MCKasu
asked on
WSUS and Group Policy settings for Restart Now/Restart later option
Hi
I have a question regarding GPO settings for WSUS. I know there is a lot of stuff out there regarding this but I haven't found anything to match the settings I have or the results I am getting.
I want to be able to download patches and update clients at 3am. If the user remains logged in I want the update to install and if the update requires a reboot then I want to let them know that a reboot is required. Similarly, if they turn off their PC, when they next log in I want the update to install and give them a message that a reboot is required. I do not want the PCs to reboot automatically if someone is logged in.
Because I do not want users to have access to any of the Windows Update features and I do not want them to get messages about updates which are pending I set the following User policy
Admin Templates\Windows Update\
Setting "Remove access to all Windows Update features" : enabled
Because I want the users to get notifications of any reboots that are required I set the following user policy
Admin Templates\Windows Update\
Setting "Enable Windows Update notifications" : enabled
Setting "Configure notifications" : 1 - Show restart required notifications
These policies work fine and seem to do what I require; however, when the user gets a notification that a reboot is required, they have the option to Restart Now or Restart Later. I thought that only Admins got the Restart Later option. All of our users are locked down and none of them have any local Admin rights. I don't mind giving them the option to restart later because I can set the popup to appear every 5 mins and I am sure they will soon get sick of it and reboot, but I am curious as to why they get the option.
Any help would be greatly appreciated.
Thanks
There's a great explanation of all Windows Update settings on this page:
http://web.archive.org/web/20070815191337/www.vbshf.com/vbshf/wsus/wsus_faq.htm
From the link you may find this helpful
Remove access to use all Windows Update features
This setting allows you to remove access to Windows Update.
If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family (although this works on 2000 as well – Rob)
Shut Down option in the Start menu.
Rob’s notes:
Found under ‘User Configuration’ > ‘Administrative Templates’ > ‘Windows Update’
This will block all access to the Windows Update site so the only location you can pull updates from is your WSUS server.
How this relates to WSUS: This option will cause the option ‘restart later’ to be grayed out even if the user is a local administrator on the PC. The only way to eliminate this message is either to click ‘restart now’, or to stop the ‘Automatic Updates’ service. It is an effective way to remove the ability to defer restarts to all of your users, including administrators!
You may end up annoying a LOT of people with this setting, so be careful!
NOTE: This is a user-based policy.
ASKER
Thanks for the replies. As I said, everything seems to be working fine, however the standard users have the ability to "Restart Later" and this is really what I am questioning as I thought only admins had this right. Below are the policies I have set. Updates are scheduled for 3am.
Cheers
Computer Configuration (Enabled)
  Administrative Templates
    Windows Components/Windows Update
      Policy : Setting
      Allow Automatic Updates immediate installation : Enabled
      Allow non-administrators to receive update notifications : Disabled
      Automatic Updates detection frequency : Enabled
      Configure Automatic Updates : Enabled
        Configure automatic updating: 4 - Auto download and schedule the install
      Delay Restart for scheduled installations : Enabled
      Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box : Enabled
      No auto-restart with logged on users for scheduled automatic updates installations : Enabled
      Re-prompt for restart with scheduled installations : Enabled
      Reschedule Automatic Updates scheduled installations : Enabled
      Specify intranet Microsoft update service location : Enabled
        Set the intranet update service for detecting updates: http://wsusserver
        Set the intranet statistics server: http://wsusserver
User Configuration (Enabled)
  Administrative Templates
    Windows Components/Windows Update
      Policy : Setting
      Enable Windows Update Notifications : Enabled
      Remove Access to use all Windows Update features : Enabled
What I have done in the past is configure "Install Updates and Shutdown" as the default shutdown option with your pesky "Enable Windows update Notification".
Here's what happens. Either they shut down, and that installs the updates upon shutting down. Or they get annoyed at the popup window that says you need to reboot.
http://technet.microsoft.com/en-us/library/bb457141.aspx
But, there is one thing you need to understand:
There is a difference between download updates and wait for the user to interact, or an automatic install of the updates. In other words, Download, and Install are two different concepts when managing updates on the clients. You can download the update to the client and then prompt the user for reboot. Also you can download the update to the computer and make the "Install updates and shutdown" option as the default shutdown procedure. Both usually handle that lazy user from shutting down without installing updates for you.
If you force installation, the computer will reboot (potentially in the middle of work hours).
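To confirm on a client which of the settings discussed in this thread actually applied, the following PowerShell reads the policy registry values behind them and compares them with what the asker listed. It is an added example, not part of the original thread; the registry value names come from the standard Windows Update policy templates and do not appear on the page, so treat them as assumptions, while the expected values (option 4, 3am, http://wsusserver) are the asker's.

```powershell
# Added example (not from the thread): read the Windows Update policy values
# on this client and compare them with the settings the asker listed.
# Run it as the logged-on user so HKCU shows that user's policy.
$au   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$user = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

# Value names are assumptions from the standard templates; Want = value from the thread.
$checks = @(
    @{ Key = $au;   Name = 'AUOptions';                      Want = 4 }   # 4 - auto download and schedule
    @{ Key = $au;   Name = 'ScheduledInstallTime';           Want = 3 }   # 3am
    @{ Key = $au;   Name = 'NoAutoRebootWithLoggedOnUsers';  Want = 1 }
    @{ Key = $au;   Name = 'RebootRelaunchTimeoutEnabled';   Want = 1 }   # re-prompt for restart
    @{ Key = $au;   Name = 'NoAUShutdownOption';             Want = 1 }   # hide Install Updates and Shut Down
    @{ Key = $au;   Name = 'UseWUServer';                    Want = 1 }
    @{ Key = $wu;   Name = 'WUServer';                       Want = 'http://wsusserver' }
    @{ Key = $wu;   Name = 'WUStatusServer';                 Want = 'http://wsusserver' }
    @{ Key = $wu;   Name = 'ElevateNonAdmins';               Want = 0 }   # non-admin notifications disabled
    @{ Key = $user; Name = 'DisableWindowsUpdateAccess';     Want = 1 }   # remove access to WU features
    @{ Key = $user; Name = 'DisableWindowsUpdateAccessMode'; Want = 1 }   # 1 - restart required notifications
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means the policy never reached this machine or user.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
    $state  = if ($null -eq $actual) { 'NOT SET' }
              elseif ("$actual" -eq "$($c.Want)") { 'OK' }
              else { 'DIFFERS' }
    [pscustomobject]@{ Value = $c.Name; Expected = $c.Want; Actual = $actual; State = $state }
}
$report | Format-Table -AutoSize

# Without this value a scheduled install may restart the PC while a user is logged on.
if ((Get-PolicyValue -Key $au -Name 'NoAutoRebootWithLoggedOnUsers') -ne 1) {
    Write-Warning 'No auto-restart with logged on users is not in effect on this client.'
}
```

A row marked NOT SET usually means the GPO is not linked or filtered for that computer or user; `gpresult` on the client shows which GPOs were applied.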