Hi team,
we have a WSUS server installed on Server 2019 and we are looking to implement the below patch process. Please help me to plan for the required GPO's.
Patch needs to install on a specific day and time.
Post successful patch installation suppress the reboot, engineer will login and perform the reboot manually.
User should receive a periodic popup when the patch is install and also when its in the pending reboot state.
Hi midhunPS-0986,
Thanks for your response.
I read that if we configure the deadline from WSUS console, it will override the policy Specify deadline before auto-restart for update installation and will perform an immediate reboot.
Would you mind to provide the article link for my reference? In my opinion, the deadline from the WSUS console is used for approval, not for reboot.
As I described it for the first time, it is difficult for us to control the restart on the Windows 10 clients.
Policy: [Specify deadline before auto-restart for update installation]
This policy means that the clients who applied this policy will reboot at any time before the deadline not reboot at the deadline moment.
For example, if the deadline is 15 days. The clients will reboot before 15 days. But the exact restart time of the clients are uncertain.
In addition, we could apply the policy to specify the active hours to delay restart:
But the default max active hours range is 18 hours. We could not restart the clients at the specified time.
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
Hi midhunPS-0986,
Thanks for your posting on Q&A.
It is difficult for us to restart the computer manually after installing updates in Windows 10. It is recommended to refer to the following policies to configure:
1. Patch needs to install on a specific day and time.
2. Post successful patch installation suppress the reboot, engineer will login and perform the reboot manually.
Here is the below policy about restarting the computer for your reference:
(Location: Group Policy Management Editor\Policies\Administrative Templates\Windows Components\Windows Update)
This policy does help to restart the computer manually after installing the updates when the user logs in. But if there is no one login after installing updates, the computer will restart as usual.
3. User should receive a periodic popup when the patch is install and also when its in the pending reboot state.
WSUS does not have this feature currently. This may need to be implemented using a script. I may need more time to research.
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
[2]: /answers/storage/attachments/21370-15.png
[4]: /answers/storage/attachments/21404-17.png
For the popup and alternative thoughts on how to deploy updates, check out part 4 of my 8 part blog series on How To Setup, Manage, and Maintain WSUS.
For the popup - please scroll down to the section entitled:
I Want Notifications!!!
Thanks for the detailed explanation.
If WSUS doesn't have any option for manual reboot, how long we can extend or configure the Automatic reboot.
Like post patch installation, reboot pending, wait for 15 days for auto reboot, in between Admin can reboot.
Hi midhunPS-0986,
We could apply the following policy on the client to pend restart:
[Specify deadline before auto-restart for update installation]
(Location: Group Policy Management Editor\Policies\Administrative Templates\Windows Components\Windows Update)
Reference picture:
Please note that the policy has a conflict with the following policies:
1. No auto-restart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
Thanks Rita, I will test this on a server 2019 and will update the status soon..
Hi
My 2019 server was waited for only 15 mints for reboot even though I have selected for 30 days. I can see the attached options for scheduled the update but its a manual activity. One more thing I was using a deadline for that approval. Please check and help me
Hi midhunPS-0986,
This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
Regards,
Rita
Thanks for the update.
I read that if we configure the deadline from WSUS console, it will override the policy Specify deadline before auto-restart for update installation and will perform an immediate reboot.
So I have approved patch without deadline, Patch installed successfully on scheduled time and waited for reboot. But the dialogue box shows that machine will reboot out of the active hours and I have the options for reschedule or restart now (same mentioned in my last post).
I have selected 30 days for the policy (Specify deadline before auto-restart for update installation.) but again server restarted after 3 hours in the non active hours.
Is there anyway can we disable the reboot of active hours ? server OS is windows server 2019.
Hi midhunPS-0986,
Thanks for your response.
I read that if we configure the deadline from WSUS console, it will override the policy Specify deadline before auto-restart for update installation and will perform an immediate reboot.
Would you mind to provide the article link for my reference? In my opinion, the deadline from the WSUS console is used for approval, not for reboot.
As I described it for the first time, it is difficult for us to control the restart on the Windows 10 clients.
Policy: [Specify deadline before auto-restart for update installation]
This policy means that the clients who applied this policy will reboot at any time before the deadline not reboot at the deadline moment.
For example, if the deadline is 15 days. The clients will reboot before 15 days. But the exact restart time of the clients are uncertain.
Regards,
Rita
Thanks Rita, going through many other forums understood that many others are facing the same situation and not sure MS is doing something for this. please find below the WSUS deadline explained article.
https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127631
Hi midhunPS-0986,
Thanks for your response.
If there is anything else we can do for you, please feel free to post in the forum.
Regards,
Rita
Hi MidhunPS,
we released this policy back in January 2020 specifically for servers which are affected by default active hours reboot behavior, this way the server does not reboot unless you press the restart now button or schedule the reboot (WSUS deadlines still override policies so do not deploy updates with mandatory deadline if you want to avoid this):
If you do not see this policies, please apply the latest ADMX templates from 2004:
https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra
HTH,
Andrei
5 people are following this question.
