TL;DR it blocks automatic restarts completely. Period.

Windows Registry Editor Version 5.00

; Every launch of MusNotification.exe is redirected to the "Debugger" command below;
; Windows appends the original path and arguments to it. This stub just logs and exits.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe]
"Debugger"="cmd.exe /c echo %DATE% %TIME% suppressed automatic reboot >> C:\\UpdateOrchestrator.log"

Modify it however you like; it doesn't have to output anything to a log file. This is just how I rolled it out in my company.

I tested this a lot and can confidently say this is the most unintrusive method I know to suppress automatic reboots, nag screens, update notifications and the lot.
Windows Update uses this executable a lot. Not only for restarting, but for every type of notification you can get about them. "Updates available", "You should really install updates right now", "Updates need to be installed, please restart" as well as "Updates cannot be installed" won't appear anymore. Given that you are monitoring installed updates, which you should, this shouldn't be an issue.

While blocking the UpdateOrchestrator\Restart task, which basically just calls MusNotification.exe with some arguments, isn't new, Microsoft blocked disabling it in 1803. This feature has to stay for backwards compatibility, so I'm certain this workaround won't be fixed any time soon.


To explain what the key does:
The Image File Execution Options subkeys can actually control a whole lot about how Windows executes files. The Debugger key was used by a lot of scareware back in the day. It redirects execution from every executable named the same as the key to the debugger and appends the original executable and all arguments to it. To my understanding this process would then normally be expected to set up a debug environment and start the actual process. Which we don't. So we effectively cut MusNotification.exe out of the chain and thereby prevent Windows Update from being so intrusive to the user.


Bonus: If anyone wants the PowerShell script to monitor installed Windows updates that I use in conjunction with this, I can post that too.

Hope this helps anyone.

Edit: To clarify. Updates install normally. I know about the shit-ton of GPOs you can enroll that are supposed to give you control, but in my experience Windows 10 Pro ignores all of them.
The only thing this does is suppress notifications and automatic restarts.

Edit 2: Here's the monitoring script: https://github.com/WhAtEvErYoUmEaN/CheckInstalledWindowsUpdates

Edit 3: spelling
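An audit script, added here and not part of the original post or the linked repository, that lists every IFEO "Debugger" redirection on a host so you can tell the entry you deployed apart from ones you did not (the same mechanism is catalogued as MITRE ATT&CK T1546.012 and is a common persistence trick). It assumes Windows PowerShell 5.1 or later run elevated; the `$Expected` allow-list and the function name are assumed names, not anything from the post.

```powershell
# Added example, not from the original post: audit the Image File Execution Options
# (IFEO) hive for "Debugger" redirections like the MusNotification.exe entry above.
# Assumptions: Windows PowerShell 5.1+ on Windows, run elevated for full visibility;
# $Expected is an allow-list you maintain yourself.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit images on a 64-bit host are looked up under the WOW6432Node view.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    <#
    .SYNOPSIS
    Lists every IFEO subkey that carries a Debugger value and flags the ones that
    are not in the allow-list of redirections you rolled out on purpose.
    #>
    [CmdletBinding()]
    param(
        # Image names whose redirection you deployed intentionally (case-insensitive).
        [string[]]$Expected = @('MusNotification.exe')
    )

    foreach ($root in $IfeoPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $debugger = $_.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { return }

            # First token of the debugger command line: either a quoted path or the
            # first whitespace-delimited word. Resolve it so the report shows whether
            # it points at a real binary (and which one) or at something missing.
            if ($debugger -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($debugger -split '\s+')[0] }
            $resolved = Get-Command -Name $exe -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Image        = $_.PSChildName
                Hive         = $root
                Debugger     = $debugger
                DebuggerPath = if ($resolved) { $resolved.Source } else { '<not found>' }
                Expected     = [bool]($Expected -contains $_.PSChildName)
            }
        }
    }
}

# Report only what you did not put there; in a fleet, feed this into your inventory.
$unexpected = Get-IfeoDebugger | Where-Object { -not $_.Expected }
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or RMM check notices
}
else {
    Write-Host 'No unexpected IFEO Debugger entries found.'
}
```

Run it periodically alongside the update-monitoring script; an entry you did not deploy, or one whose debugger path resolves to something outside System32, is worth investigating.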

Comments (376)

[removed]

[deleted]

don't worry, MS will see this thread and "fix" it in the next update that hopefully, thanks to OP, I won't get... lol

Fixed critical security flaw that gave users the ability to customize and control their device

This is very useful. Thanks.

Can't wait for Microsoft to (maliciously, IMO) 'fix' this 'bug' in the next patch Tuesday. Can't have Pro users controlling their systems, can we? /rant.

We'll see. I was actually contemplating releasing this because of it. But there'll always be ways.

I've been using a program called shutdownBlocker on my personal stuff. It conjures the same screen you get when you shut down a pc with unsaved office docs.

Your solution is far more elegant.

There is another program called RebootBlocker: https://www.udse.de/en/windows-10-reboot-blocker

This tiny program installs itself as a Windows service, and changes the Active Hours settings in the background, thus preventing Windows from rebooting itself.

I doubt they'll block it. I posted this as a way to nerf the GWX.exe (Windows 10 upgrader) in r/technology over a year ago and they haven't done anything about it.

At most, they'll just add it to the list of system executables that you aren't allowed to put in image execution options. Like, you can't use this to block task manager or msconfig.

https://old.reddit.com/r/technology/comments/6ajiyk/hp_is_shipping_audio_drivers_with_a_builtin/dhf3tpe/

Doesn't Process Explorer replace Task Manager this way?

[deleted]

[deleted]

Yeah, go try that on real users. They won't do it.

Fun detected, nerf incoming.

Out of interest, what are you using to deploy patches in your environment?

I don't know whether I can disclose that. Let's just say the current patch provider they use is more than unreliable. Hence the script to monitor Windows updates at least.

Fair enough. Blink once if it's WSUS, twice if it's ConfigMgr, or just stand there looking dead inside if they're just pointed at Windows Update.

The reason for asking is that the goal I usually strive for is to get the user involved in patching and 'encourage' them to initiate patching when it's convenient for them. We use ConfigMgr which, while it could be better, allows you to do that pretty reasonably. If the deadline hits when it's inconvenient ... tough ... you ignored 7 days of notifications. Hourly in the last 24 hours. Don't do that and you'll never have a problem. So my assumption is that the product you're using has its own UI of some kind? Patching is rebooting so it's gotta happen at some point right?

It actually just shoves .msu's down DISM's throat and is set to not reboot workstations.
It's a shitty system but I inherited it, and we as well as our customers are in it, so switching over has yet to be done.

Got it, some crazy half-baked home grown thing. My condolences. And to be clear, I'm just trying to better understand the scenario where your solution is needed/helpful.

If your customers are small I'd highly recommend looking at WSUS or at least WUfB with Windows Analytics (as they roll to Win 10). WSUS has a small bit of infrastructure and can be a PITA but it's free and allows/requires you to approve updates. WUfB is really a Win 10 feature that allows you to create deployment rings via GPO and, in theory, delay or pause patches. It wasn't great when first released but it's slowly getting better. Windows/Desktop analytics is 'free' and solves the reporting side.

Not all heroes wear capes.

Does a blanket around the back count? :D

Close enough. You've saved me a lot of grief :)

Alternatively, just don't give MusNotification.exe any room in the notification areas and Windows Update will also refuse to run.

Oh yeah, that was a fun bug to find out about. Had a VM that wouldn't update and had to google the error code to find out there was a problem displaying notifications. Open the notification tray to find that it's entirely full of left over ghost icons from some program that kept crashing and relaunching, adding another icon each time until there were about 100 of them.

Why is there a limit to how many notification icons there can be at once? Why does Windows Update completely fail to function if it can't create one? Why does it even need a notification icon if you start updates from the Windows Update control panel?

That has to be one of the stupidest bugs ever. Good to know as I am rolling out win10 to the machines at my new job next quarter. Hope to never experience it personally.

Why does Windows Update completely fail to function if it can't create one?

try {
    create_notification
}
catch {
    Throw "can't create notification. no can run"
}

do_the_needfull_updates

I’ve hit this so many times.

[deleted]

I know this is the "official" answer for what should work, but as with others here, it didn't work for me. Search for "Windows 10 updates ignore group policy" or "Windows 10 automatic reboots with GPO set". Anything along those lines and you will find a ton of people that are still having their systems automatically reboot despite this (and other) settings. It's the entire reason third party tools like NoReboot exist.

I initially went this route myself quite a while ago (can't remember the version number at the time, but I am using Pro). I set it, and the next update cycle my system rebooted. I thought I might have done something wrong, so I double checked the setting, the registry key, everything. Next month, same thing; each time running VMs would get powered off, documents closed, I would lose a ton of work. I checked event logs, and sure enough, restart for updates.

I resorted to disabling all automatic updates, not just downloads and restarts, across the board. I still patch, I just perform it manually at a time that suits me and at which I can gracefully close my work (this is my home PC of course, so it's manageable). It's a pain, but not as much as having my computer randomly restart.

Microsoft patches are currently a flaming dumpster fire. It's better in an enterprise where you have centralized patch management, but there's still nothing good about them, it's just slightly more tolerable.

Edit: When the open letter regarding patch management was published, I noticed that it contained a section regarding unwanted reboots. While it doesn't specifically state what measures people are taking or that there are issues with the GPO, I think it does make it clear that things are not working as expected and it is hurting customers and end users. I just wanted to point this out as it's one of the best references to Windows updates in general and specifically calls out reboots.

I am disturbed when I see users and consultants talk about taking drastic measures to take back control of updating and rebooting. Some are disabling Windows Update as a drastic measure to ensure that updates do not reboot systems when they are not wanted. It’s clear that your team also acknowledge that unexpected updates are problematic. But your customers deserve better than “promising” results. They deserve a stable platform that reboots only when they want it to.

On the last, when I see that sysadmins have been blackholing the update servers on their routers, you know something is fucky. None of this is good, you roll out updates when they work for your organization, and not all of them can afford Enterprise skus, but still have the requirements to not bring their users to their knees because a bad update slipped through (which seems to be the rule rather than the exception in these days of non-existent patch QC).

If the problem is MS spaghetti code OS, then maybe that should be addressed rather than rushing updates out to prevent 0 days.

If the problem is MS spaghetti code OS, then maybe that should be addressed rather than rushing updates out to prevent 0 days.

And we all remember the shitstorm last time they promised an entire re-write... and the one before that

It'd be fine if they'd actually do it. But they never do. It's always just more shit on top of the old OS.

each time running VM's would get powered off, documents closed, I would lose a ton of work

I'm on board with most everything here, but... ctrl-s, man, ctrl-s. Who steps away from a keyboard without it?

"We'll get around people not updating on time by forcing them to avoid updates in order to maintain sanity." Way to go, Microsoft. Plus the gamble whether some random thing will be broken afterwards.

I went to multiple Microsoft sponsored events this year with talks about Windows Updates and the Microsoft engineers on stage in no uncertain terms said unless you are running an enterprise SKU, don’t expect consistent update/restart behavior via GPO.

What they describe has been my experience. Is this a bug, or a feature that makes you buy Enterprise?

To the customer it’s a bug, to MS it’s a feature.

This should be their new company slogan...

I prefer: "Microsoft. We hate you!"

[deleted]

(my other complaint is that the w10 search is so fucking garbage it's unreal.)

Holy fuck, for real:

ch

No results

chr

No results

chro

"Ah, you mean Chrome!"

chrome

No results

What in the fuck Microsoft?

I find, almost like clockwork.

cont

Searches web for everything...nothing local.

close Start menu, open again and try again

cont

now it comes up with local results...

I personally find that if you've already done a search and backspace to type a new search it becomes literally retarded. Maybe something to do with the whole Cortana bloatware.

Lots of people have this complaint, so I know there's something to it. However, w10 search has always worked fine for me.

Holy shit don't even get me started. Relevant to this specific post:

Check

Nothing

Check for updates

Nothing

(BackspaceBackspaceBackspaceBackspace) Check for upd

Best match: Check for updates

[deleted]

Does it find all the files it deleted?

haha, nope, it just gave the UX guys a raise, instead.

they split search and cortana

I felt that thing was half baked anyway. All the limitations of bundling all the features into one point intrusively, but with none of the convenience that could be offered by integration. They should have worked on making those systems work better, not just making them more noticeable.

No, it doesn't.

It still divides it into different categories, it still has the worst, space-wasting UI ever, and it still jumps around. You can see the top result, press enter, and it updates a millisecond before and you end up executing the wrong thing.

It still doesn't prioritize start menu executable over random .exe files (why do uninstall exes ever show up in search? ... especially with the above problem)

The UI is still trash.

It's still slow as fuck.

Install "Everything" for a look at how a search should be done.

The ads and the control loss are probably the biggest hangups for me. For the Start menu ads, so far I've coped by just pretending the Start menu isn't there, which is lame. It can be frightening to return after a short break and find out it restarted, because sometimes this can lose data. Microsoft just assumes that if you're not moving your mouse, the entire rest of the world has stopped. And that everyone has the same schedules, workflow, etc.

"~~Heckler&Koch~~ Microsoft. Because you suck and we hate you."

"Microsoft. Because you have to."

"~~Heckler&Koch~~ ~~Microsoft~~ Windows. Because you suck and we hate you."

Most of Microsoft's FOSS stuff (.NET Core & family, VS Code & family, etc) isn't so bad.

Just Windows & Windows related software. (Looking at you, Visual Studio)

Oi! I like Visual Studio!

Except for the part where it takes three seconds to register a keystroke or a UI change after a system hibernation.
And the part where debugging in a Citrix environment is wholly unpredictable.
And the part where one-click deployment works sometimes.

Most of Microsoft's FOSS stuff (.NET Core & family, VS Code & family, etc) isn't so bad.

Yeah, I agree. I just needed to make that joke.

"Because we're Delta airlines and life is a fucking nightmare!"

Precisely. We should get a refund/rebate if it isn't published in the marketing materials.

This has really improved security on the internet though. Lots of parents with kids that instinctively turn off auto updates have had that option removed. By pushing the requirement outside of consumer hands the internet is a better place.

I don’t like it, but it’s a tough-love requirement.

Then allow Pro versions to just fucking turn it off.

Even fucking server 2008 has forced restarts.

[deleted]

No, I mean 2008. And 2008 is based on w8... it's the same UI.

No... 2008 was based on Vista. 2008R2 was W7, 2012 was W8, 2012R2 was 8.1. 2016 was W10 Anniversary, 2019 is W10 180x... I forget if it's 1803 or 1809. Newest thing I use daily is 2012R2.

Ehh... I would argue that if you are knowledgeable enough to set GPOs then you should be able to dictate your own update policy.

What it's generated is that there is a higher portion of kids messing around with Enterprise Edition LTSC in the home than actual small businesses running it.

the second one

a lot of typical "control" GPOs are Enterprise and Education only in Windows 10.

Yeah, but if you buy an OS, you should expect to be able to exert a fair bit of control over when it reboots. What if I have a long running task that doesn't gracefully pickup after an ungraceful exit? I've gotta re-write my program or just deal with it? Not at this price, M$. If I re-write, it'll be on another OS. And it'll be the last re-write done for an M$ reason.

Microsoft's logic is that if you need that functionality, you must be running professional workloads, so you should pay for an OS with those features enabled. Pro is no longer "professional" but "prosumer", those features are now relegated to Enterprise, or you could just run it on a server instead.

It's artificial segmentation, but as long as they can get away with it, they will; they're a publicly traded company after all, got them shareholders to please.

In the meantime, actual prosumers are being increasingly nudged towards pirating LTSC or Enterprise, which they can't legally obtain as an individual otherwise. The only thing they could buy is the $309 "Pro for Workstations" which still includes Candy Crush. You'd think a $309 piece of consumer software wouldn't be an advertising platform.

Make that double Candy Crush! Last pro install I did, straight from the official Media Creation tool had CC vanilla and Candy Crush Soda Saga. Also some Mickey bullshit and other crap.

I absolutely fucking hate this. My users aren't playing games, they're working. Get your bloatware shit out of my business software that I PAY FOR to be for business.

I started installing N, because it's missing the crap for whatever reason.

I'm seriously considering switching to server just to avoid all this crap.

Lots of people in the audio / lighting industry are using LTSB or LTSC. Features don't matter, stability does. Nothing sucks more than announcing in the mic in front of hundreds or thousands of people that Windows is rebooting.

Video industry, also using LTSC/B

LTSC is designed for specialized equipment, and if you're running something uptime critical, it's likely that that's exactly what it was designed for.

Just don't put LTSC on everyone's computer then wonder why Microsoft won't help you with your Office ProPlus issues.

Microsoft could have avoided everyone being nudged towards LTSC by making the select few things that people who shouldn't be using it for, actually available.

As Jim Sterling says about game publishers all the time:

"They don't just want some of the money, they want all the money[ in the entire world]."

"If you give us just a little bit more of your life, a little bit more money, we'll make things better! You owe us this! Don't prevent us from doing business by withholding from us!" Yet every time an inch is given, they don't give back and nobody learns. They can't be as friendly as people think them to be. It's just how those organizations work. Dealing with what they do in that light rather than pretending they're just as fragile and loving and deserving of care as an individual would prevent a lot of heartache.

Hint: install the N version, it comes without the crap (you can activate the normal version on the machine, then do a clean install with the N version without a key, and it'll activate).

Any source on that before i flip our WDS images to try?

Just my own testing.

Will try. Thanks for the info.

actually since 1803 or 1809 Pro for Workstations has the same default apps as Enterprise.

Oh wow, I missed that. I'm slightly impressed that they actually changed it. Though... that's still advertising and preinstalling random bits of unwanted software, and unlike Enterprise, PfW isn't meant for the audience that customizes their images.

No, Microsoft just got tired of being in the news for people's systems being crippled by exploits that had been patched for months.

Now they just make the news for poor QC on the patches they force on everyone.

Except, now they're in the news for rebooting during television programs or other mission critical operations. That's not a better look.

Worse, MS have dropped the ball on their QC repeatedly, with several instances of patches causing endless reboots or log files filling the hard drive.

So, in the past, shitty users would never update "because they always break something." Sysadmins knew that wasn't true except in very odd cases like malware or when the user broke something and just blamed the updates. Now, they've taken away the ability to deny updates, except the updates are often broken and reboots can happen without warning. Now the shitty users' confirmation bias is proven to be correct! Talk about shooting yourselves in the foot.

As a sysadmin I can tell you that many of my users will delay or disable updates. Somehow it's the one thing they all learn and share with each other.

This goes for their phones too. They will come to me first if an app or software misbehaves before allowing an update. However the unexpected Win 10 reboots have really been horrible as well and have included some updates that seemingly BSOD'd some systems.

Sounds like you aren't managing it well.

Well no.. that was it. I set up push deployment and had to reimage 6 systems of ~350, which took about 20 mins.

Still updates shouldn't cause BSOD. Were you trying to be edgy?

They're not in the news for that.

They get a couple words on a few subreddits and some tech sites.

The update headaches are way, way, way more palatable for them than the unmitigated disaster that was XP and giving people control over updates.

Even now morons still try to actively disable Windows updates because they think they're smart and can go 6 months without patches without getting pwned.

It would have been an annoying but net good thing if it was handled well. Instead they dropped the ball by using the fact that nearly everyone will receive updates automatically as a license to not bother listening to bug testers or fixing stuff. "We don't have to care because what are they going to do? Stop installing our updates? Ha!"

except servers also reboot

I'm one of their shareholders, and I'd be less worried about my investment if they weren't such dicks to their customers. My only Pro instance is for home and home business. When I bought it, this update BS was not as clear as it is now. I have had significant losses of time, data and money because of M$'s patching SNAFUs over the past year or two. I now do ridiculous backups of EVERYTHING, which I hate having to do, and I know I'm not as protected as I'd like to be. I just don't have the budget to it the right way at home. But my needs are pretty data-intensive, and my workflow is pretty chaotic, and these are big factors. And I've been surprisingly unlucky in regard to co-incidence of M$'s F-ups and my business needs. Even their 'prosumer' platform shouldn't be this big of a shit-show.

Would be nicer if they made it more obvious, rather than pretending their now slightly more featured edition would be suitable for slightly above average workloads. Because there's a big jump between doing next to nothing with a machine and using it as part of a large organization, but Microsoft seems to have it separated into just those.

because those options cover 95% of their userbase

The inbetween is a niche market to them, so they won't focus on it.

Pro is no longer "professional" but "prosumer"

Which we all know is bollocks frankly. Prosumers get jack out of the additional features in Pro over Home unless they're running an AD domain at home, which is really niche. Pro is a business SKU that MS see as poaching sales from Enterprise so they want to kill it, nothing more, nothing less.

What they should be asking themselves is why they believe a Pro business is going to upgrade to Enterprise all of a sudden, it's not got any more affordable and the MS365 option for Enterprise is hard to get priced except through a VAR, they really ought to just capitulate, kill Enterprise, roll all the features into a new Pro and find a tiered way to monetise it. Or just stick with the tiering Windows 7 used.

Shareholders to please.

Australia's main ~~ponzi scheme~~industry is the banking sector, who have just discovered they don't have a social license to operate anymore after we forced the government to haul them through a Royal Commission process.

It'll be fun when people realise they have the power to take Microsoft's social license away from them.

ELI5 Social License

https://i.imgur.com/yHSrsHl.png

When a company no longer finds it has a social license to operate, it finds itself subject to regulation that forces it to change its behaviour. Yes, they can keep bribing the government more and more money through "donations", but eventually the public get too pissed off and force the government's hand (or similarly, the government finds it no longer has a social license to operate, and a regime change happens).

[deleted]

The updates often take so long to run that the schedule would be difficult to implement reliably. Also, my jobs don't have a schedule. So I can't give the updates one. I just need them to run -- and finish -- when I need them. Don't want to have to check the MS update pane for my PC whenever I have work to do. Also, the problems with the updates are a problem. Like the 1809 update that deleted files under the user's profile. Un-F-ing-believable. How do they even keep the same name on the company with crap like that popping off?

lol why would they lock that feature down by SKU

microsoft is almost as bad as oracle

You must not actually ever deal with oracle.

Because money. There is little to no reason to buy Enterprise otherwise.

Most people should not be disabling automatic updates or force reboots.

Home users have no reason to be disabling reboots after automatic updates. It is to protect the user and the rest of us.

An Enterprise has patch management and may have reasons why they can not yet upgrade to X. Performing an upgrade may cost lots of money and time. A home user not so much. If an application breaks they can stop using the application that is failing to update. Enterprise environments have other systems that force the user to reboot. Or they have systems that will do it when it is less intrusive to the business.

Home users have no reason to be disabling reboots after automatic updates

What if I don't want to? To me, this is enough reason. Everyone should have a choice. Consequences are another thing, but there should be a choice.

It is to protect the user and the rest of us

Yeah, a phrase right from the MS sales/marketing pitch. You can convince my grandma with it.

Consequences are another thing, but there should be a choice.

What if those consequences affect others?

What if those consequences affect yourself? Wasn't there an update a while back that deleted user data and people couldn't avoid automatic/forced restarts starting it until Microsoft themselves dragged themselves out of bed and shut that update off till it was fixed, even when the "bug" was reported before it was released and they didn't care?

And if it affects others, their/your system wasn't patched or was open to begin with.

Something I could get behind is a delayed update setting. A setting that say for a week or two it would not apply updates unless you specifically ask for it.

Home users have no reason to be disabling reboots after automatic updates. It is to protect the user and the rest of us.

This is bollocks. OP quoted an MS engineer as stating that "unless you are running an enterprise SKU, don’t expect consistent update/restart behavior via GPO" (my bolding). Not all users of non-enterprise versions of Windows 10 are these ingénues that you think need nannying. For a start, you are forgetting about Windows 10 Pro users, who as the name suggests are likely to be professional/business/technical users. I'm also not sure it's your business to say that users of the Home edition don't deserve to have some control over this if they show the technical wherewithal needed to apply a GPO or registry setting.

I can attest from bitter experience that my Pro installation periodically ignores this GPO setting and happily reboots my machine with no warning, almost always while I have several virtual machines running.

I'm also not sure it's your business to say that users of the Home edition don't deserve to have some control over this if they show the technical wherewithal needed to apply a GPO or registry setting.

Just because someone has the technical ability does not mean they understand the implications of performing an action.

Just because you can use your Keyboard, doesn't mean you should.

So what? It's MY computer, not Microsoft's.

That's life. I'm less worried about how little people patch their software than about the people I hear driving with completely gone brake pads all the time. Hopefully the metal pad holders and rotors hold out and they don't just careen into someone. But we still have them driving around.

Clearly, from this thread, most of them do need nannying.

XP was a disaster and everyone thought back then they didn't need nannying, either.

Home users have no reason to be disabling reboots after automatic updates. It is to protect the user and the rest of us.

Because Defender is literally the only software mankind has ever invented throughout its history to defend computers from malicious software, right?

There are constant security patches to the OS that have nothing to do with Defender.

AV software prevents exploiting known vulnerabilities.

OS security patches actually close those vulnerabilities.

Edit: Here I am talking about security patches, not AV. I am genuinely curious where the comment on AV is coming from.

I am aware that Windows 10 AV is Windows Defender. My comment is about security patches.

It's the second form of defense against exploits, malware and other shenanigans that will still need to run on the machine regardless of how it got on there. That's why.

You realize that antimalware stuff doesn't really stop much outside of threats older than 5 or 6 months, right?

And it definitely doesn't stop browser exploits that immediately chain to custom malware that AV doesn't detect.

[deleted]

My god, you're an asshole.

This is why I consider this subreddit "non expert". You're 100% correct yet you get downvoted to oblivion because you don't support the "nerd rage circlejerk" of sysadmins who can't even see anything resembling the big picture.

It's a bunch of low level keyboard jockeys with no higher grasp of proper IT practices, security, anything.

They're angry because Microsoft's perfectly reasonable (but not perfect) practices are taken as a personal affront to their own nerd autonomy.

sysadmins who can't even see anything resembling the big picture

Consider - in the context of the 'big picture' if you will - that the easiest way of stopping Windows from pulling this crap is to prevent Windows from getting updates at all. Law of unintended consequences and all that.

It's astonishing to see people who purport to know better being hostile to the concept that an administrative user of a computer should have control over when it reboots if they explicitly wish to.

you do

100%

it's called windows enterprise and SCCM

i.e. how you should be running your network

And when users had control, they fucked it up. Big time. Guessing you weren't around in the XP era where it was like 2 out of 3 computers were infected with -something-.

"Oh, let's let our users decide when they want to reboot! Oh wait, we have 500 machines out of 1000 that haven't been updated in 3 months?! Oh shit, 250 of them just got hit by ransomware? However could that have happened?"

Even on LTSB/C GPO behavior is wildly inconsistent and breaks frequently.

Seriously? That's even worse.

Microsoft is a bunch of lying assholes. I was eventually informed that a lot of front end settings in SFB actually do nothing. Like setting lengths of ring before transfer: the front end says 15, 30, 45 seconds. No matter what, it will be 38 seconds. They just lie to make it look more flexible than it is. That is directly from Redmond. Fucks.

Which is fucking infuriating. Like only massive businesses need to control this shit... the majority of business users have pro, not ent.

Did they explain why they thought this was acceptable?

“Too many businesses just use the pro edition so we lop off features they need and lock them behind a different SKU.”

"Windows is installing updates on the computer you only use a few times a month for live lighting and DJ'ing in bars and clubs"

And those engineers survived the lynching? Amazing...

Hm, I don't know. I've set this on my Pro device and it works like a charm.

unless you are running an enterprise SKU, don’t expect consistent update/restart behavior via GPO.

This drives me mental, for years Pro was the barebones business SKU, it lacked bells and whistles but it had the core functionality but now MS have decided it's not a business SKU and doesn't need those core features. Like, I get they're trying to sell Enterprise but if Pro isn't for business use who the hell is it for?

I'm going to buck the trend here and say this is a good thing. If you don't have an enterprise IT team managing your updates, you are far better off from a security standpoint having those updates shoved down your throat.

W10 has been the most secure Windows to date because of this. Do we have to drop extra money on Enterprise licensing? Yep. But this isn't just a cash grab. This is MS saying: we want a product that is as secure as possible for our non-enterprise customers. If you are going to claim that you can manage your workstation security better than we can, then put up the cash to prove that you have a real IT department.

It's a gatekeeper.

.

except in the past, the updates didn't break everything like they do now. They didn't uninstall software that you owned, they didn't completely change the interface of some things... most of the crap they shovel now isn't security related, it's UI changes, new versions of candyCrap etc... if it was purely security fixes they were forcing I would have 0 issues with it..

I’ve worked places with infrastructure teams of 10 people and the business uses pro, not enterprise. Enterprise is traditionally used by very big business, with everyone else using pro.

Even if you have 1 IT guy and 10 PCs, that doesn't mean those PCs aren't critical to your business... and given how fucking fast and loose MS has been with updates anybody with any sense whatsoever is controlling their own updates.

It's pathetic that they do this. These days all my clients are SMB, you think they appreciate coming in Monday morning and finding out they have 30 minutes of updates waiting which have just fucked their workflow?

Pro has always been a "business" OS while Enterprise was "large business", by relegating Pro to a home-business OS they are essentially screwing thousands of small to medium businesses that never needed "Enterprise" and thus never deployed it.

That is 100% not the case anymore.

If you employ a system administrator, you should have enterprise licensing.

If you don't understand this basic part of Windows 10, you probably should be still on the helpdesk.

edit: lol junior admins yelling at clouds and downvoting that which is true.

this subreddit.

Yes thank you for your misguided arrogance, the attitude never seems to amaze me.

You know what I would really like? The other Admin we could employ instead of paying out the ass for Enterprise to get features that came with Pro in Win 7.

switch to linux then, it will most certainly be cheaper (lol) and you'll have all the control you want! good luck!

Agree to a point. Having the updates forced are a great idea, if they were well tested and limited to security issues. Anything that does not directly affect the security of the system should be included in feature updates and allowed to be optional.

Instead, we get nearly the opposite. Massively flawed patches that get rushed out the door and have caused more widespread issues than the security flaws they fix, unwanted programs added, and the near continual cascade of fixes for fixes. I don't think anyone would be able to get away with remote restarting someone's machine mid day because you really thought they needed 3D Paint, but the current Windows Update system does just this.

I'm 100% on board with non-negotiation on critical updates, but only if they're actually critical and they're stable.

I would agree if they donate the difference to charity, or make it free but require an Enterprise agreement.

It's a cash grab and you know it.

W10 has been the most secure Windows to date because of this

Rofl. Next you're going to tell me it's the most bug-free version to date.

You have absolutely no idea what you're talking about.

Nah. It's been buggy as hell, and the recent patches have made work more difficult than it needs to be. But I am honest in my appraisals. Tell me, which version of Windows was MORE secure than 10?

windows 3.1 you couldn't hack it, because you had to work at it to get it to connect to the net in the first place... /s

Good old trumpet winsock!

//showing my age here...

LOL no doubt... and spending hours trying to get the damn atz commands right so the modem would dial out without waking everyone in the neighborhood with DEE DEE DEE DUR DUR DUR

But alas, it is.

But it's correct.

For so so so many reasons.

That's fucking lunacy on their part. But what are we gonna do, move to a linux distro that still uses init.d?

I think the UI is bad if it doesn't clearly indicate "this option will be ignored". If the option is visible people will select it thinking it will do something, and shouldn't be expected to know some odd Microsoft lore to know whether the options they're presented with will do what they say or even consistently do one thing or another. Their smug "oh, well the users should have known" instead of fixing the issues or at least making the system more usable.

Works for me. //shrugs//

[deleted]

? So you just admitted that it didn't work 100% on your single PC, but you don't see how that could be a problem for a whole company? I'll let you figure that out yourself.

Didn't work consistently. Was the PC of my boss out of all of them. GPO was set, 1803 didn't care. That's what sparked the idea actually.

Pro or enterprise?

Pro. And as others and I already mentioned, it ignores the necessary GPOs.

I bet Enterprise obeys it. MS is deliberately crippling necessary corporate functionality in Pro to goad us into shelling out for Enterprise.

Same as how you used to be able to turn off the store via GPO in Pro, but now you can't and that GPO only works if people have Enterprise.

You're completely correct.

There are even GPOs that specifically state they need to be applied to enterprise to work - e.g. changing the lockscreen background.

You can work around that with direct Registry GPOs.

You can but it's such a pain in the ass.

Also harder to document for others to work on, whereas a group policy object comes with built in notes as to its purpose.

I bet Enterprise obeys it.

There are several caveats to that, but yeah.

If your users can check for updates and machines aren't LOCALLY set to defer feature updates, AND the local deferral timer isn't up, a user can pull 1803.

Now you might ask, why would you let a user check for updates? Well because so many of the updates break, hang in the background, and continue to hog half your RAM and 75% of your CPU unless you manually restart the check process that you HAVE to allow the users to do it or else they can't do simple tasks like launch outlook.exe and you'll be getting calls about it 24/7.

We have enterprise in our environment, and the issue is the same: regardless of what we set for GPO settings (including "no auto-restart with logged on users for scheduled automatic updates installations"), the machines would still reboot during business hours. Personally, I'm keeping OP's registry suggestion in case we need it again. Thanks OP!

Gotta love actively fighting against your own OS.

Or is it now windows as a service bullshit?? Lol

Were you using wsus with the going settings?

Nope. No WSUS.

We use wsus to control when updates happen.

Configure the workstations via GPO to check for updates at midnight and schedule reboots at 3 am every day. Then we manually approve updates on WSUS as we notify the departments it's happening. Hasn't failed us so far.

Haven't played around with it yet. Good to hear that Pro machines at least adhere to this setting then.

This GPO doesn't work for disconnected RDP sessions. It works in all other scenarios. The restart orchestrator hits a point that checks for logged in users and if it finds them, reads this key and acts accordingly. If no one is logged in, including disconnected RDP, it doesn't read the key and moves into auto restart and engaged restart behavior. Have a flow chart, corresponding logs, and confirmation from Microsoft that this is the behavior. They refuse to update the documentation to reflect it or alter the behavior to pre-Win10 for this key. Our support minutes were refunded, even though it was 'by design' since there was no way to know that with the documentation they provide.

Did not work for me with Pro. Nothing did, so I'm gonna try this.

The majority of windows 10 specific GPOs are Enterprise only.

Yeah, and I totally get that. I'm just amazed at how little control is granted the user through the UI. It's really just a big F-U from M$. And if you're accustomed to or even familiar with GPO settings or any system management app, it's even more frustrating. I've found a (ghetto) workaround, but I shouldn't have had to.

Agree. I understand MS wanting to control the experience/safety more, but that's why there's a Home version. Pro is primarily used in the professional world and should have comparable control.

This hasn't reliably worked since the Anniversary Update a year or two ago.

I found out the hard way this doesn't work the way it seems. This setting only looks at "active" sessions. Once the session times out, locks, and/or the user disconnects for a period the setting is ignored and the system will reboot.

I have users that are constantly running debugging programs and applications on their session whether they are actively logged in or not. This gpo setting doesn't care.

One Enterprise setting that does work (for now) though is to not automatically check for updates. I've set this for my "special" users and tell them only check for updates if you plan to reboot then and there.

How do I apply a group policy on my home computer which isn't part of a domain.

NO. No no no no no.

I have had so many fucking servers reboot because this GPO was set and the idiots I worked with just never log out of them, so the moment I would log off the goddamn server would go down.

"Never log off your machines" is not the right answer to this problem.

Ugh, you shouldn't have an automatic update setting on your servers unless you're handling it much more granularly.

Workstations on the other hand, if one reboots when someone logs out, no problem with me.

Oh, I like this comment.

You shouldn't do this, you shouldn't do that...

May I ask you, why we had YEARS of Windows 2008 and 2012/R2 perfectly running with "Install and wait for restart" and now we shouldn't?

  1. You should have a system that isn't Microsoft handling things like this. There's a million of these systems. How are you doing your automation?

  2. It's a bad practice to have automatic updates on servers. You should be installing and rebooting as per policy; whatever policy works for your business.

  3. You should not be installing patches that need a reboot and then not rebooting. Changing code on a running server and then running code from just memory is a fool's errand.

You should have a system that isn't Microsoft handling things like this. There's a million of these systems. How are you doing your automation?

Yep, I need something-something because you said so, and completely disregard working experience of running these systems for years.

It's a bad practice to have automatic updates on servers. You should be installing and rebooting as per policy; whatever policy works for your business.

My business policy is "auto install and wait for reboot, reboot as per policy". And just for a point - I'm not in one business for 20 years.

You should not be installing patches that need a reboot and then not rebooting. Changing code on a running server and then running code from just memory is a fool's errand.

This is bullshit. You don't even understand how (and more importantly - WHEN) updates are applied. Go read about "pending file operations".

"Hold my beer" - Microsoft

Probably.
I want them to try.
There's so much legacy stuff they forget when blocking things that it's funny. We'll find another way sooner or later. The more tinkerers know the better.

That's a hell of a clever solution. Was it your idea?

I read about disabling UpdateOrchestrator\Restart in Task Scheduler before, but MS blocked that quite well.

It clicked when my boss was affected by the issue. I remembered how scareware did it back in the day with the explorer.exe and it worked for this also. So yes, it was kinda my idea.

Haven't installed 1803 yet, but I used to remove all access permissions from Restart task file so that system can't update or execute it. Has this solution been blocked now?

I exhausted a lot of options and couldn't disable it anymore. Hence this.

That still works for me on 1803 pro

We still use this as an effective workaround on servers. To elaborate, you can still disable the scheduled task, but you also have to deny the system account access to the C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\reboot file as you suggest. Not sure if OP has done this, which may be why the task gets re-enabled. We also use Pro and between this and the no reboot with users logged on GPO we get the intended behavior.

Interesting, I just renamed the Reboot task in C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator and created a folder named Reboot to keep it from recreating the task.

It works, but is a bit more clunky than your solution.

When did you do that? Everything I tried, including escalating to fucking TrustedInstaller, did not make 1803 allow me to change anything about this task. If you can reproduce that then this is an even better solution than what I did here.

I think it was about 6 months ago. I didn't change the task name in the scheduler, though I did disable it first.

I changed the name on the task file in that folder directly via right-click, though it did give me a UAC prompt to complete.

Disabling alone shouldn't be possible anymore. It just throws some non-standard error about missing access rights into your face. Even as SYSTEM.

TRUSTEDINSTALLER still appears to have access on my 1803 machines - once I set permissions from there it seems to have been sticking ok.

FWIW, on a clean install of 1809 (possibly auto-updated very quickly from an older build on the install media; not sure), SYSTEM does have full access to mess with the task files.

[deleted]

Yeah, probably. But that'd be tedious.

Thank you very much for sharing this. Just clicked the "save" button.

+1 for the powershell monitoring script please

So what path environment variable is cmd.exe selected from since you don't specify the entire absolute path explicitly?

Typically system32. Microsoft wants you to specify the full path but since every system on earth should have system32 in its %PATH% it's %PATH%.

No Windows sys in front of me, sorry, but what if there's a cmd.exe ahead of system32 in the path somewhere?

Current directory, then cycle through %PATH% contents until found.

If you somehow have a cmd.exe in the %PATH% before system32, you have bigger problems than that cmd.exe before system32.

I understand your security implications.
Yes, it would use the earlier cmd.exe.
If you're keen on not being affected by any kind of PATH hijacking going on, feel free to add the full path.

[deleted]

I have the convenience that my users turn their PCs off when they leave the building.
Windows changes the shutdown and restart buttons to apply updates and restart/shutdown when it needs to restart. The problem neatly solves itself.

If the machines actually manage not to install updates I can talk to the users and fix that at a convenient time.

[deleted]

It's an old trick. You'd be surprised how much malicious content you can stop by setting

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSEXESVC.exe\Debugger

Which effectively kills a remote admin running psexec on your machine. Wannacry is a nice example of malware spreading with psexec.
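The two points above (an unqualified `cmd.exe` in a Debugger value is resolved through the PATH search, and IFEO Debugger entries are a control worth knowing about on your own machines) both come down to knowing what is actually set. As an added example, not code from this thread, here is a read-only PowerShell audit of every IFEO subkey carrying a Debugger value; the helper names are my own, and `Get-Command` is used to approximate the PATH lookup for unqualified names.

```powershell
# Added example (not from the thread): list every Image File Execution Options
# subkey that has a "Debugger" value, show which executable it launches, whether
# that executable is given as an absolute path and, if not, what the PATH search
# currently resolves it to. Read-only; run from an elevated PowerShell.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-DebuggerExecutable {
    param([string]$Command)
    # The first token of the Debugger value is the program Windows will launch.
    # Handles both "C:\Program Files\x.exe" /flag and cmd.exe /c ... forms.
    $trimmed = $Command.Trim()
    if ($trimmed.StartsWith('"')) {
        $end = $trimmed.IndexOf('"', 1)
        if ($end -gt 0) { return $trimmed.Substring(1, $end - 1) }
        return $trimmed.Trim('"')
    }
    return ($trimmed -split '\s+', 2)[0]
}

function Get-IfeoDebuggerAudit {
    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { return }

        $exe        = Get-DebuggerExecutable -Command $debugger
        $isAbsolute = [System.IO.Path]::IsPathRooted($exe)

        # An unqualified name is found by searching the directories in PATH, so a
        # stray copy earlier in PATH would win. Get-Command performs the same kind
        # of search and shows which file would be picked up right now (assumption:
        # close enough to the loader's order for audit purposes).
        $resolved = $exe
        if (-not $isAbsolute) {
            $hit = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            $resolved = if ($hit) { $hit.Source } else { $null }
        }
        $inSystem32 = $resolved -and
            $resolved.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)

        [PSCustomObject]@{
            Image        = $_.PSChildName      # e.g. MusNotification.exe, PSEXESVC.exe
            Debugger     = $debugger           # full value as configured
            DebuggerExe  = $exe                # program that actually gets launched
            AbsolutePath = $isAbsolute         # $false means PATH decides
            ResolvesTo   = $resolved           # file the name currently maps to
            InSystem32   = [bool]$inSystem32   # $false deserves a second look
        }
    }
}

# Entries you did not put there yourself, or that resolve outside System32,
# are the ones to investigate.
Get-IfeoDebuggerAudit | Format-Table -AutoSize
```

Feeding the output into whatever inventory or monitoring you already run turns the one-off check into a standing alert for IFEO changes you did not make.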

Of course.

It doesn't differ from "If you have car keys you can drive off the bridge?"

Sir you are a god. I run a lot of data recovery some in Windows in my pc repair shop. This will save so soo much stress and prevention of lost time and recovery

I've finally gotten around to testing this and I'm impressed - but I'm not 100% happy with it.

I unplugged a test-box from the network, formatted it and installed a fresh copy of Windows 10 v1803 on it. I added the registry key before connecting it to any network. Then I went home and checked in the day after.

The logfile looks like this: https://pastebin.com/AQmybaVt I'm happy with how much it suppresses.

However, a big issue I'm having is that Windows installs half the update in the background without asking and then prepares for reboot. Often this results in loss of functionality or things being buggy, especially on our servers. Our Terminal server was misbehaving in December and telling all outlook users that the license was invalid. Reboot took 1 hour and 20 minutes due to updates they don't let me stop.

Just yesterday our other server suddenly decided to update Exchange while everyone was trying to work, so it disabled the exchange processes. I discovered this because a user phoned me saying they can't connect to the email system. All this resulted in 3 unavoidable reboots because it got into a snowball effect with other updates they don't let me stop, one of them failed and there we had 2 hours of downtime in the middle of the day. 70 users scratching their asses gets pretty expensive.

My criticism is aimed towards Microsoft and not this registry key of course. The key is absolutely great - it was my expectations that weren't 100% realistic.

I'm now going to format that same computer one more time to try another trick I read where you set the standard NIC to "metered connection" to see if that lets me take back ownership of our property.

This shit is insane. Also, I thought this didn't occur on server versions,....?

I wish. Windows Server 2016 is pretty much Windows 10. You know how it still has the old GUI in some places (control panel etc) and the new one in other places (settings, apps). Well in the server version that's even worse, there's a lot of softwaregore going on there with functions that don't work, buttons that don't do anything just because they have even less focus on making it user-friendly. I mean I can get around it, that's my job, but it's annoying as well as disrespectful. After the exchange fiasco described in this post our CEO asked me to write a complaint letter to Microsoft and I totally support him. Instead I had a sit-down meeting with him where I showed him the open letter by Susan Bradley as well as the pedantic response by Microsoft that was sent last summer and we agreed that this complaint letter would be a big waste of time. I guess I'm lucky to have such a supportive and understanding boss when it comes to shit like this.

Thanks. I must say I first interpreted MS blocked this since 1803, as being sarcastic and 1803 being the year. ;/

I feel like we're back in the days when we were hacking phones to jailbreak them, finding workarounds and Apple kept slapping patches on them to keep us out.

I feel so dirty, heh!

And just like the jailbreaking scene, Apple/Microsoft are getting good at locking owners out of their equipment.

It's taken them both a good number of years, but it's getting there.

[deleted]

Please go back through the posts on this sub to understand. The systems we deal with are usually mission critical ones. And so a reboot in the middle of a job can spell disaster for the user, and if it's an exec, doom for the poor IT staffer that gets caught in the middle.

We would appreciate a little reading before posting any further critical statements if you could, please.

Thanks

[removed]

Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.

Community Members Shall Conduct Themselves With Professionalism.

  • This is a Community of Professionals, for Professionals.
  • Please treat community members politely - even when you disagree.
  • No personal attacks - debate issues, challenge sources - but don't make or take things personally.
  • No posts that are entirely memes or AdviceAnimals or Kitty GIFs.
  • Please try and keep politically charged messages out of discussions.
  • Intentionally trolling is considered impolite, and will be acted against.
  • The acts of Software Piracy, Hardware Theft, and Cheating are considered unprofessional, and posts requesting aid in committing such acts shall be removed.

If you wish to appeal this action please don't hesitate to message the moderation team.

[deleted]

And it was well on its way to the top comments as upvoted by the userbase

Top comment is 284 upvotes after 24 hours of being up. Your comment had 13 upvotes after 13 hours of being up. Please excuse me if I don't believe you.

Secondly, as title states, "Community Members Shall Conduct Themselves With Professionalism". As such, please be professional and constructive- wishing death threats or death upon engineers only doing their job is considered unprofessional.

The nuclear option still exists.

Either nuke the update directory from orbit or just use Linux. Either way you win.

I just run WSUS, set it to install updates and reboot during the normal 3AM window, and push updates from there.

In my experience with Windows Server, allowing updates to occur, but not reboots, leads to a system that gets more and more broken over time until a reboot. The updates occur, services stop and won't restart, and basically it becomes more and more unusable over the course of a few months.

Windows 10 may be different, but (afaict) the Windows update model really does require reboots to occur for the running services to keep working correctly.

Never ever ever block restarts completely. You are to schedule that. This just gives you the opportunity to take the control away from Redmond.

Excellent tip, thank you. We monitor patching, the reboot-needed flag, and intelligently schedule and enforce all of it ourselves - having Windows 10 constantly fighting with us and screwing things for the end users infuriates me. It's great you tested this for 6 months for unintended consequences as well.

C:\UpdateOrchestrator.log"

Question - from your testing, are you confident that MusNotification.exe always runs as local system/etc (and thus has rights to C:)? Ie, do any of your users run as unprivileged accounts?

If MusNotification.exe interacts with explorer.exe to pop up notifications/etc then it might be run in the context of an unprivileged user account then, right? I think directing the logfile to %temp%... might be safer if that might be the case, since that would then log regardless of the security context.

I'm not certain right now but I think it was either SYSTEM or TrustedInstaller.

There weren't any permission issues I can remember.

Edit: Owner of the file is the localhost\Administrators group. SYSTEM and said group having full access.

[deleted]

I might get shit for that but I just let them update.
Edit: Also my users don't let their PCs run all night.

Thank you sir.

great news.

Thanks

Things like those make me wish my company wouldn't cheap out on AD in favour of several tens of thousands of useless Jira plugins where the budget gets spent on...

Granted you can activate WMI remote management and get admin credentials on all machines, the basic functionality is just a few scripts away.

I didn't know about WMI remote management, I will look into this, thanks ^_^

How do you run monitoring for updates pending, etc. SCCM, GPO scheduled task? Just curious how you deal with actually pushing though reboots to apply updates.

I monitor the installed updates. Machines get marked off if they don't install any. You can then run an update search via the WUA API.

I don't force reboot anyone. They're turning off their PCs at night which means updates get installed because Windows replaces the shutdown options when updates are pending.

Are you running your script remotely? How many computers are you administering?

I recommend looking into runspace pools, aka multi-threading. Forgive me I've been away from IT for some time now, however you can create a way to have multiple threads and have multiple instances of script running, one for each computer (limited by the thread count of your specification), thus cutting your execution time down exponentially.

Also, I recommend the important information you need for review from each computer be placed into an object with properties (probably most of your "write-hosts"). Then have this object exported to a simple html table into your email. This way you won't need to watch the screen for any information.
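Putting OP's approach (watch installed updates, search via the WUA API) together with the suggestion above (one object per machine, exported as an HTML table), here is an added PowerShell example; it is not OP's script. It assumes the usual Windows Update Agent COM object and the two registry flags Windows sets when a restart is pending; the 30-day staleness threshold and the non-zero exit code for the monitoring tool are my own choices.

```powershell
# Added example (not OP's script): build one report object for this machine from
# the Windows Update history, the updates WUA still considers uninstalled, and the
# reboot-pending flags, then emit an HTML fragment a monitoring tool can mail.
# Run locally (monitoring agent or scheduled task) with administrator rights.

function Test-PendingReboot {
    # Two well-known flags: one set by component servicing (CBS), one by the
    # Windows Update client, each when an install is waiting for a restart.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return ($cbs -or $wua)
}

function Get-UpdateStatusReport {
    param(
        # Assumed threshold: flag the machine if nothing installed in this many days.
        [int]$MaxDaysSinceInstall = 30
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Successful installs from the WUA history
    # (Operation 1 = installation, ResultCode 2 = succeeded).
    $installs = @()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $installs = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 }
    }
    $lastInstall = ($installs | Sort-Object Date -Descending | Select-Object -First 1).Date

    # Updates the client knows about but has not installed yet. This is the
    # search OP mentions; it talks to WSUS or Microsoft depending on the client config.
    $pending = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates |
        ForEach-Object { $_.Title })

    $daysSince = if ($lastInstall) { [int]((Get-Date) - $lastInstall).TotalDays } else { $null }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        LastInstall      = $lastInstall
        DaysSinceInstall = $daysSince
        PendingCount     = $pending.Count
        PendingTitles    = ($pending -join '; ')
        RebootPending    = Test-PendingReboot
        # Stale = never installed anything, or nothing within the threshold.
        Stale            = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceInstall)
    }
}

$report = Get-UpdateStatusReport

# HTML fragment for the e-mail body instead of Write-Host output.
$report | ConvertTo-Html -As List -Fragment | Out-String

# Monitoring tools usually alert on a non-zero exit code (assumed convention).
if ($report.Stale -or $report.RebootPending) { exit 1 }
exit 0
```

Because the Search call goes to whatever update source the client is configured for, run it with the same WSUS/Internet settings the machines normally use, or the pending list will not match what Windows Update itself would offer.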

The script is executed by a monitoring software. Hence no runspaces.

Microsoft blocked disabling it in 1803.

Man, they've been bastards for such a long time.

Best holiday present ever!

i will give this a shot!

I REALLY hope this works, if so you are my company's hero! Windows 10 updates don't behave at all with GPO, just shoot a window about rebooting, we have tried everything including "No auto-restart with logged on users for scheduled automatic updates installations", and active hours which only stops "non-critical" updates

Thanks!

It should. This was the behavior we had before I rolled that out.
Let me know if it works.

I have an interesting problem of the MusNotification.exe registry key not being there at all in the first place... but my workstation now freezes up indefinitely whenever it automatically downloads and installs new Windows updates, and the only way to get out of it is by force rebooting.

This happens for a few other machines that have 1803 installed. I'm beginning to think that the absence of that exe is the reason why all those machines freeze up indefinitely when updates are being installed.

The key isn't there by default.
Also that's the first time I've heard of this.
Does it still happen if you delete the key?

Sorry, I should've clarified. I haven't run the script yet. Our current problem is that for the machines with 1803 installed, our GPO is not blocking the Windows updates consistently. We use PDQ Deploy to install new updates, and when I do run them on the machines, it freezes them and causes them to hang indefinitely until the machines are forced to reboot. I know that they will not unfreeze because I'll have deployed these installations at 7 PM, and the login Windows screen the next day will be frozen at something like 11:00 PM from the previous night.

Super frustrating, but we've since stopped any machine being updated to 1803.

If I had real gold, I'd give it to you. This is going to make my life worth living, again.

Real heroes don't wear capes. I feel dumb for not thinking of this myself. Thank you very VERY much.

That's great work!

I've added this to our free utility "Amphetamine" which prevents screen saver, sleep modes, and shutdown/restart, and allows some recovery actions when a shutdown/restart is prevented like starting services, programs, and emailing an admin.

Amphetamine: https://www.d7xtech.com/free-software/amphetamine/

That's great! Make sure to warn your users that this disables update related notifications though. Didn't see anything like that on the page you linked.

Edit: nevermind, just read the release notes.
Edit 2: Also merry thanks for linking back here!

Does this only work for win pro? We have about 10 machines but they came with win home edition. The auto restart is really inconvenient. Even with it scheduled I'd still love to delay it until I want the machine to restart.
Don't really have a fancy IT set up or anything. Just try to manage what I can.

Theoretically it should. Don't see why not.

I have limited knowledge with this stuff so I will see if I can set it up. Not having it restart while I'm rendering or something would be amazing.

I implemented this registry addition and started the 1803 patch upgrade on a test machine, using our RMM software (started the patching without allowing a reboot).

After the install finished, Windows rebooted automatically and applied the update.

I tested again with the registry key, but this time restarted the machine before starting the patch, after adding the key.

Install finished and the reboot still happened.

Not sure if I'm doing anything wrong or maybe the fix has been "fixed" by M$, but will keep trying.

Either build upgrades don't work with Musnotification or your RMM software might restart on its own. Don't know.

Why is blocking automatic restarts considered good? Schedule that shit and do it properly.

"Windows automatic restart" != "Scheduled restart"

You can only give it an 8 hour window to not restart itself.

Useless. Several workstations rebooted in front of me within that window anyway.

It's even worse than that.

I had my work laptop sitting all weekend with my locked session, I came in Monday, checked mail, went to the coffee machine... and returned to "installing updates".

All this with properly configured "working hours".

That makes sense if you locked your desktop. If you had logged off, then it would have been quite the opposite.

Now justify how a locked session is a no-go, but five minutes away from your screen means a forced reboot.

Also you completely missed "properly configured "working hours"".

Makes sense, only the MS Quality Control team has to work 8h a week. Oh wait.

It's 18 hours now.

[deleted]

Oh, I was talking about the desktop versions.

That would be nice if we could, but unfortunately windows 10 does not respect scheduling or active hours the moment a single update breaks, which is basically every other week.

Even with scheduled restarts, if MS deploys a zero-day patch like the IE fix that went out the first week of December, it'll reboot the system, no appeals or excuses. I had phone calls on this too.

I'm not saying good, I'm saying bearable.
This is not a good solution. It's just the best I've seen so far. I'm not a fan of blocking updates completely but it's often suggested in forums sadly. I thought why not throw this method into the mix.

Coupled with WSUS managing the updates and not Redmond, it makes it bearable.

Why isn't the best solution just to update the machine properly? You know how weird they are going to get now...

One does not exclude the other. I didn't have one machine fall behind on patches. As Windows schedules an update for installation the shutdown and restart options change to "apply updates and restart/shutdown". No worries. As I said, anyone, with or without this workaround, should monitor the proper installation of updates aside from just the status of the service and such.

Not all PC use cases are tolerant of automated reboots. I've never worked anywhere where I got a green light from management to update/reboot every machine automatically. Yes, I work for unreasonable idiots.

VDI images that run from a master image come to mind. When an update is released you test it, then update the master image and recompose the pool of desktops. Never should the pool desktops themselves patch individually.

If you are at that level. Not all companies have a full VDI deployment.

I was just giving a situation where it wouldn’t be ideal. Also there was a post around here not long ago about a railway control center’s display that had a pop up over the top of a rail line.

I would imagine they’d like some control over patching, too.

Yup. And not all managers understand this about VDI. I didn't implement it because my manager wanted to micromanage the snot out of it. Defeats the whole purpose, IMO.

https://www.techradar.com/how-to/windows-10-october-2018-update-problems-how-to-fix-them

How does it makes it bearable? I'd be worried if I was not confidently knowing my network's endpoints were being patched. Instead a control like this put in place means machines can and will remain unpatched for very, very long amounts of times.

It makes it bearable in the way that your end users are not constantly complaining about Windows 10 machines restarting "in the middle of xyz without any reason". As an administrator you have the tools to monitor that yourself and take proper action if a machine falls behind. No reason for microsofts policy to make it harder for you and/or your users.

Monitor the update log for successful update installations, take action if the right ones don't appear.

My machines don't restart in the middle of xyz because we make them do updates at night. Not a problem.

That's great for you, then you don't need this kind of workaround. Unfortunately my management does not want machines apart from servers running overnight.

I used to have a client like that, said it was to keep the leccy usage down, I just went ahead and did it anyway, wake the machine on LAN, let it do updates and then shutdown again.

They wouldn’t know otherwise, if they ask, blame it on a crash. Cosmic rays or some shit.

Electricity is almost ALWAYS cheaper at night. Tell your bosses you are technically SAVING the company money.

Oh that client is long gone now, hell I'm starting a completely new job in January. No longer in the MSP business, now moving to private IT but my old boss says I'll have a spot available if I need it.

I'm gonna miss them. ❤

WOL, update, then shutdown. How is that not acceptable?

If the update fails, then the user will have horrible performance when they run immediately after the next login, and possibly be prompted with a forced reboot splash if the issue is allowed to persist for a week.

Have you ever actually worked with windows 10 updates in an enterprise environment before? You're putting an awful lot of faith in the updates actually working, and your users not leaving vital work open too. Call me suspicious but I don't think you've actually done this in practice.

It’s too late now because you let the cat out of the bag, but you need to stop presenting other options that are the wrong ones. Get out of that habit.

Tell them they can reboot during the day during work, or at night away from work.

Computers can be set in the bios to power on at certain times. Power on at 2 am, policy sets an update window for 2-6 am. Updates do their thing, the computer shuts off, boom.

It's almost like different people have different business related requirements. If you've never had to work around idiocy, that's great, but you can't say this is "the wrong solution".

It sounds like he is aware of the drawbacks presented by the solution, but is managing it properly on the back end.

Going against managements wishes and just powering up overnight because you think you can do whatever you want is not a smart idea. It only takes one fuck up for you to get busted.

I did not wait for 6 months before sharing this without a reason. I wanted to be sure this is not worse than other solutions circulating out there. As i said, no matter what, you should definitely monitor windows update logs. It's atrocious how often Windows Update breaks in the wild.

I agree with you 100% and appreciate the share. This guy above is just a bit of a putz.

I work in EDU where there is a mass panic at even a thought of removing admin rights on every account.

Like I said, it's too late for him at this particular job because the cat's out of the bag, but he should still work on cultivating the skill of maneuvering management into the correct choices. Presenting the illusion of choice to higher ups is a critical IT skill.

I've never worked in a place where users weren't local admins on their individually provisioned PC's.. large or small, it has always been allowed. When I say large, I worked for General Electric. The base image made them local admins as part of the process.

Seems like a relatively minor thing to worry about if you have an imaging solution and proper security practices in place.

Seems like a relatively minor thing to worry about

Agreed...people get so hung up on this topic, but honestly, if a user has local (especially physical) access to a computer, then whether their account is a local admin or not is fairly inconsequential since 1.) the risk of local computer privilege escalation is one that should be assumed is ever-present (let's face it, it has traditionally always been easy) and 2.) most of our worries (ransomware/etc) remain valid whether an account is a local admin or not.

I mean, I'm not saying most users necessarily need local admin rights, but I certainly don't think it's high on the list of important things to worry about when it comes to overall security concerns.

And what happens when those updates fail to apply and then kick off again at the next login?

Or do you expect us to believe you've literally never had a single update fail? Because Windows 10's intended behavior is to retry a failed update without regard to scheduled or active hours.

Yah... Dude not everyone has 8 hour workloads.

For starters, if you're focusing on network security from the endpoints and not your access point you've already royally fucked up.

Buy a fucking firewall.

I run WSUS and schedule restarts and have GPOs all properly configured and still occasionally get users PCs that reboot at very upsetting times as they shouldn't have. Recently migrated the PDC to Windows Server 2016 and noticed new GPO options that I think are helping though.

Just wanna drop the info that you can just take the policies folder from any Windows machine and upload it to the central share for even 2008R2 DCs to be able to deploy Windows 10 GPOs.

I regularly download them from Microsoft directly and do this.

https://www.microsoft.com/en-us/download/details.aspx?id=57576

Do you not have any remote users ? I’ve had to go in on quite a few weekends where people couldn’t remote to their desktop because windows decided it was going to reboot on its own

I've got all the notifications enabled, and in the past two years I've seen exactly two of them - in all other instances my computer rebooted unexpectedly.

You can't expect me to check Windows Update every time I leave my computer for a few hours.

I've on multiple occasions told Windows to delay until after hours only to come back from lunch with a freshly restarted machine.

RIP all my open programs.

Uptime, baby!

[deleted]

I'm with you on that. Security updates are important. This is my take on providing a workaround that isn't "Disable Windows Update". I hope for MS to provide a smoother experience in the future, but until that happens we need to help ourselves. This is a workaround. It is intended to help people that have this issue and exhausted all other options like i have. This is not some "10 things you definitely need to apply to your windows installation" guide and i expect every sysadmin to weigh the pros and cons themselves.

Just out of curiosity, Windows restarting automatically is not the only thing you put your trust in to be up-to-date, right?

[deleted]

but in my experience if you let people not reboot for updates, it will never ever get done

Agreed - that's why I'm actually 100% okay, and even welcoming of, the changes in Windows 10....for home users. Particularly laptop users, because let's face it, that's almost always the problem child - users who don't even know what "reboot" means and have only ever hibernated/slept their laptop since they bought it 300+ days ago.

The problem is for business. Any sysadmin worth their salt should be monitoring for 1.) missing patches and 2.) pending reboot status (it's an easy to query regkey that patch management software can easily poll). MS is either intentionally (crippling Pro vs Enterprise) or unintentionally (changing the regkeys/gpos/etc needed to modify this behavior 20 times a month) making this nearly impossible for us.

As such, we need "non-standard" workarounds like the one OP posted, because MS can't make up their mind and we're all sick to death of trying "proper" fixes for this only to be fighting a constant battle with MS to take control again with our own systems.

[removed]

win10 loves to wake at night, do updates on battery, reboot, then stay awake until the battery dies

Seriously? Wow. I haven't run into that one, but I can't say I'm surprised.

It sounded like windows restarting on their own was the only thing making sure updates get applied in your case. Hence the question.

I'm on the side of deploying measures you yourself control in regards of monitoring update installation and uptime of machines.
They light up red if updates are not installed or if they are up for more than a few days.

[deleted]

Look at this guy, actually thinking GPO's are respected. Poor lil' fella.

I'll be honest here and say i've not looked into WSUS at all yet.
I know that it can display this sorta stuff, but i resorted to other ways. (See the PowerShell script in the post)

Only an infinitesimally small percentage of the patches that require reboots actually patch nasty stuff like Eternalblue that ransomware easily exploits. For that <1% of patched security holes, an "OMG YOU MUST REBOOT RIGHT. THIS. INSTANT!" is justifiable. For everything else, MS needs to give us far more freedom than they currently are.

I mean, I'd even be more understanding if they had a "You've left X/Y/Z for 1 week - no more delays allowed". But just a matter of hours? No.

NOTHING is justifiable when you have a Win10 machine driving a 3D printer on an extended print...

Webcam connected to the computer so it could be monitored remotely so I couldn't turn off network access. Even having my Wifi set to metered mode and the reboot happened.

There are use cases where reboots are COMPLETELY unacceptable. Point, period and end.

There is also now a Raspberry Pi driving the printer instead of Windows 10.

Some of the other responses in this thread and corresponding ratings on my comments are concerning...

Sorry you didn't run backups?

Sorry you didn't have a firewall that blocks rogue connections?

These are easily avoidable problems. Defender isn't the end all be all in anti-virus support. Are you like, 16? I feel like you must be to not actually understand life outside of the win10 bubble like that.

This.

People avoiding patching their shit in this sub is ridiculous. Sysadmins of all people should understand the importance of it.

I get it: if you’re disciplined and do it weekly, monthly, whatever: fine. How many of you realistically do that? Equifax happened because “Eh, get to it later.”

Especially for end-users... They won’t proactively restart, ever. People walk in all the time with issues solved because they haven’t rebooted in weeks. Scheduled restarts, or automatic ones, or nag screens: these are good things to get people do patch their stuff. Letting them sit in pending status for weeks at a time is no good security policy.

What you're talking about isn't what this is about. The tools provided to stop restarts while the machine is currently being used for something important sometimes don't work the way they're described, even with best-possible habits and systems in place to allow timely updates. When this happens the affected computer is rendered less useful than a broken brick, and it simply isn't acceptable. If you haven't had it happen to you yet, then good for you. But there's a difference between not wanting your computer to turn off in the middle of an important task and whatever it is you're describing.

People avoiding patching their shit in this sub is ridiculous

Bullshit. The whole idea behind forced updates is that it makes it easier for MS to patch stuff and fix things.

What we actually got? Nonexistent QA, shitton of bugs including personal files' deletion (failed october update), random restarts, etc. It's even worse than before.

There is absolutely no reason to keep windows 10 up-to-date. I'll let others do the beta testing and update maybe half a year.

“No reason to keep up to date”

  • guy who works at Equifax, probably.

Rest assured, all those "leaked" vulnerabilities had already been extensively used

But if regular updates give you the peace of mind that you're secure, go on

I will be trying this out, thank you!

Does this work for SCCM? Our company uses the damn thing and it undermines most of my registry work

SCCM has maintenance windows which covers your needs.

You're a sysadmin... Working with registry.. and you don't have access to SCCM?

And SCCM on Win10 ent should coordinate all this for you without needing registry hacks.

I'm but lowly desktop support with some system administrator dumped privileges

I was sitting here like...SCCM? Lol I guess they didn’t want to get that going in their org. Zero problems with reboots. :)

the problem is a lot of these folks either:

1.) don't know how to professionally manage a network

2.) don't get a budget for it

3.) don't work hard enough to request the proper resources and decide that "hackery" is fine because they can make it work

4.) get tasked with things that are above their level and don't have the necessary permissions or what have you to be able to accomplish them correctly.

some of these are good excuses, but 1,3 are probably not good ones.

Have you considered The Automation from ConnectWise? It has a full kit that improves on SCOM and gives you a ton of other features.

Not my call but I could sell it. Care to tell me more, friend?

It's pricey, but it can do all your administration and support needs through it. Built in scripting to make your own apps to run repetitive stuff or anything else you can code with it. Remote control, install/uninstall software, reboot systems, both off and on domain, run census/inventory, you name it. It's basically a swiss army knife of system management suites. Very complex and comes with a magnum of coursework to go through and CE classes too.

If you already have Connectwise, then it should be fairly straightforward, since CW is already confusing enough as it is...

the last set of updates has moved me away from microsoft. i used reboot restore on my kiosk machine. it was in a constant loop: download update files and reboot, reset the disk image and repeat. it probably rebooted itself a couple hundred times before i just pulled the power cord and moved to linux and mac

moving to linux

Yeah, I've really started to consider where I can integrate linux more lately as well (obviously not everywhere, but...). I'm fine with Win10 for home users, but MS is going too far (candy crush, constantly trying to thwart sysadmins managing rebooting/patching, etc) in the business sector.

Win10 for home users is ok up until windows decides to download a 6gig patch. My high speed 20meg internet from century link is really only 12meg down, 1.5meg up, so it really cripples everyone else on the network. century link won't just charge me for 12meg, they only offer a 4meg down plan or 20meg down plan and it's my fault for being so far away from them I only get 12, not their problem apparently.

And what are the stats on how many of your clients are behind on patching because users never log out or restart?

You know, if you disable auto-restarts, you can also schedule restart by yourself?

It's an astonishing number of 'sysadmins' who whine about disabling auto-restarts but completely rely on the OS to restart for updates. It is a matter of 15 minutes to write a GPO with a script to check

    # Pending-reboot flag the Windows Update agent sets after installing updates
    $restartNeeded = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Time since the last boot, taken from the OS
    $uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $hour = (Get-Date).Hour
    if ($restartNeeded) {
        if ($uptime -gt (New-TimeSpan -Days 7)) {
            # Restart window 00:00-05:00, with a 30 minute warning for anyone still logged on
            if ($hour -ge 0 -and $hour -lt 5) {
                shutdown -r -f -t 1800 -c "forced restart for updates to install"
            }
        }
    }

Clients that would otherwise be gone because they need 24/7 running machines for arbitrary reasons get appointed regular maintenance windows where a tech restarts everything and makes sure machines are updating correctly.

People that hate random restarts but shut down overnight aren't affected.

[deleted]

Currently workstations only. The servers are behaving.

Good for you - mine aren't :)

Did you write that script a long time ago? Get-Hotfix gets the info you need.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-hotfix?view=powershell-5.1

I played around with Win32_QuickFixEngineering. Sadly it does not fetch all updates, and since the introduction of cumulative updates it completely lacks data in most cases.

This script is intentionally written to use the same data that the actual Windows Update history in settings/wuapp uses. It's also fully backwards compatible to PowerShell 2.0 (2008R2)

here since i hate having no evidence at hand. Left is everything the script fetches, right is the WMI query.

Ok, yeah looks like your queries are definitely grabbing quite a lot more updates, mostly Windows Defender, but even excluding those there are a few more.

PS> $updateHistory | Sort-Object Date | Where-Object Title -notmatch "Defender" | FT Date, Title

Date                  Title
----                  -----
12/6/2018 9:46:26 AM  Feature update to Windows 10, version 1809
12/6/2018 6:21:16 PM  2018-11 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4467708)
12/6/2018 6:21:26 PM  Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4462930)
12/6/2018 6:21:28 PM  2018-12 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems (KB4471331)
12/6/2018 6:22:48 PM  2018-11 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4467708)
12/11/2018 6:21:13 PM 2018-12 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4471332)
12/11/2018 6:24:27 PM Windows Malicious Software Removal Tool x64 - December 2018 (KB890830)
12/11/2018 6:24:50 PM 2018-12 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10 Version 1809 for x64 (KB4470502)
12/11/2018 6:26:54 PM 2018-12 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4471332)
12/13/2018 2:05:55 PM 9N4D0MSMP0PT-Microsoft.VP9VideoExtensions
12/13/2018 2:06:08 PM 9N4WGH0Z6VHQ-Microsoft.HEVCVideoExtension
12/20/2018 2:20:42 PM 2018-12 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4483235)

vs

PS> Get-Hotfix | Sort-Object InstalledOn |FT InstalledOn, HotfixID, Description

InstalledOn            HotfixID  Description
-----------            --------  -----------
12/6/2018 12:00:00 AM  KB4465664 Security Update
12/6/2018 12:00:00 AM  KB4471331 Security Update
12/6/2018 12:00:00 AM  KB4462930 Update
12/6/2018 12:00:00 AM  KB4465477 Security Update
12/11/2018 12:00:00 AM KB4470788 Security Update
12/12/2018 12:00:00 AM KB4470502 Update
12/22/2018 12:00:00 AM KB4483235 Security Update

Yeah the script actually goes the whitelist route and only looks for known Windows Update agent strings. Took a while to get it working on all editions down to 2008R2. But that ensures you don't get stuff like UWP updates that also use that log.
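The comparison above, as an added example that is not the OP's script: it reads the Windows Update history through the same Windows Update Agent COM interface that the Settings history page uses, puts the result beside Get-HotFix (Win32_QuickFixEngineering), and raises a warning on failed installations so a monitoring job has something to act on. It assumes a Windows host with the Windows Update Agent and PowerShell 3.0 or later (unlike the OP's script, it is not 2.0 compatible); the 30-day window is an arbitrary choice.

```powershell
# Added example (not the OP's script): Windows Update history via the WUA COM API,
# compared against Get-HotFix. Assumes Windows with the Windows Update Agent, PS 3.0+.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

# WUA enum values: Operation 1 = installation; ResultCode 2 = succeeded, 3 = succeeded
# with errors, 4 = failed, 5 = aborted
$history = $searcher.QueryHistory(0, $count) |
    Where-Object { $_.Operation -eq 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Date   = $_.Date
            Title  = $_.Title
            KB     = if ($_.Title -match 'KB\d+') { $Matches[0] } else { $null }
            Result = switch ($_.ResultCode) {
                2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' }
                default { 'Unknown' }
            }
        }
    }

# Updates the WUA history knows about that Win32_QuickFixEngineering does not report
$hotfixKBs = (Get-HotFix).HotFixID
$history |
    Where-Object { $_.KB -and -not ($hotfixKBs -contains $_.KB) } |
    Sort-Object Date |
    Format-Table Date, KB, Result, Title -AutoSize

# Alert condition: a failed installation in the last 30 days (window is arbitrary)
$failed = @($history | Where-Object { $_.Result -eq 'Failed' -and $_.Date -gt (Get-Date).AddDays(-30) })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) failed update installation(s) in the last 30 days"
    $failed | Format-Table Date, KB, Title -AutoSize
}
```

Entries without a KB number in the title (feature updates, Store/UWP packages such as the video extensions in the listing above) are left out of the comparison because Get-HotFix has no identifier to match them on; they still appear in `$history` if you want to report on them separately.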

What does this blob do?

Haven't run windows in a long time, but if this is useful, I'll send it to the windows admins at work. Those guys are really into windows for some reason.

It's all in the description. It blocks restarts and all notifications as a side effect. Be sure to monitor that updates are getting properly installed.

Okay, I was able to read the description, but I don't think I quite get the problem. This blocks notifications and reboots? Why do you need to do this?

Serious question. If MSFT wants you to reboot, isn't that what you should do? There is that crazily large registry that needs to get modified continuously with reboots. That used to be one of the big reasons that multiple reboots were part of many software installs.

We are all happy to reboot, but we want to be able to reboot when it is convenient for us/users, not at completely random time

Huh. Completely random times is irritating.

Might have to do this one. Already shut Cortana and Windows Defender down, maybe take a stab at Windows Update.

Do you run SCCM in your environment for managing windows updates?

I am actually using GPO setting on my Enterprise W10 and it works fine :)

Can someone explain how to implement this? I understand its a folder within Regedit but is there supposed to be a key within it?

Save it as a text file with a .reg extension. Then execute it.

Thank you!

You can also push registry changes via group policy.
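One check worth having beside the deployment, as an added example (not the OP's .reg file or anything from the post): a read-only audit that confirms the MusNotification.exe entry is present and lists every other Image File Execution Options subkey carrying a Debugger value, since the same mechanism has been used for persistence and a fleet-wide inventory should show exactly one expected entry. It assumes a Windows host and that the MusNotification.exe key is the only IFEO Debugger you deployed on purpose.

```powershell
# Added example (not from the post): audit IFEO Debugger values. Read-only.
# Assumes Windows and that MusNotification.exe is the only intended entry.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$expected = 'MusNotification.exe'

# Collect every direct subkey that has a Debugger value set
$entries = @(Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
    }
})

$entries | Format-Table -AutoSize

# The workaround itself: warn if it is missing (the machine will nag and reboot again)
if (-not ($entries | Where-Object { $_.Image -ieq $expected })) {
    Write-Warning "$expected has no IFEO Debugger value; the workaround is not applied here"
}

# Anything else redirecting an executable to a "debugger" deserves a look
$unexpected = @($entries | Where-Object { $_.Image -ine $expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected IFEO Debugger entries: $($unexpected.Image -join ', ')"
}
```

Rolling the workaround back is the reverse of applying it: removing the Debugger value under the MusNotification.exe subkey (Remove-ItemProperty on that path) returns the executable to the normal launch path on the next trigger of the UpdateOrchestrator task, which is also how you confirm the audit reacts before trusting it at scale.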

Anyone else have the opposite problem? I have some Win10 PCs that refuse to automatically install updates even after the WSUS deadline passes. I have even more that install the updates but never force the restart. I have 0 issues with this on Win7

Copied

Thanks man. Will Test it out.

Op, I’m almost positive that your os will break after a while if you don’t reboot periodically. I had a win10 Pro pc setup that kept a VPN connection alive and I removed the scheduled task that win updates would run that triggered the reboot.

It worked and reboots no longer happened but eventually the OS stripped my local admin rights away, disabled the windows update service and I had to jump through some backdoor hoops to re enable the updates and get the OS patched to the point that the OS gave me admin permissions back.

Lesson learned. I upgraded to 8.1 and never had any issues again and also regained total control over updates and reboots.

This is great. What I found that actually solved it for me was to take the windows computers completely offline. Cut off all access to the internet, except for the whitelisted hosts/sites that are required. This might not work for regular workstations, but if Microsoft Wiretap services can't check for updates, then the machine runs much better. Without sending the telemetry to microsoft and friends I find the CPU usage is much lower and the system as a whole performs great with lower latency too.

I have been doing this for about 2 years now. I use different versions of Linux as my host OS then I have a windows 10 VM with all my "windows only software". I only let it see the internet for updates. By using shared folders I can get whatever work I need done. Without a network connection windows 10 is freakishly quick. My VM on a normal SSD is probably two to three times as fast as my NVMe win 10 laptop opening and using apps.

Am I really the only person in the world not bothered by MS Updates? I install them as soon as I seem them and reboot whenever I like.

If it works for you that's good. Problem really only gets apparent once you have to manage multiple people that just want to work.

I've had 24+ plus jobs run -- jobs that cannot be paused and resumed. Forced updates have cost me an entire day's worth of production and nearly $35 in materials.

My goodness. This is what I’ve been needing. Thank you!!!

Big if true;

OP = hero

Chiming in on this thread to say be wary of the cumulative update for this month. I've had nonstop gpu crashing and system lockups since installing it.

I went ahead and rolled it back and have had a much better experience.

Hopefully you can take some constructive criticism, but misspelling period and suppress doesn't inspire much confidence in using your registry key. Not because you made a mistake, but because you don't seem to check your work.

I'm not a native speaker, so corrections are always appreciated. Also i never thought about writing suppress with a double p. Thanks for telling me.

[deleted]

It's been 17 hours now.
Just in case the bot is still on hiatus

exclamation mark first.

Or just install the updates in a scheduled timeframe like normal sysadmins and not use crap like this.

Or you could run enterprise

Does this still work? What are we supposed to do, create a new registry key?

I actually recently have been informed that the newest Win11 build has no Musnotification.exe anymore.
However internally we’ve switched to using GPO to postpone restarts by 30 days as that actually works properly now