Force PCs in a domain to Update from WSUS

Hi Guys,
I have a Windows Server 2012 domain, and a group of PCs with Windows 10 Pro that belong to that domain.

My goal is to have all the PCs in the domain to run the Windows Update Service one day of the week (ideally Friday) contact the local WSUS Server (which is the same domain controller where they are being authenticated) and then force them to restart when they finish.

All of this should happen at 3:00AM without any user intervention.

I have installed WSUS in my Windows Server Domain Controller.

I have setup the all the GPOs below (at the end of this message).

Yesterday the test PC was detected by the WSUS, and the report told me that there were 5 updates needed and approved ready for installation, so I left yesterday very happy thinking that the windows updates were going to be applied and the PC was going to restart at 3:00AM.

Oh surprise when I arrived this morning and no Windows Updates were applied and the PC was not restarted.

Questions:

Do you have a step by step guide on how to do this?

What am I doing wrong?

This is a list of all the GPOs I created and applied to the test computer:

\ Computer Config \ Policies \ Admin Templates \ Windows Components \ Windows Update

Always automatically restart at the scheduled time: Enabled (15 minutes)

Configure Automatic Updates: Enabled
4 - Auto download and schedule the install
Install during automatic maintenance: Disabled
Scheduled install day: 6 - Every Friday
Scheduled install time: 03:00

Do not connect to any Windows Update Internet locations: Enabled

Enable client-side targeting: Enabled (mygroupname)

Specify intranet Microsoft update service location: Enabled
http://mydc.mydomain.local:8530

Turn off the upgrade to the latest version of Windows through Windows Update: Enabled

Any help will be greatly appreciated.
Thanks.
cargexAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Windows 10, like Windows 8 before it, only allows limited control over when and how WU installs updates (even when connecting to a WSUS server.)  Most of the policies you listed are simply ignored.  WU will check in. WU will install patches. And WU will pick an idle time it thinks it can reboot. You don't get a lot of say in the matter.  WSUS in the modern era is really just a control mechanism to approve patches. But not a granular install mechanism.  You have to plan accordingly.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cargexAuthor Commented:
So what is the solution to have the kind of control that I need?

The issue here is that the computers are being used from 8:30AM to Midnight, and sometimes they restart in the middle of the day when the user is working.
0
Cliff GaliherCommented:
That should only be happening if the user is not logging out and is ignoring the reboot warnings repeatedly.  But to answer your question, if you want very fine grained control over installation and reboots, you need an agent based product.  Those tend to not be free and there is administrative overhead.  Think Kace, Shavlik, SCCM, etc.
0
cargexAuthor Commented:
Ok, here is what I've found out in my tests.
The Windows Update group policies are applied, just not exactly as they are programmed.

For instance "Always Automatically restart at the scheduled time" with a value of 15 minutes. You would think that if you schedule the Windows Updates at 3:00AM then the restart would happen at 3:15AM

Well it turns out that the 15 minutes apply to any moment after Windows Updates are applied, and they aren't applied necessarily at 3:00AM.

My Solution so far is to disable the  "Always Automatically restart at the scheduled time" and schedule a system restart at 5:00AM not necessarily related to the Windows Updates, but if Updates were applied then the restart will serve to finish the process. And restarting a PC on a daily basis is always a good thing to clear the memory, so win win.
0
cargexAuthor Commented:
Hi Cliff,
I have ran a lot of tests with WSUS, and my conclusion is that Cliff is absolutely right.

Thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.