Windows Update for Business --- Installs happening during Active Hours

Good Afternoon All,

I am new to IT so learning the ropes, any help with this would be appreciated. Our org uses Windows Update for Business and we have Active Hours set. However, one user had a driver update for audio come down and install while they were on a meeting during active hours. I noticied that any update that does not require a reboot will do this. However, any update that does require a reboot will wait till outside of active hours. I thought it might be Automatic Maintenance time so I set that to 11:00 p.m. however, I still have not luck.

Any thoughts at all or advice? Windows 11 Enterprise, Microsoft 365 E5 license. Using Intune for MDM.

I only use WSUS and Active directory, the fancy guys above me use intune and other things to manage stuff at levels higher than me.

However, here is my limited insight:

Are you sure you have your update rings configured correctly? I would double check the machines you have in each ring and make sure something wasn't accidently moved by someone else.



Then for your update settings for the rings:


Then I would set that ring of Laptop users to the Auto install at maintenance time setting.

Auto install at maintenance time - Updates download automatically and then install during Automatic Maintenance when the device isn't in use or running on battery power. When restart is required, users are prompted to restart for up to seven days, and then restart is forced.

Click to expand...

So with this setting, an update would install if a restart was not needed. But it should respect the device isn't in use flag.......Perhaps if they were in a video meeting and not touching their laptop, it was enough time for it to think it was not in use and updated anyway.....

For important people you could set the Restart checks (EDU Restart) policy and use the skip:
Skip - Will restrict updates to download and install outside of Active Hours. Updates will be allowed to start even if there is a signed-in user or the device is on battery power, providing there is more than 70% battery capacity. Windows will schedule the device to wake from sleep 1 hour after the Active Hours End time with a 60-minute random delay. Devices will reboot immediately after the updates are installed. If there are still pending updates, the device will continue to retry every hour for 4 hours.

Gotcha. I will double check the device. These are the current settings we are using including the "Auto install at maintenance time". Thats why I thought it was "Security and Maintenance -> Automatic Maintenance" but when I set it to 11:00 p.m. with a 4-hour random delay. It still shows installing.

Update ring settings​

Update settings
Microsoft product updates: Allow
Windows drivers: Allow
Quality update deferral period (days): 0
Feature update deferral period (days): 0
Upgrade Windows 10 devices to Latest Windows 11 release: No
Set feature update uninstall period (2 - 60 days): 2
Servicing channel: General Availability channel

User experience settings
Automatic update behavior: Auto install at maintenance time
Active hours start: 5 AM
Active hours end: 8 PM
Option to pause Windows updates: Enable
Option to check for Windows updates: Enable
Change notification update level: Use the default Windows Update notifications
Deadline for feature updates: 1
Deadline for quality updates: 1
Grace period: 1
Auto reboot before deadline: No

I am at a loss honestly. I don't see anything wrong with your settings. Hopefully someone with more experience can chime in.

If you end up finding an answer I would love to know.

Thank you kindly @andrew129260, appreciate you taking a look and the ideas.

This part of the EDU function would not work in our environment. As we need to allow our users a few days in case they have stuff open or are working (We are 24/7, in the medical industry) on something. Then we enforce the reboot.
Line in question "Devices will reboot immediately after the updates are installed." I am testing it on a single device though to see if there is an GPO or CSP way to delay the reboot.

With regards to this line "I would double check the machines you have in each ring and make sure something wasn't accidently moved by someone else.". Everything is standard that I can see. Nothing has been moved and all policies are showing successfully.