Configuring Windows 10 Devices to Wake and Update Outside of Class Time

Problem

Today, many productivity hours are lost because software updates install during class time, which frustrates users. Customers that use traditional management solutions such as System Center Configuration Manager (SCCM) or other 3rd party tools don’t have an easy way of updating these devices outside of class time. Solutions such as Wake on LAN have been around for years, but with the move to wireless devices, Wake on LAN is no longer viable. SCCM supports wake timers, but only for desktop devices.

Solution

In Windows 10, there are two solutions to this problem:

  1. Shared PC CSP
  2. Automatic Maintenance

Shared PC CSP is a Configuration Service Provider MDM policy that was introduced in Windows 10 1607. Shared PC does many things to improve shared device management such as cleaning up old user profiles, improving logon performance, and more.

Automatic Maintenance is a Windows feature, introduced in Windows 8, that lets scheduled tasks wake a device during a specified period.

In education environments with shared devices, it’s recommended to use Shared PC, as that is the easiest method to enable devices to wake during the automatic maintenance period. However, Shared PC does enable several additional policies that you may not want on your devices.

For more information about Shared PC, see how to set up a shared or guest PC. It’s important to understand the local policies that are being set on the device to understand if setting Shared PC is acceptable within your environment. For example, Shared PC will prevent usage of OneDrive for file storage.

IMPORTANT: To wake a device using the methods described in this article, the devices must be non-connected standby devices (devices that support the S3 sleep state). Connected Standby devices (such as Surface) will not wake via the RTCWake timer. This is something we’re actively investigating.

Configuring Shared PC via Windows Configuration Designer (WCD) for new devices

Windows Configuration Designer (WCD) is used to create provisioning packages. It can be installed from the Windows Store by searching for Windows Configuration Designer. Once installed, you can create a desktop provisioning package from the list of package types on the left. During the initial wizard, one of the options will be to Configure Devices for Shared Use.

If you continue through this wizard, you can enter a device name and product key, specify Wi-Fi settings, choose whether to join AD or Azure AD, etc. Once you’ve completed that, the package is ready for use on new or existing devices. You can then put the .ppkg file on a USB stick and insert it during OOBE of a newly unboxed Windows 10 1703+ device, and the settings in the package will be applied to that device. You can also run it by double-clicking it, using PowerShell, etc. However, keep in mind that if you do fill out the entire wizard, you would be renaming the device.

Configuring Shared PC via Windows Configuration Designer (WCD) for Existing Devices

For existing devices, you don’t need to go through all the steps in the wizard. If you have an existing 1703+ device, you can apply the ppkg to just set Shared PC.

Open Windows Configuration Designer and select Advanced Provisioning.

By looking in the advanced editor, we’ll see the different options we can configure for Shared PC (amongst a ton of other settings). We’ll need to enable the following settings to be able to wake the device:

  • EnableSharedPCMode = True
  • MaintenanceStartTime = 0 (this will wake the device between 12-2AM. There is a 2-hour randomization start time that is applied to the value you specify here. Valid values are 0-23. If you specify 13, the device will wake between 1PM-3PM or 13-15.)
  • RestrictLocalStorage = False (if set to either NOT CONFIGURED or TRUE, RestrictLocalStorage will prevent a user, even an admin, from being able to use File Explorer to access the file system. You can still access it via cmd or PowerShell. I’d suggest setting this to False for initial testing. If set to True, all users on the device will only have access to their c:\users\profile\downloads folder in File Explorer)
  • SetEDUPolicies = True (for more info, see configure windows for education)
  • SetPowerPolicies = True (Prevents users from changing power settings; Turns off hibernate; Overrides all power state transitions to sleep (e.g. lid close))
  • SleepTimeout = 3600 (device will fall asleep after 1 hour – the default value the PPKG will set is 300 seconds (5 min) which is likely to be an issue)

Note that the above settings will NOT create the scheduled task necessary to wake the device.

To create the scheduled task to wake the device, we have two options:

  1. Enable account maintenance
  2. Enable SetEDURestart Windows Update policy

Enabling Account Maintenance

To enable account maintenance, we need to set the following policies:

  • AccountModel = Domain-joined (can also select domain-joined and guest if you wish to enable guest access. Guest access will create a button on the logon screen to allow for guest accounts to use the device. The guest account is a temporary local account that will be deleted on logoff. This can be useful for younger grade levels or those that have issues typing)
  • DeletionPolicy = Delete at disk space threshold and inactive threshold (this will enable the ability of Shared PC to delete profiles when disk space falls below 25% free and will delete the oldest profiles first until 50% free. It will also delete profiles when they are older than the inactive threshold which is 30 days by default.)
  • DiskLevelCaching = 50 (this is the amount of free disk space in percent that we wish the device to have after deleting profiles)
  • DiskLevelDeletion = 25 (this is the free disk space threshold, in percent, below which the device starts deleting profiles, oldest first)
  • EnableAccountManager = True (enables the ability for account maintenance to run)
  • InactiveThreshold = 30 (the number of days a profile has been inactive before it will be deleted. In 1:1 scenarios where students may come back to the device after a long break (summer or winter) you may wish to increase this value to 90 or 180 days to prevent a student’s profile from being deleted)

Once these settings have been applied, a scheduled task is enabled in Task Scheduler under Microsoft\Windows\Shared PC\Account Cleanup.

This scheduled task will be responsible for waking the device.

Enable SetEDURestart Windows Update policy

Some customers may opt not to enable account maintenance in Shared PC. They may have their own solutions, or they may be in a 1:1 situation where it’s not necessary, but they still want some of the other benefits Shared PC offers.

Earlier I mentioned a Windows Update policy called SetEDURestart (in Group Policy this is referenced as Update Power Policy for Cart Restarts). This policy was introduced in Windows 10 1703 and skips the battery level check so that the reboot happens at the ScheduledInstallTime for updates (by default this value is 3 AM). The policy is a bit misleading, because it also creates a scheduled task under UpdateOrchestrator\Combined Scan Download Install. This scheduled task is not created unless the SetEDURestart MDM policy or the Update Power Policy for Cart Restarts local/group policy is enabled.

So, what does all this mean?

Ultimately, all we need is a scheduled task to wake the device up. If using Shared PC via WCD, it will do account maintenance via a scheduled task called Account Cleanup under the SharedPC folder in Task Scheduler. If you also want to bypass power checks, you can do that too by setting SetEDURestart to 1 in Policies\Update\SetEDURestart in WCD. Having either of these set will create a scheduled task that will wake the device. Shared PC will also set the RTCWake value for the balanced power scheme to 1.

NOTE: If you’re using Windows Update or WSUS (i.e. not using SCCM or a 3rd party tool), you may also want to set the AllowAutoUpdate policy to Auto-install and restart without end-user control (this sets AllowAutoUpdate to 4). This will help ensure that the updates install and reboot. If you are using SCCM or a 3rd party tool, you can ignore this setting.

Once you have your provisioning package set up the way you want, you can click the Export drop-down at the top and then apply it via USB at OOBE, or you can deploy it with PowerShell via SCCM, GP, or whatever management tool you use.

As of Windows 10 1703, provisioning packages can be applied silently without being signed using the following command.

Install-ProvisioningPackage -PackagePath C:\Foo\bar.ppkg -QuietInstall -ForceInstall
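
Because the package does not have to be signed for a silent install, the deployment script is the place to confirm it is the package you exported. The following is an added example, not part of the original post: it pins the package to a SHA-256 hash before running the same command. The function name, staging location, share path and hash value are assumptions.

```powershell
# Added example (not from the original post). The function name and staging
# path are hypothetical; the Install-ProvisioningPackage call is the article's.
function Install-PinnedProvisioningPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{64}$')][string]$ExpectedSha256
    )

    # Stage a local copy so the bytes that are hashed are the bytes that get installed,
    # even if the source share changes in between.
    $staged = Join-Path $env:SystemRoot ("Temp\{0}.ppkg" -f [guid]::NewGuid())
    Copy-Item -LiteralPath $PackagePath -Destination $staged -ErrorAction Stop
    try {
        $actual = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {      # string -ne is case-insensitive
            throw "Hash mismatch for $PackagePath (got $actual); package not applied."
        }
        Install-ProvisioningPackage -PackagePath $staged -QuietInstall -ForceInstall
    }
    finally {
        # Remove the staged copy whether or not the install ran.
        Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
    }
}

# Constructed usage: the share path and hash below are placeholders.
# Install-PinnedProvisioningPackage -PackagePath '\\server\share\SharedPC.ppkg' `
#     -ExpectedSha256 '<64-hex-digit SHA-256 recorded when the package was exported>'
```

Record the hash with Get-FileHash at export time and distribute it through a channel separate from the package itself.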

How to enable in Intune for Education

Intune for Education makes this super easy to configure. Just go to the groups node and for the group you want to configure, select Settings and expand Device sharing settings and select Optimize devices for shared use.

Note that this doesn’t give you the same granular settings that you had in WCD. If you want to granularly apply these settings, you would have to do them via custom OMA-URI settings in the full Intune portal. How to configure these settings is outside the scope of this post.

How to enable in Group Policy

For those environments that do not wish to enable Shared PC, Automatic Maintenance can be configured via group policy to wake devices. To do this, the following items will need to be configured:

  1. Configure Automatic Maintenance Activation Boundary
  2. Configure Automatic Maintenance WakeUp Policy
  3. Optional: Configure Automatic Maintenance Random Delay (Recommended)
  4. Configure Update Power Policy for Cart Restarts (Windows 10 1703 GPO)
  5. Set RTCWake Timer on power scheme (Powershell)

In Group Policy, create a new Group Policy object and configure the following settings:

  1. Navigate to Computer Configuration – Administrative Templates – Windows Components – Maintenance Scheduler
  2. Enable Configure Automatic Maintenance Activation Boundary, set it using the following format: 2000-01-01T13:00:00, and click OK. In this example, the activation boundary is set to 1PM using a 24-hour clock.
  3. Enable Automatic Maintenance WakeUp Policy and click OK.
  4. Enable Automatic Maintenance Random Delay and set it using the following format: PT1H. In this example, the delay would be 1 hour. You can change this by modifying the 1 to a 2 for 2 hours, etc. It is recommended to set this so devices aren’t all waking at the exact same time.
  5. Navigate to Computer Configuration – Administrative Templates – Windows Components – Update Power Policy for Cart Restarts and Enable the policy
  6. Enable the RTCWake timer on your devices

    To enable RTCWake, use Powercfg.exe:

    Powercfg /SETACVALUEINDEX SCHEME_BALANCED SUB_SLEEP RTCWAKE 1

    And

    Powercfg /SETDCVALUEINDEX SCHEME_BALANCED SUB_SLEEP RTCWAKE 1

    The above commands enable RTCWake for both plugged in and battery states. They only apply to the balanced power scheme. If your devices are using different power schemes, you could use the PowerShell script below to apply the setting to all power schemes.


    # Lines of "powercfg /LIST" output that contain a power scheme GUID
    $PowerSchemes = (powercfg.exe /LIST) | Select-String "power scheme guid" -List
    # GUID of the "Allow wake timers" setting, taken from the "powercfg /q" output
    $AllowWakeTimersGUID = ((powercfg.exe /q) | Select-String "(Allow wake timers)").tostring().split(" ") | where {($_.length -eq 36) -and ([guid]$_)}

    foreach ($PowerScheme in $PowerSchemes) {
        # Extract the 36-character GUID token from the matched line
        $PowerSchemeGUID = $PowerScheme.tostring().split(" ") | where {($_.length -eq 36) -and ([guid]$_)}
        # Enable wake timers on battery (DC) and plugged in (AC) for this scheme
        foreach ($Argument in ("/SETDCVALUEINDEX $PowerSchemeGUID SUB_SLEEP $AllowWakeTimersGUID 1","/SETACVALUEINDEX $PowerSchemeGUID SUB_SLEEP $AllowWakeTimersGUID 1")) {
            Start-Process powercfg.exe -ArgumentList $Argument -Wait -Verb runas -WindowStyle Hidden
        }
    }

  7. You can apply either the direct powercfg commands above or the script in a variety of ways: through Group Policy as a startup or shutdown script, through a Group Policy preference using a scheduled task, or through SCCM or whatever management tool you are using.

To validate that this is working, open an admin command prompt or PowerShell prompt and type in powercfg /waketimers.
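
The prerequisites themselves can also be checked by script across many devices. The following read-only audit is an added example, not part of the original post. It assumes English powercfg output and uses the task names mentioned in this article (Account Cleanup, Combined Scan Download Install, InvokeMaintenance); the function name is hypothetical.

```powershell
# Added example: read-only audit of the wake prerequisites described in this article.
function Get-WakeReadiness {
    [CmdletBinding()]
    param(
        # Task names as given in the article; adjust if yours differ.
        [string[]]$TaskName = @('Account Cleanup', 'Combined Scan Download Install', 'InvokeMaintenance')
    )

    # Sleep states: keep only the "available" section, because powercfg /a also
    # lists unsupported states (including S0) under "not available".
    $available = @()
    foreach ($line in (powercfg.exe /a)) {
        if ($line -match 'not available') { break }
        $available += $line
    }
    $supportsS3       = [bool]($available -match 'Standby \(S3\)')
    $connectedStandby = [bool]($available -match 'S0 Low Power Idle')

    # RTCWAKE on the active scheme: 0 = disabled, 1 = enabled, 2 = important wake timers only.
    $rtc = @{ AC = $null; DC = $null }
    foreach ($line in (powercfg.exe /q SCHEME_CURRENT SUB_SLEEP RTCWAKE)) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
            $rtc[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }

    # Scheduled tasks that exist, are not disabled, and are allowed to wake the device.
    $wakeTasks = @(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Where-Object { $_.Settings.WakeToRun -and $_.State -ne 'Disabled' } |
        ForEach-Object { $_.TaskPath + $_.TaskName })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SupportsS3       = $supportsS3
        ConnectedStandby = $connectedStandby
        RtcWakeAC        = $rtc.AC
        RtcWakeDC        = $rtc.DC
        WakeTasks        = $wakeTasks
        # Ready mirrors the article's setup: S3 device, RTCWake = 1 on AC and DC, a wake task.
        Ready            = $supportsS3 -and -not $connectedStandby -and
                           ($rtc.AC -eq 1) -and ($rtc.DC -eq 1) -and ($wakeTasks.Count -gt 0)
    }
}

Get-WakeReadiness | Format-List
```

A device that reports Ready = False with ConnectedStandby = True falls under the limitation in the IMPORTANT note above and will not wake via the RTCWake timer.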

Miscellaneous items to think about:

  1. Just because the device wakes doesn’t necessarily mean it will install anything. Keep in mind what your current power policies are set to. If the device goes back to sleep five minutes after being awake, that won’t be enough time to get SCCM policies and install content. You may need to change your off-peak power settings to allow for the devices to stay awake longer to get policies from SCCM to install any updates/software that is being deployed.
  2. This process will work for machines managed by WSUS too or any third party management tool.
  3. If you are unsure if you have any devices that support connected standby, you can run Powercfg /a. If Standby (S0 Low Power Idle) is listed among the available sleep states, this is a device that supports connected standby.
  4. If you’re on 1607 and can’t or won’t configure Shared PC, you also don’t have access to the SetEDURestart policy. You’ll need to create a scheduled task manually. You can do this via the following PowerShell script.

    # Create the task only if it does not already exist
    $task = Get-ScheduledTask -TaskName InvokeMaintenance -ErrorAction SilentlyContinue

    If (-not $task)
    {
        # The action itself does nothing (cmd /c with no command)
        $ST_A = New-ScheduledTaskAction -Execute "cmd" -Argument "/c"
        $ST_T = New-ScheduledTaskTrigger -AtStartup
        # -WakeToRun is the setting that allows the task to wake the device
        $ST_S = New-ScheduledTaskSettingsSet -DisallowHardTerminate -RunOnlyIfIdle -MaintenancePeriod 24:00:00 -StartWhenAvailable -WakeToRun -ExecutionTimeLimit 00:30:00 -Priority 0
        $ST_P = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName "InvokeMaintenance" -Action $ST_A -Trigger $ST_T -Settings $ST_S -Principal $ST_P
    }