppose that the one option that is really new is the "AutomaticMaintenanceEnabled" value under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, setting which to 0 should restore the traditional scheduled install behavior of the Windows Update service?

    And the "Always automatically restart at the scheduled time" policy was apparently added earlier — it is documented in KB2835627 and included in the KB2822241 update rollup (April 2013), but the ability to change the 15 minute timeout before reboot is not mentioned in those articles.

  5. Anonymous says:

    Nice to see that some semblance of sanity has been returned in that existing Group Policy is no longer ignored, but I'd still like a way to completely disable that automatic restart counter. Even if you think some server admins need hand-holding with automatic restarts, some of us know what we're doing and don't like control being taken away.

  6. Endaar says:

    There’s no question this patch fixes reboot behavior on Win 8 / 2012, but despite it supposedly being included in 8.1 / 2012R2, we’re not getting the expected behavior. Updates will install, but the servers will not auto-reboot after installation. In other
    words we’re seeing behavior on 2012R2 that matches what 2012 did PRE-patch. Thoughts?

  7. TR808 says:

    I’ve managed to set a GPO to install updates via my WSUS server, AND with a day of week and time (Saturdays at 5am), AND find out how to set the new “Always automatically restart at the scheduled time” GPO option while still only having a 2008-R2 domain controller.

    However, one last hurdle… is there a setting to force installation of updates if you’ve left an admin user logged in (with a disconnected RDP session)?

    From my testing it appears Server 2012 and Server 2012-R2 only install updates on the scheduled day and time if no users are logged in. I’d like to override that setting in case one of the techs forgets and just disconnects.

    Thanks -Tim

  8. Robert says:

    Did you mean "these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 *R2*"?

  9. A. Conner says:

    @Robert.

    Q.>Did you mean "these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 *R2*"?

    A.>yes. Those fixes are already in 8.1 and WS2012 R2 RTM. KB2883201 backports this change to Windows 8 / Windows Server 2012. Adjust policy knobs as required.

  10. Scott Struzik says:

    I'm still beside myself that someone in Redmond thought it was a good idea in the first place to take away control over the update deployment process and to have SERVERS with 15 minute, unstoppable reboot countdowns that are prompted by a login.

    Microsoft is really getting out of touch, taking a "we know what's best for you" attitude with Windows 8 and Server 2012.  The many good features of these operating systems are overshadowed by the mind boggling self-inflicted issues created by Microsoft.

    We appreciate these fixes, but it should have been that way in the first place.

  11. Fifteen Minutes says:

    "We know what's good for you, you don't. We will not negotiate on this or anything else while you are wearing suicide vests."

    That sounds just about how Microsoft is acting like these days.

    The fifteen minute reboot is a total job buster around here and I am taking all kinds of harassment for not being able to do anything about it.

    Thanks a lot, you've done it again Microsoft.

  12. Steve says:

    Good thing I use ConfigMgr. So much more control, maintenance windows? We've had those for years!

  13. Josh says:

    What about if your DC is a 2008 server?  You have to upgrade the DC just so you can use this roll up?

  14. Adam says:

    @Steve, we are using config man as well but recently had 5 of our HyperV 2012 boxes reboot automatically…these boxes don't have a maintenance window set in SCCM since we manually reboot… they all decided to go down as they felt necessary during the middle of the workday

  15. Phil says:

    | and will be available soon on WSUS

    How soon is soon?

  16. Sergey says:

    Who knows where to find updated ADMX files for GPO in domain?

  17. @Phil – the fix is available as part the cumulative rollup KB 2883201 which is on the windows catalog now.

  18. Ross says:

    This is great news – I've had 2012 servers sitting here for months not getting updates because I couldn't control restarts.  Thank you Microsoft.

  19. Matt says:

    Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO.

  20. Johnny says:

    ->

    Currently running our DC's with 2008R2, also wondering how to roll this out through a Domain GPO.

    <-

    I'm also in the same boat. How do we put the new admin template in place on a 2008R2 domain?

  21. A. Conner says:

    @ Sergey, Matt and Johnny. looking for updated ADMX files to configure "uplevel" policy from down-level clients and servers.

    The Windows Server 2012 R2 / Windows 8.1 version of the ADMX download package is undergoing package signing. Once you get access to the 8.1 / WS 2012 R2 ADMX files either through the download package (once available) or via Win8.1 / 2012 R2 media / install, then either copy them to the local policy template directory or into the central store. Related content includes:

    KB 929841  How to create the Central Store for Group Policy Administrative Template files in Windows Vista

    blogs.technet.com/…/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

    technet.microsoft.com/…/02633470-396c-4e34-971a-0c5b090dc4fd

  22. Paul says:

    I just found the newer files here:

    C:\Windows\PolicyDefinitions\Windows.admx

    C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml

    I have copied them to:

    C:\Windows\SYSVOL\sysvol\mydomain.local\Policies\PolicyDefinitions

    C:\Windows\SYSVOL\sysvol\mydomain.local\Policies\PolicyDefinitions\en-US

    I ran a gpupdate /force (not sure if it was needed) and I now see the 'Always automatically restart at the scheduled time' in my domain GPOs

  23. Paul says:

    This was on my Windows Server 2012 DC after I had installed KB2883201

  24. Anthony says:

    Would this update apply to SBS2003?

    In fact the rollup (KB2883201) which contains this update is only available for Windows 8/Server 2012 based systems.

  25. Johnny says:

    OK, I got the two files from a 2012 R2 member server. I created the following folders:

    C:\Windows\SYSVOL\sysvol\mydomain.org\Policies\PolicyDefinitions

    and

    C:\Windows\SYSVOL\sysvol\mydomain.org\Policies\PolicyDefinitions\en-US

    I put the following both files (Windows.admx and WindowsUpdate.adml) in both directories on our Windows 2008 R2 DC's and forced replication. Now I get the following error when I try to edit GPO's:

    Encountered an error while parsing

    An appropriate resource file could not be found for the file \\mydomain.org\Sysvol\mydomain.org\Polices\PolicyDefin…Windows.admx

    (error = 2): The system cannot find the file specified.

    Where is the correct place to put these two files?

  26. DaveB says:

    I had the same issue when I copied the Windows.admx and WindowsUpdate.adml to the locations Paul mentions. So instead I did the following:-

    Copy WindowsUpdate.admx from

    C:\Windows\PolicyDefinitions

    to

    \\<domain name>\sysvol\<domain name>\Policies\PolicyDefinitions

    then I copied WindowsUpdate.adml from

    C:\Windows\PolicyDefinitions\en-US

    to

    \\<domain name>\sysvol\<domain name>\Policies\PolicyDefinitions\en-us

  27. Johnny says:

    Thanks DaveB, that worked.

  28. Michael says:

    Hi, I am seeing the same issue on 2012 R2 – are you sure this has been fixed in 2012 R2? I still get “Restart to finish updating your PC – Save your work, restart your PC now to finish installing important updates. If you choose later, your pc will automatically restart in 1 day” – this is obviously not acceptable for a production file server!!!!! FAIL FAIL MICROSOFT!

  29. Anonymous says:

    Currently, Windows 8 and Windows Server 2012 RTM computers check for updates from Windows Update or Windows

  30. jim says:

    Scott Struzik – you really nailed it. Why is MS so hell bent on change for the sake of change and not change for the sake of making things better or easier. We all know where the update schedule was – now just put back the schedule and make it include 15 minute increments and EVERYONE (except the idiots at MS who made this stupid change) will be happy. Sure keep the ability to do it with a GP but why remove something that has worked well (except the limit of on the hour) feature for a decade? WTF is wrong with you MS?

  31. boe says:

    is this update required for 2012 R2? I can’t get a reliable automatic update. Seems completely random – I set it for 1AM and it happens whenever it feels like it days later. Why would MS do this?

  32. boe says:

    I have a number of 2012 R2 servers – still has erratic updates even though it says "Finally, these updates are already included in the final versions of Windows 8.1 and Windows Server 2012 R2, so if you are already planning to upgrade, there aren’t any additional updates you need to install." 2003, 2003R2, 2008, 2008R2 all updates working fine.

  33. JMAnderson says:

    So what happened to option 5 in the group policy, "Allow local administrators to select…"? See:

    http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx

    I no longer have the ability to set the day and time on each server; this worked in 2008 and 2008R2. I do have KB2883201 installed on my Windows Server 2012 servers.

  34. 127 says:

    Unfortunately, Win8.x systems seem not to obey the deadline you can set in WSUS.
    So if you set the deadline to e.g. 4 weeks in the future, the above settings seem only to make you able to force users to reboot on a weekly schedule, and if you do not set the weekly forced reboot mentioned above, the W8.x system will not be forced to reboot when the deadline set by WSUS is reached.
    If you want to give users some weeks' time to install+reboot but want to force after a specific deadline is reached, like it worked with XP and W7, it seems you cannot do this with W8.x anymore. This is very annoying if you have some users who never want to reboot.

  35. fuckumicrosoft says:

    Windows 8 SUCKS ASS. So frustrated it restarted for updates in the middle of installing a program now I cant uninstall it or finish the install. Thanks for wasting my time working on correcting this for something that should be so simple. *** YOU

  36. Chris says:

    it’s like the WinME staff was all promoted and running the show at MS…I used to wait for SP1….now I want nothing to do with their new products ‘caus I am not sure what stupid changes will be made…..ooops I mean what new features will be available

  37. Renato says:

    *** YOU MICROSOFT!!

  38. Ed says:

    On a WORKGROUP 2012 R2 Server I tried manually setting this via the registry (no GPO), it failed.
    I then configured the local group policy settings (resulting in the same REG keys!), and it worked.
    So it seems that settings configured in the registry alone won’t work.

  39. Ed says:

    Ignore my notes above, REG settings do work by themselves – WSUS does not work well when playing with the system time.

  40. Kurkure says:

    Do we have fix for this ?

  41. Bob. says:

    The quick fix is as follows.

    NET STOP WUAUSERV
    SHUTDOWN -A

    Then disable "windows updates" in services.msc or via SC.

    Turn it on and manually update when you need to, or configure a script to run as a scheduled task to turn windows update on after hours and off during production hours.

    Absolutely disappointing Microsoft would take a political stance on software updates that is so out of touch with windows server admins or basic business operations. I love telling my boss the following:

    "The server patched itself mid-day without telling me then failed to come back up because the patches botched the machine. I configured the server not to do this through group policy, that did not work. Checking around with other admins, there’s no way to configure
    it to not do this and Microsoft does not document this behavior in any of their material so I can’t prove it out as an issue to you."

    In some environments that is a resume’ generating event, in others, the admins work free overtime to deal with this. Either way, nobody is happy.

    There’s a lot of "nudging" going on lately from Microsoft caused by the "we can grow and keep growing forever" mentality is killing the company and really needs to stop. We’re seeing more Graphics and Systems API’s being integrated into Linux, and now Linux
    Containers are becoming popular. Software development in MS’s platforms is slowing down and on foreign platforms is picking up. Hopefully the next version of windows server will be built to our traditional expectations and we will get a proper "This is windows
    server, it’s awesome, all our legacy stuff, run it on a VM over [here] and remoteapp it, and be done with it" method.

  42. dennis@360ict.nl says:

    You cannot abort the reboot with shutdown /a, but you can stop the windows update service to abort the reboot. It saved my skin yesterday as I saw a pending reboot within a minute on 1 of our hyper-v servers.

    I agree with most opinions that this fix is great, but shouldn’t be needed in the first place.

  43. Marc K says:

    I also ran into the problem of Windows Server 2012 R2 not restarting after installing updates. "Always automatically restart at the scheduled time" is enabled on our systems. What I found was that the setting only works if there are no logged in users.
    If an administrator leaves a disconnected RDP session active, the server will not reboot. What’s worse is that if the administrator later reconnects to the session and logs off, the server will reboot soon after that. I once accidentally rebooted a production
    file server during business hours because of this.

    This is a really bad design. Who thought implementing client update semantics on servers was a good idea?

    The work around I implemented is as follows. All of our Server 2012 systems now run a scheduled task each night. The task is a custom EXE. What it does is check for the existence of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired". This key only exists if a reboot is required to complete the installation of updates. If the key exists, the EXE calls InitiateSystemShutdownEx. If not, it exits without doing anything.

  44. LTTB says:

    It really just boils down to another case of Microsoft trying to sell to the masses and support only those with big money.

    Rebooting production servers in large businesses with replicated systems is fine, so Microsoft decides to automatically reboot servers without granting any control.

    Rebooting servers in any smaller organizations merely cripples the entire business for the duration of the reboot. If you happen to have a smaller business with a few servers using Hyper-V, then rebooting ALL OF THOSE SERVERS AT ONCE without ANY CONTROL because
    the host server has applied an update is fine with Microsoft because those businesses don’t have enough money to have a fully replicated server farm.

    Microsoft neither supports,… nor cares.

  45. Jon S says:

    Hi – this had been driving me mad. You do need a GPUPDATE /FORCE or a reboot of the DC’s in order to get these policy changes (once you have installed the new GPO’s).

  46. Craig says:

    This is extremely frustrating! We have set the GPO as described but our 2012 R2 servers do not follow the schedule. This is causing us all sorts of issues, especially with our SharePoint server, the updates installs but the server waits to reboot, this
    breaks SharePoint completely most times and partially some of the time. But, it is almost as bad as when a production box reboots in the middle of the day!

  47. Frank says:

    Come On Microsoft – Fix this crap already! If I’m going to have to do everything manually I might as well switch to Linux servers!

  48. Siegfried says:

    Thank you!
    I’ve set exactly WSUS and GPO like you said.
    I’ve got servers that reboot in production … It’s awful for us!

  49. Markus says:

    Can we have a little bit more professional help from MS, after 2 years that article has been released it is still a problem on production servers even with the W2012 R2 version, why can we not have the mechanism like it worked on the 2008R2 … Consider that it is a real pain in the A%& and that problem exceeds the 5Mio dollar business impact hurdle to fix bugs by FAR ….

  50. Michael says:

    Is it correct that the option to install updates at shutdown is not available since Windows 8 anymore? I have skipped Windows 8 and am testing with Windows 10 Pro now. I have set the WSUS GPO to Download and Notify. Windows 10 1511 actually informs me
    about new updates and doesn’t install them automatically. However, with this setting I need to select and install the updates manually and they are not offered for Installation during shutdown anymore (which works great in Windows 7).

  51. Scott Evans says:

    Hi All,

    I`ve read the above and quite a few other forums on this subject but I`m still experiencing the same issue, I have a Windows Server 2012 R2 server that won`t restart during the maintenance schedule, I receive a message saying that the server will restart in
    1 day but I want it to install ASAP.

    I know the GPO is working as the same policy installs, downloads and restarts a Windows 2008 R2 Server.

    Could someone please advise?

    Thanks in Advance,
    Scott

  52. Scott Evans says:

    *Restart ASAP not install :)

  53. MarcK4096 says:

    It looks like the restart problem may be fixed by KB3138615 (released Feb 2016). It lists the fix item "Windows Update would sometimes not restart the computer as expected when the “Always automatically restart at the scheduled time” policy was set.".

    1. MarcK4096 says:

      It appears KB3138615 has not fixed the problem as I thought. We had half a dozen 2012 R2 systems not reboot last patch cycle because disconnected RDP sessions were present.