WSUS approval procedures.

Hello all,

I've been trying to get some definite answers on a couple of WSUS scenarios and can't seem to find anything definitive.  So I'm asking for some help on either finding Microsoft's official answers to these questions or answers based on the experience of the experts here.  We just installed WSUS 3 on a network and are a little confused as to how deadlines work, the impact of local admin rights and the deployment of Service Packs.

The client wants to have critical updates automatically approved and have the end users get prompted to install the updates so they can install them themselves throughout the day.  However, every couple of weeks he wants to have everyone leave their computers on and force all the remaining approved updates to install overnight.

This seems doable; we've set up the automatic approval for critical updates and that seems to be working fine in our testing.  However, I'm a little unsure if the user needs to have admin rights in order to run the approved updates. Will they run if the user only has domain user rights?  Is this the same for all updates, including service packs?

Also, we're a little confused about the deadline feature.  From what I gather, we can just set a deadline for a night of our choosing and as long as the workstations are on, all the updates that have a deadline for that day will automatically install.  This is how we are planning to implement the forced updates every couple of weeks.  But I can't seem to find any info on whether this works for service packs as well and whether there is any impact caused by a user remaining logged on during this process.  Will the deadlined updates (including service packs) get force installed regardless of the user being logged on?  If the user is or isn't local admin, will that make a difference?  And are there any gotchas with XP SP3 and the forced deadlines (this is the one service pack that needs to be rolled out to almost all the machines)? Will it install automatically if we put a deadline on it?

Thanks in advance for any help.
I did this today :) so nice and fresh in my mind.

SP3 will deploy with deadlines fine. It will take a while to download to the machine and it will either install at the preset time you've set via the GPO or local policy. Default Microsoft time is 3am. The SP3 install is different to a regular patch rollout, as when the computer restarts the Windows setup screen comes up briefly on boot and you can see it installing, but it won't ask the users for any details to enter. Something to remember if you are wanting to inform the users to keep their mind at rest.

If the user is logged onto the machine, the yellow shield will appear in the taskbar and prompt them that there are updates to be installed. Nothing happens till the preset marker is reached and then an install and reboot will take place. So basically during the day the updates trickle to the machine and sit there waiting. If through the day the user goes to the shutdown menu, they are prompted to install updates and shut down as well as the usual set of options. If this is taken, the updates will install and the machine will turn off. This takes longer than if the user installs the updates from the shield.

If a deadline has been set, then after the install the user will be prompted to save their work as the machine is shutting down in 5 mins. When this happens in a deadline scenario, the restart later option is greyed out and the machine is gonna reboot come what may. Something to let your users know about.

Setting a deadline in the past will immediately fire the update in question out to all the machines in the group approved from the WSUS console. This can be handy for express updates of critical patches. Setting one in the future will mean that it gives the machines time to naturally install in the lazy way WSUS seems to deploy patches, and if there are stragglers it will nip those in the bud. Will also mean new machines joining the network will be fully patched very quickly if an older image is used.

I would suggest, if you are going to be installing SP3 to a large number of network clients, to use the bandwidth limiting features available via GPO during office hours, as even with BITS 2.0 it's still gonna really put a lot of pressure on the network if all the machines are downloading at the same time, especially if it gets to the point where the deadline has passed etc. and the patch is deploying.

The updates get installed whether the user is logged on or not. The updates get installed whether or not they are an admin. It installs the updates at the set time or when the user interacts with the install updates prompts.

It won't prompt with the shield if the user has restricted access to the start menu etc. We have limited accounts restricted via GPO that basically have a redirected start menu and that's it, and have found this stops the yellow shield prompting to say the updates have downloaded, but still allows the user to shut down and install updates, and the automated process works fine on them too.
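
The answer above depends on settings delivered by GPO or local policy: the scheduled install time and the BITS bandwidth limit. As an added example (not part of the original answer), this PowerShell script reports what a client actually received; the registry paths and value names are the standard Windows Update and BITS policy values and are assumptions in the sense that they do not appear in the thread.

```powershell
# Added example: report the Windows Update / BITS policy this client received.
# Paths and value names are the standard Group Policy registry values, not from the thread.
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or value is absent, i.e. not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Row([string]$Setting, $Value) {
    if ($null -eq $Value) { $Value = '(not configured)' }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value } |
        Select-Object Setting, Value
}

$modes = @{ 2 = 'Notify before download'; 3 = 'Download, notify before install'
            4 = 'Download and install on schedule'; 5 = 'Local admin chooses' }
$days  = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

$mode = Get-PolicyValue $au 'AUOptions'
$day  = Get-PolicyValue $au 'ScheduledInstallDay'
$hour = Get-PolicyValue $au 'ScheduledInstallTime'

$modeText = $null
if ($null -ne $mode) { $modeText = $modes[[int]$mode] }

# The scheduled day and hour only apply when the mode is 4 (scheduled install).
$schedule = $null
if ($mode -eq 4 -and $null -ne $day -and $null -ne $hour) {
    $schedule = '{0} at {1:00}:00' -f $days[$day], $hour
}

# BITS throttle: rate in Kbps, applied between the two hours (0-23).
$bitsLimit = $null
if ((Get-PolicyValue $bits 'EnableBITSMaxBandwidth') -eq 1) {
    $rate = Get-PolicyValue $bits 'MaxTransferRateOnSchedule'
    $from = Get-PolicyValue $bits 'MaxBandwidthValidFrom'
    $to   = Get-PolicyValue $bits 'MaxBandwidthValidTo'
    $bitsLimit = '{0} Kbps between {1:00}:00 and {2:00}:00' -f $rate, $from, $to
}

@(
    New-Row 'WSUS server'                       (Get-PolicyValue $wu 'WUServer')
    New-Row 'Update mode'                       $modeText
    New-Row 'Scheduled install'                 $schedule
    New-Row 'Non-admins get notifications'      (Get-PolicyValue $wu 'ElevateNonAdmins')
    New-Row 'No auto-reboot with logged-on user' (Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers')
    New-Row 'BITS limit'                        $bitsLimit
) | Format-Table -AutoSize
```

Run it on a sample workstation in each WSUS target group before setting a deadline; a row showing "(not configured)" means the client is using the default for that setting.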
EnvisionTechAuthor Commented:
excellent answer, thanks!
Question has a verified solution.
