
We have WSUS pushing updates out to our users' workstations, and things are going relatively well with one annoying caveat: there seems to be an issue with a pop-up being displayed in front of some users informing them that their machine will be rebooted in 15 minutes, and they have nothing to say about it:


This may be because they did not log out the prior night. Nevertheless, this is a bit too much and is very counter-productive for our users.

Here is a bit about our environment: Our users are running Windows XP Pro and are part of an Active Directory Domain. WSUS is being applied via Group Policy. Here is a snapshot of the GPO that is enforcing the WSUS rules:


Here is how I want WSUS to work (ideally - I'll take whatever can get me close):

I want updates to automatically download and install every night. If a user is not logged in, I would like the machine to reboot. If a user is logged in, I would like their machine not to reboot, but instead wait until the next "installation period" where it can perform any other needed installations and reboot then (provided a user account is not still logged in). If a user is to be prompted for reboot, it should only happen once per day (if possible), but every time they are prompted, they must have a way to postpone the reboot.

I do not want users to be forced to restart their computer whenever the computer thinks it should happen (unless it's after an update installation and there are no logged in users). That doesn't seem productive to force a system restart in the midst of a person's workday. Is there something that I can do with the GPO that would help make WSUS less intrusive? Even if it gave the user an option to Restart Later - that would be better than what is happening now.

edit

The goal is to be able to automatically download and install updates every night, and rebooting the machine only if there are no users logged on when the machine wants to reboot. If Windows has to nag the user about rebooting, this is perfectly fine - as long as they have an option to postpone that reboot.

edit

It turns out, we have some deadlines set on some updates (SP3, Client-Side Extensions, etc.), and with the post found below, some light has been shed on the situation:

http://forums.techarena.in/server-update-service/255722.htm

Cypher

4 Answers

I think the most workable and least intrusive solution is to change the Configure automatic updating setting to 3 - Auto download and notify for install. That will not interrupt the user, and the option to Install updates and Shut Down will be automatically selected on the shutdown menu.

Periodically run a report of computers needing updates and wave a big stick at people who haven't done their updates.

Ben Pilbrow
  • I've considered this, however the goal was to get machines to install updates on their own (although we don't want users to shut down, machines need to stay on). – Cypher Jan 06 '11 at 21:18
  • I'm afraid I don't think it gets much better than this. We played with many many MANY combinations of these settings, and eventually decided the lesser of all the evils seemed to be to do it this way. – Ben Pilbrow Jan 06 '11 at 21:23
  • Do you really need to apply updates every day? I talked mgmt into a policy I called 'log off Wednesdays' and scheduled updates for that night, after a few weeks of walking around with the big stick on Wednesdays everyone caught on. I don't think WSUS gives you any other option. – jhayes Jan 06 '11 at 21:51
  • We tell everyone to shut down their computer at the end of the day (we're being green and all that), so the `Shut down and install updates` works perfectly for us. When there's no patches to apply, it just says `Shut Down` like normal. – Ben Pilbrow Jan 06 '11 at 21:59
  • @jhayes: It doesn't really need to be done every day - we just need to play catch-up at the moment since patching hasn't been done in about a year and a half. I almost fell out of my chair when I saw that, so the "every day" deal is not a requirement. I can see us possibly forcing a reboot on Sundays. That might work. – Cypher Jan 06 '11 at 22:08
  • @Cypher - you probably already know about "update tuesday"? Most updates are released on Tuesday by Microsoft, unless it's a 0-day exploit in the wild, or something otherwise rather serious. +1 for "Log Off Wednesday" up above. I would do the same, or I would have the machines do it automatically before work on Wednesday. – Harv Jan 06 '11 at 23:32
  • @Harv - yes, I'm aware of Microsoft's 'update Tuesday'. :-) We had a few hundred XP machines without SP2 and patching was slow, so we started patching every night. We've caught up significantly with 98% of all workstations on SP3 with 96% of all critical/security patches installed. It works well - I just can't believe that there isn't a way to allow our users to postpone a reboot of their machines. I must be missing something. – Cypher Jan 06 '11 at 23:57
  • I also use `auto download and notify for install`, but typically set the notifications to hit the users about an hour before they leave for the day. This means you aren't annoying your users all day long, and as most users realise that if they don't install them before they leave, that they'll be dismissing reminders every 10 minutes the following day, so they do tend to install them before they leave for the day. – Bryan Feb 12 '12 at 13:10

You could change "Configure Automatic Updates" to option "3 - Auto download and notify for install" -- you can enable and set a time limit for "Delaying Restart for scheduled installations"

You could also try "No auto-restart with logged on users for scheduled automatic updates installations" set to Enabled with "Re-prompt for restart with scheduled installations"

Marshalus
  • The "delay restart" setting defaults to 15 minutes. The maximum value is 30 minutes, however - it still forces the machine to pop that dialog, which is not what we want (unless they can choose "restart later"). Wouldn't your second suggestion forcefully reboot the machine after an update even if a user was logged on? Or am I mistaken? – Cypher Jan 06 '11 at 21:20

This was our biggest obstacle for deploying WSUS. The previous implementor ignored this, and we had teachers being forced to restart in the middle of a class. They were not pleased...

The settings you have should be doing this for you already. I have the same settings:

No auto-restart with logged on users for scheduled automatic updates installations: Enabled

Re-prompt for restart with scheduled installations: Enabled

Wait the following period before prompting again with a scheduled restart (minutes): 300

The "No auto-restart" setting is supposed to make this work the way you want. From WSUS help: "Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer."

We have not had any complaints since implementing this. I tested on a few of our more "forgiving" users before deploying to the whole school. I'm not sure that anyone even noticed that the updates were happening.

Another setting that I use that I think helps our laptop users is:

Reschedule Automatic Updates scheduled installations: Enabled

Wait after system startup (minutes): 60

This allows them to actually get their computers turned on and logged in before the background update installations start happening. I didn't want the installations to slow down the startup/login process if a teacher turned on their computer right before class.

minamhere
  • This is why I'm so baffled and am asking here. I've used WSUS extensively in the past and didn't anticipate users **not** being able to postpone a reboot. – Cypher Jan 06 '11 at 23:53
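
One way to check on a workstation that the settings quoted in the answer above actually arrived via Group Policy (an added example, not part of the original answers). It assumes PowerShell is installed on the client; the function names are made up for illustration, and the sample values are constructed from the numbers in the answer.

```powershell
# Added example: audit the Automatic Updates policy values that control restarts.
# Function names are hypothetical; the registry value names are the standard
# ones written by the Windows Update Group Policy settings quoted above.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$Names = 'AUOptions', 'NoAutoRebootWithLoggedOnUsers',
         'RebootRelaunchTimeoutEnabled', 'RebootRelaunchTimeout',
         'RescheduleWaitTimeEnabled', 'RescheduleWaitTime'

function Get-AuPolicy {
    # Collect whichever policy values exist; missing ones stay absent.
    $policy = @{}
    if (Test-Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($n in $Names) {
            if ($item.PSObject.Properties[$n]) { $policy[$n] = $item.$n }
        }
    }
    return $policy
}

function Test-AuRebootPolicy([hashtable]$Policy) {
    $findings = @()
    if ($Policy['AUOptions'] -ne 4) {
        $findings += "AUOptions is '$($Policy['AUOptions'])', not 4 (auto download and schedule the install)"
    }
    if ($Policy['NoAutoRebootWithLoggedOnUsers'] -ne 1) {
        $findings += 'No auto-restart with logged on users is not enabled: a scheduled install can restart under a logged-on user'
    }
    if ($Policy['RebootRelaunchTimeoutEnabled'] -ne 1) {
        $findings += 'Re-prompt for restart is not configured: the default re-prompt interval applies'
    } else { $findings += "Re-prompt interval: $($Policy['RebootRelaunchTimeout']) minutes" }
    if ($Policy['RescheduleWaitTimeEnabled'] -eq 1) {
        $findings += "Missed installs start $($Policy['RescheduleWaitTime']) minutes after startup"
    }
    return $findings
}

# Constructed sample mirroring the values in the answer above (300 / 60 minutes).
$sample = @{ AUOptions = 4; NoAutoRebootWithLoggedOnUsers = 1
             RebootRelaunchTimeoutEnabled = 1; RebootRelaunchTimeout = 300
             RescheduleWaitTimeEnabled = 1; RescheduleWaitTime = 60 }
Test-AuRebootPolicy $sample

# On a real client, audit the live policy instead:
Test-AuRebootPolicy (Get-AuPolicy)
# Deadlines on WSUS approvals live on the server, not in these values, so they
# have to be checked in the WSUS console (see the question's second edit).
```
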

I would change the following policy settings. The first because some updates don't require a restart of the machine and these can download and install protecting the machine before the next reboot. The second, because (assuming you are running most users as standard users as would be recommended) the lack of messages being shown to them may be causing the forced reboots. Non admin users wouldn't be given update notifications of any kind, but they would need to follow the requested reboots of message they're blocked from seeing.

Allow Automatic Updates immediate installation - change to Enable
Allow non-administrators to receive update notifications - change to Enable
edusysadmin