Intune - Windows Updates Reboot Grace Perion Question

Question

Intune - Windows Updates Reboot Grace Perion Question

David Moon 606

Hi All
Trying to understand how the grace period works in Intune, when a users machine has been offline for lengthy period.
Lets say the the Intune Update Rings are setup like this. Will just show the relevant ones.

Quality update deferral period (days) - 2
Automatic update behavior - Auto install at maintenance time
Active hours start - 8am
Active hours end - 4pm
Change notification update level - Use the default Windows Update notifications
Use deadline settings - Allow
Deadline for quality updates - 2
Grace period - 2

So lets say this was for November 2022 updates.
The user has been offline since start of November, and has come back online, say 1st December 2022.
So the Deferral period has passed. So the patch in theory should show up fairly quick.
Now, based on the deadline, the patch will not force install until 3rd December correct?
So 3rd December has arrived and patch has now force installed. It now shows a toast pop up to say reboot is required by 5th December (due to 2 day grace) or snooze, reboot tonight, etc.

Question here. When it says reboot is required by 5th December. What exact time is it referring to? Is it 00:00 5th December? So if device is left on, all the time, does it provide a warning pop up like 15min before the forced reboot?

Anyway, lets say user ignores and dismisses the notification.
Then it will try to reboot the PC automatically outside of the Active Hours correct?
Lets say user starts the device 9am and puts the device to sleep at 3pm, not allowing the auto reboot to happen.
Same behaviour for 2 days. So 2 day grace period has passed.

So on 5th December, when exactly will the PC get force rebooted? I assume as grace has passed, it will now ignore the active hours.

Thanks
Dave

Accepted answer

1 additional answer

Your answer

Answer 1

Crystal-MSFT 53,991 Microsoft External Staff

@David Moon , Thanks for posting in Q&A.

Based on my understanding, when the device come online on Dec 1st, the update download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. So if the device is online after active hours on Dec 1st. and is not in use It will install the update at that time. Then it will come to restart pending. When restart is required, users are prompted to restart. If the user don't restart, when the pending restart time 2 days is reached, the device will try to restart. The time can be on Dec 3th .(The grace period countdown starts from the time of the pending restart.)

If the device is offline after active hour on Dec 1st or the device is in use, the device will automatically install after 2 days, on Dec 3th. Because the deadline of quality updates, countdown starts from the time the update is offered (not downloaded or installed). After the installation, the device will go into pending restart, and will be forced to restart after 2 days.

Meanwhile, there's another setting "Auto reboot before deadline", if it is set Yes, then the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. If it is set No, devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart.

Here are some articles for the reference:
https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings
https://learn.microsoft.com/en-us/windows/deployment/update/wufb-compliancedeadlines
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

David Moon 606 Reputation points

2022-12-13T11:21:43.87+00:00

@Crystal-MSFT
Hi, Yes you are right.
The install of the updates will happen on Dec 1st.
It does appear that, if the machine comes online on Dec 1st, it has already factored in the "Deferral" & "Deadline" period having being passed, and does install the updated.

So now to the Grace Period.
So there is no way to find out exactly when the reboot will be forced at this stage (on Dec 1st, after patch is installed and pending reboot?)
I am in middle of a testing right now. I had a device pending reboot from yesterday, and Windows Update said it needed to be rebooted by 13/12/2022 (which is today as of type). I put the machine to sleep. Woke it up today, and WU message this morning said, will be reboot in 5 hours. So i left it on all morning. In the arvo, still nothing. 5 hours have passed. Checked WU again, and this time the message now says the machine will reboot 11:54PM. I am going to put it to sleep again, and see what happens tomorrow morning.
Thanks
Dave
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2022-12-14T05:04:34.407+00:00

@David Moon , Thanks for the update. After researching, I find it seems the RebootRequired value will be created at
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

But the time is not seen. After checking again, I notice there's a setting "Restart checks". When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. Maybe it related. I notice the reboot will be at 11:54PM at the message now. And you will wait. If there's any update, feel free to let us know.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2022-12-19T05:19:02.813+00:00

@David Moon , Hope things are going well. If there's any update, feel free to let us know.
David Moon 606 Reputation points

2022-12-20T23:40:48.227+00:00

Thanks for your responses @Crystal-MSFT .

As for my test when i put my device into sleep, before 11:54PM.
Next morning when i checked, it was patched.
I was sure i put it to sleep.... the logs suggest it rebooted around midnight. Maybe something woke the machine up... don't know. Anyway, thanks for your responses on this.

Cheers, Dave.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2022-12-21T01:17:29.617+00:00

@David Moon , Thanks for the update. I am glad it is patched and rebooted. I think it maybe that we set the Restart checks. At this time the reboot time is during maintenance windows. So it is forced. If there's anything else we can help in the future, feel free to post in our Q&A to discuss together.

Thanks for your time and have a nice day!

Answer 2

Not to beat a dead horse but, I'm encountering a similar problem where a user has had their computer off for a period longer than the deadline.

This triggered the update immediately upon turning the computer, however, the grace period is appearing to apply after the update is installed rather than when the update was made available, causing an additional day's delay for the update already well behind the deadline, not much of a question just thought I'd post up my findings since your post help me discover some of this.

TLDR: it appears that grace period only applies when the update is installed on the machine not on release of the patch or expiry of the deadline.

Cheers

Share via

Intune - Windows Updates Reboot Grace Perion Question

1 additional answer

Your answer