• Status: Solved
  • Priority: Medium
  • Security: Public

How to tell when servers require a reboot following update from WSUS

Due to the number of servers we manage I would like to control updates on a number of non-essential/utility servers via WSUS. We have a GPO set that is set to update such servers (approved updates) and reboot @ 3am (daily as needed).

I am seeing the appropriate servers installing updates but they are not rebooting as expected. The server status report indicated "Pending reboot" and the corresponding server console is requesting a restart to complete the updates.

Questions:
1) Is the failure of the scheduled reboot as indicated by the GPO typical, and if so;
2) How can I best tell which servers have been updated and are awaiting a reboot?

My understanding is that best practice is not to leave a server in a transitional state so I'd like to understand when servers are in this state.

What are others out there doing, how is this being handled?
Asked by: agradmin
1 Solution
 
Cliff Galiher Commented:
Set deadlines when you approve updates and it'll force a reboot even if an account is in a "connected" state (fairly common for some types of servers which can cause a reboot to get delayed.)

agradmin (Author) Commented:
Thanks Cliff, that's interesting. What sort of typical deadline (eg hour/day/week) have you seen this work for? It would be nice to be able to set the deadline short so at least you have some control over when a server might reboot.
I would only use this on utility servers but still need some level of control.

Cliff Galiher Commented:
It works as long as the deadline isn't so short that you'd expect a reboot immediately. The agent still has to see the deadline.
 
agradmin (Author) Commented:
Cliff,
Does the machine reboot when the deadline is met (ie can be scheduled) or at some random time beforehand?

Cliff Galiher Commented:
When the deadline is met...or after. Now keep in mind that WSUS does not push updates. Clients pull updates. And the WU agent checks in on a schedule. So let's say the agent checks in every 8 hours and checks in one day at 4PM. Then you log in at 5PM and approve an update for 6PM. The client will reboot at 6PM because it does not know the update is approved and is unaware of the deadline. When it checks in again (approximately midnight) it will see both the approval and the deadline, and know the deadline has already gone by. This will trigger an IMMEDIATE install and reboot, regardless of who is logged in or what they are doing, unless you configured a separate GPO that grants users the right to delay the reboot.

So plan your deadlines accordingly.

agradmin (Author) Commented:
Thanks Cliff, this is all great information.

So if I approve an update at 8am today with a deadline of 3am tomorrow, will the server possibly pull the update and install pending a reboot, and if not rebooted manually by 3am do so then? I would like to minimize the amount of transition time between install & reboot in case of instability.

It would be nice if WSUS provided a way to see which machines are pending a reboot to enable management.

Cliff Galiher Commented:
That is how it should work, in theory. If you actually run an update report you can see if a machine needs a reboot.

agradmin (Author) Commented:
But I would have to check the update report for each individual machine, and there is no way to report on ALL machines that require a reboot, correct?

agradmin (Author) Commented:
Cliff,
Can you just confirm that you have to report on each individual machine to see if it is pending a reboot, or is there a way to list all? Otherwise I think you have answered my question - thanks for sharing your expertise.

Cliff Galiher Commented:
You should be able to generate one report with all machines in it. One of the statuses is reboot required.

agradmin (Author) Commented:
I would have thought the same - the only report options I can find on status is in regard to the status of the install itself (eg installed/Failed/Needed).
If you know of a report option that would list all machines pending a reboot I'd love to know where it is.

Cliff Galiher Commented:
First, I am talking about an actual report. Not just a filter of an on-screen list. Second, I don't recall there being a report like what you want. But if you generate a report of all computers and their status, one of the statuses is that a reboot is required. Can you get a report of *just* those computers? Probably not without a lot of work. But do you need to go into each computer separately? No. One report can give you everything you need.

agradmin (Author) Commented:
Thanks for the descriptive answers.
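
One way to list every computer that WSUS reports as installed-pending-reboot and then confirm the state on each server itself, as an added example that is not part of the original thread. It assumes it is run on the WSUS server with the WSUS administration API installed, and that PowerShell remoting (WinRM) is enabled on the managed servers; the `$report` and `$rebootKey` variable names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server.
# Assumptions: the WSUS administration API is installed locally and
# PowerShell remoting (WinRM) is enabled on the managed servers.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Scope: only computers with at least one update installed but awaiting a restart.
$states = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]
$scope  = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$scope.IncludedInstallationStates = $states::InstalledPendingReboot

$pending = $wsus.GetComputerTargets($scope)

# Windows Update creates this key when an installed update needs a restart.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

$report = foreach ($computer in $pending) {
    $name = $computer.FullDomainName

    # WSUS only knows what the client last reported, so confirm on the server itself.
    try {
        $live = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            param($key)
            Test-Path -Path $key
        } -ArgumentList $rebootKey
    } catch {
        $live = 'unreachable'
    }

    [pscustomobject]@{
        Server             = $name
        LastReportedToWsus = $computer.LastReportedStatusTime
        RebootKeyPresent   = $live
    }
}

$report | Sort-Object Server | Format-Table -AutoSize
```

A server listed with `RebootKeyPresent` set to `False` has most likely restarted since its last report to WSUS; one marked `unreachable` needs a manual check.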