Windows Update on Windows 8/8.1/2012/2012R2 has some confusing behavior.
I’m assuming you’ve installed the 2013 patch 2885694 to get more control over the updates. You’ll probably want to read the WSUS blog article about that patch. But still you may be wondering how updates work without and with group policy.
This is the Group Policy Object (GPO) we’re concerned with (see TechNet):
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates
Settings for this policy are stored in the registry (TechNet):
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Windows 8.1 Default (No Group Policy)
If the above GPO is not configured:
The above registry key does not exist.
Windows Update on Windows 8.1 looks like this:
Note that the “Install updates” drop-down is enabled—the user can change it.
By default, updates are installed during the maintenance window (more on that below).
Group Policy Defined, Auto Maintenance NOT checked
If you set “4 – Auto download”, Install during automatic maintenance is not checked by default:
The registry of a Windows 8.1 client looks like this:
And Windows Update looks like this:
From the administrator’s perspective, updates are now scheduled like they were under Window 7 (although the restart functionality is different—see the TechNet articles cited above).
From the user’s perspective, updates are installed automatically—note that the drop-down is disabled and cannot be changed by the user. Unlike Windows 7, the user cannot see when the updates will be installed.
Group Policy Defined, Auto Maintenance checked
If you set 4 – Auto download and check Install during automatic maintenance:
The registry of a Windows 8.1 client looks like this:
Note the new AutomaticMaintenanceEnabled value.
And Windows Update looks like this:
So this is more like the default without the GPO, updating during the Window 8 maintenance window, except now the user cannot turn off automatic updates.
The Maintenance Window without Group Policy
In the first and third scenarios above, Windows updates happen during the Windows “maintenance window.” By default, the Windows maintenance window can be changed by the user:
That policy is executed by this scheduled task:
Microsoft > Windows > TaskScheduler > Regular Maintenance
Although not mentioned in the UI, the default is to set up the task with a random delay of 4 hours.
The Maintenance Window with Group Policy
The group policies for adjusting the maintenance window are here (TechNet):
Computer Configuration > Policies > Administrative Templates > Windows Components > Maintenance Scheduler
If you set “Automatic Maintenance activation boundary” to “2000-01-01T06:00:00” (6am) for example:
On the client computer, this value is stored in the registry here:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance
The registry is set as follows:
The user is no longer able to adjust the schedule from the UI:
Note that the scheduled task is automatically updated (after logoff/logon).
There is also a GPO for changing the random delay, but since we did not define that, the delay remains as 4 hours.