WSUS randomised reboot times - Maintenance Windows doesn't work

I am successfully using WSUS to update our fleet.
I have an issue with the timing of the installation and reboots, particularly of Servers.

At 4am (scheduled install time) all servers download, install and reboot.
Which is what it's meant to do.
The issue I have is that often the reboots happen within minutes of each other and, worse, all Active Directory servers may reboot at exactly the same time, so for a few minutes there are no AD servers on the network.

I want to be able to randomise the reboots by 1 hour so that they don't all occur at exactly the same time.

I looked at the Maintenance Scheduler GPO settings, which should allow randomisation, so that the Automatic Maintenance runs at 3am (plus or minus 1 hour), which should install updates and reboot if needed. But this doesn't seem to work.

My GPO settings are as below:

Computer Configuration (Enabled)
Administrative Templates

Windows Components/Maintenance Scheduler

Automatic Maintenance Activation Boundary Enabled  
Regular maintenance activation boundary 2000-01-01T03:00:00

Automatic Maintenance Random Delay Enabled  
Regular maintenance random delay PT1H

Windows Components/Windows Update

Allow Automatic Updates immediate installation Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following interval (hours): 6

Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance Enabled
Scheduled install day:  0 - Every day
Scheduled install time: 04:00
If you have selected “4 – Auto download and schedule the install” for your scheduled install day and specified a schedule, you also have the option to limit updating to a weekly, bi-weekly or monthly occurrence, using the options below:
Every week Disabled
First week of the month Disabled
Second week of the month Disabled
Third week of the month Disabled
Fourth week of the month Disabled
Install updates for other Microsoft products Enabled

Do not include drivers with Windows Updates Enabled  
Enable client-side targeting Enabled  
Target group name for this computer Windows Servers

Specify active hours range for auto-restarts Enabled  
Specify the max active hours range:
Max range:  18

Specify intranet Microsoft update service location Enabled  
Set the intranet update service for detecting updates: http://wsus.domain.local 
Set the intranet statistics server: http://wsus.domain.local 
Set the alternate download server:  
(example: http://IntranetUpd01)
Download files with no Url in the metadata if alternate download server is set.  

Turn off auto-restart for updates during active hours Enabled  
Active Hours
Start:  6 AM
End: 10 PM

Turn on recommended updates via Automatic Updates Enabled  

Windows Components/Windows Update/Windows Update for Business

Manage preview builds Enabled  
Set the behavior for receiving preview builds: Disable preview builds
Select when Quality Updates are received Enabled  
After a quality update is released, defer receiving it for this many days: 7

Which I'm hoping will do this:

Set the Maintenance Window to be 3am with a random delay of 1 hour (so hopefully the server installs the updates and reboots at a random time within that hour; this doesn't seem to work).

Install updates immediately if they don't affect the OS.
Check for updates often, every 6 hours

Download and Install the updates everyday during the Maintenance Window and also at 4am (which it does exactly at 4am, but not during Maintenance Window at 3am+-1hour)

Set Active hours to be between 6am and 10pm so no reboots occur during working hours.

Don't install Preview Builds and don't install Quality Updates immediately; wait 7 days before installing.

So what am I doing wrong, as the servers are not installing the updates during the Maintenance Window but are waiting until 4am, and then all reboot around the same time?


Set the DCs up so they do different times or better even days. If an update decides to wreck something on all DCs, what will you do? So it's better to do the first half of DCs on one day and the other on the next day.
DaveAuthor Commented:
So you are suggesting to move the DCs into another Sub OU and apply a different GPO to them?
That's a bit clunky as a solution, but would work.
But it doesn't help for the rest of the servers that are rebooting at the same time. That's a load on the VM hosts.

Is there a way to randomise the times?
No. I am suggesting to use another policy for them, not to move them into other OUs, which is not recommended for this.
You can use security filtering on policies so that they will only be applied by certain computers/groups of computers (one way) or use WMI filtering (another way).

I did not use randomization for restart times yet and would have to try that out myself, sorry.

DaveAuthor Commented:

Yes, ok. So a WMI query that would apply to odd-numbered final octet IPs and another that would apply to even-numbered last octet IPs would work well.

The AD servers are consecutive IPs, x.x.x.10 and x.x.x.11, so a GPO with a WMI filter for odd numbers would apply one day (or week) and then another GPO with an even-number WMI filter could apply for the next day (or week).

This would also work on the rest of the servers; that would mean only half of the servers would reboot at around 4am, the other half would reboot the next day (or week).

No idea how to write that WMI query though :-)

Still a load on the VM hosts to have half the server farm rebooting within 10-20 minutes of each other, which randomisation of the WSUS would fix.

I'm surprised that I haven't seen this before elsewhere (or I just haven't noticed) and that this isn't a problem for others as well.

Any other ideas to get a randomised reboot schedule for Windows Updates?
The Maintenance Schedule looks like it's perfect for it, if it worked!
Use security filtering. Create a policy "WSUS for DC1", open properties ->security -> Authenticated users: untick "apply policy" and add the group "DC1" (which holds the 1st half of your DCs) and check "apply policy" for them. Do the same on another policy "WSUS for DC2" which applies only to group DC2. No WMI needed.
DaveAuthor Commented:
That's ok for the DCs but not for the rest of the server fleet.
DCs don't change often so a static group will work.
Putting machines into groups is too manual for everything else.
That's why I was thinking of WMI, as it's automatic.
Without using WMI syntax but still using WMI: Set the policies manually on one machine and look at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Now transfer all these registry keys to a group policy preference ("GPP") registry item collection. Then use item level filtering on that GPP which is clickable WMI. As easy as it gets.
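The two threads of this discussion, splitting servers into an odd/even wave by the last octet of their IP address and checking which WSUS policy actually landed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, can be tied together in a short PowerShell script. This is an added example, not code from the thread or from either participant. It assumes a /24 subnet (you pass the first three octets), a constructed schedule in which odd hosts install at 03:00 and even hosts at 05:00, and that the WMI-filter query is dry-run on a server with Get-CimInstance before it is attached to a GPO; the WQL uses the host routes in Win32_IP4RouteTable, and the directed-broadcast route (x.x.x.255) is excluded so that it cannot make every host in the subnet look "odd".

```powershell
# Added example (not from the thread). Classifies a host into an Odd or Even patch
# wave by IPv4 last octet, builds the WQL a GPO WMI filter would need for that
# wave, and verifies that the WSUS policy that reached the registry matches.

function Get-PatchWave {
    # Returns 'Odd' or 'Even' from the last octet of an IPv4 address.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = $IPv4Address.Split('.')
    if ($octets.Count -ne 4) { throw "Not an IPv4 address: $IPv4Address" }
    if (([int]$octets[3] % 2) -eq 1) { 'Odd' } else { 'Even' }
}

function New-PatchWaveWqlFilter {
    # Builds the WQL for a GPO WMI filter (namespace root\cimv2). Assumed /24.
    param(
        [Parameter(Mandatory)][string]$SubnetPrefix,              # e.g. '10.0.1'
        [Parameter(Mandatory)][ValidateSet('Odd','Even')][string]$Wave
    )
    $digits = if ($Wave -eq 'Odd') { '[13579]' } else { '[02468]' }
    # Win32_IP4RouteTable carries a /32 host route for each local IPv4 address.
    # The broadcast host route x.x.x.255 is excluded explicitly (it ends in 5).
    "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' " +
    "AND Destination LIKE '$SubnetPrefix.%$digits' " +
    "AND Destination <> '$SubnetPrefix.255'"
}

function Test-PatchWaveWqlFilter {
    # Dry run on the local machine: $true when the filter would apply here.
    param([Parameter(Mandatory)][string]$Query)
    $rows = Get-CimInstance -Query $Query -ErrorAction Stop
    [bool]($rows | Select-Object -First 1)
}

function Get-ExpectedInstallHour {
    # Constructed wave schedule (assumption): odd hosts 03:00, even hosts 05:00.
    param([Parameter(Mandatory)][ValidateSet('Odd','Even')][string]$Wave)
    if ($Wave -eq 'Odd') { 3 } else { 5 }
}

function Test-WsusPolicyForWave {
    # Compares the ScheduledInstallTime that actually landed on this host
    # (under the WindowsUpdate\AU policy key) with the hour its wave should have.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $wave     = Get-PatchWave -IPv4Address $IPv4Address
    $expected = Get-ExpectedInstallHour -Wave $wave
    $auKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $actual   = (Get-ItemProperty -Path $auKey -Name ScheduledInstallTime `
                    -ErrorAction SilentlyContinue).ScheduledInstallTime
    [pscustomobject]@{
        Address      = $IPv4Address
        Wave         = $wave
        ExpectedHour = $expected
        ActualHour   = $actual          # $null when no policy has been applied
        Match        = ($actual -eq $expected)
    }
}

# Usage on a server: take the first non-loopback IPv4 address, report the wave,
# check the policy that landed, and dry-run the matching WMI filter.
$ip = (Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object IPAddress -ne '127.0.0.1' |
       Select-Object -First 1).IPAddress
Test-WsusPolicyForWave -IPv4Address $ip
$query = New-PatchWaveWqlFilter -SubnetPrefix ($ip -replace '\.\d+$','') `
                                -Wave (Get-PatchWave -IPv4Address $ip)
"WQL: $query"
"Filter applies here: $(Test-PatchWaveWqlFilter -Query $query)"
```

Run Test-PatchWaveWqlFilter on one odd-addressed and one even-addressed server before attaching the query to the GPO; if a host with an even address reports $true for the odd filter, inspect its Win32_IP4RouteTable host routes, since that is the only way the filter can misfire. Test-WsusPolicyForWave is the check to run after gpupdate on a domain controller pair such as x.x.x.10 and x.x.x.11 to confirm they ended up in different waves.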

DaveAuthor Commented:
@McKnife. Thank you again for your prompt replies and I appreciate it.

I can use an IP address filter, but that's for an IP address range.
So I can set the range to be half of the server subnet, and the second policy to the other half, so half the servers reboot at one time, and the other half all reboot at another, different time. So that's almost there.

But like a lot of people, our AD servers have consecutive IP addresses, so they will be in the same half.
So we are back to the AD servers rebooting at the same time, so the GPP solution won't work for the Domain Controllers.
I would have to use the initial solution of security filtering of computer names for the DC OU.

That will work.
But, boy is that messy.

It's going from one GPO describing WSUS settings for all servers, including DCs, to 4 GPOs:
2 with manual security filtering of Computer names
2 with GPP and Item level targeting IP address ranges.

If only randomisation would work on the single WSUS GPO that would be so much cleaner.
I cannot try and test randomizations before Monday - but I will.
I have no test server to try with at the moment, but let me make sure: is "install during automatic maintenance" in the "configure automatic updates" GPO even checked?
DaveAuthor Commented:
Install during automatic maintenance Enabled
Let's see if I can use my testlab at home tonight.
DaveAuthor Commented:
Hi @McKnife
Did you have any luck with the randomisation?
Tried, but it took more than just turning it on. Not experienced with scheduled maintenance - abandoned the testing for now, sorry. Will return to it for sure, but I cannot say how soon.
DaveAuthor Commented:
@McKnife. No worries, thanks for your help so far
I returned to that problem on Sunday, but found that it will only start maintenance if the download has already occurred and that hadn't happened. So again, I need to take a moment of time for tests.
DaveAuthor Commented:
Thanks @McKnife
Sorry for not coming back - Simply didn't find time to sit down within all the daily stuff. I cannot see when this will improve, so maybe it's best to close this question for now.
DaveAuthor Commented:
In the end, I couldn't get randomisation working the way I hoped.
I did get partial solutions that were not what I was looking for.
However, thanks to McKnife for his assistance anyway.