There have been numerous posts where people ask about ways to delay (or cancel) the reboot of the client machine once the update is "installed".
Let me attempt to elaborate on the relationships between download, install and reboot operations and how they should be spaced in time for the client machine to be in the most stable and secure state.
(1) Download and install are two independent and distinct operations.
(2) Install and reboot are two very closely tied operations.
Just downloading the update on your machine has no effect in patching the machine.
A downloaded but not-installed update does not affect the security or functionality of the machine in any way.
On the other side, for an update which requires reboot; the install and reboot operations should be tied together very tightly. For an update that requires reboot, the update is NOT installed until the system reboots. A partially installed update (pending reboot) results in a non-updated and insecure state of the machine. Also since this is a ‘synthesized’ state, it can result in instability.
Ideally, install and reboot should be a quantum operation.
Let me explain this point with an example.
Let's say update U requires reboot.
You install U on your machine and have not rebooted the machine yet.
At this stage the update is NOT fully installed. Only after the machine is rebooted, the update is fully installed.
So as an admin, one should try to view install and reboot operations as part of a single transaction.
The admin should attempt to minimize the time for which any machine is in a reboot pending state.
Admins are far better off to schedule the installation of reboot required updates at a time when the system can be safely rebooted vs delaying reboot to introduce stability risk in combination with the system not being updated and protected.
There are various settings in the group policy which the can control the reboot behavior of client machine and the user experience around this.
Most relevant ones being
· No auto-restart for scheduled Automatic Updates installation
· Delay restart for scheduled installations
· Re-prompt for restart with scheduled installations
I will blog about it next. Stay Tuned…
Chinmay Parekh (WSUS)
Most PC BIOS, by default, will display an error at POST if there is no keyboard attached. Typically, the user must press some key <F1> or I guess <ESC> to get past the warning. These types of errors also occur if there is a floppy drive configured in the BIOS and the physical drive stops working or is removed.
Motherboards that are ment to be used headless in a server role, would typically have a bios option to continue on these warnings instead of asking for user input.
The obvious workaround for a suboptimal bios would be to leave a keyboard attached. I would hope most IT departments validate these types of things before rolling out hardware but I can understand some situations that could cause this hardware validation to not happen.
In short, I really don't see how this is a WSUS problem.
What about the ability to delay the restart for non-admin users. I'm want to force the install but the only option for non-admin users after the patch is installed is to Restart now. I'd like my users to have the ability to delay the reboot for say 60 minutes or so. This alows them to save their work and I can pester them every hour (or sooner)that they need to reboot. I'm told this is a limitation with the current Update client, will there be any change soon?
I HATE what Ms did with the new Windows Update.
I even thought about disabling Automatic Updates at all. The annoying pestering restart-window sucks really.
Even if I kill the windows update client, it just restarts.
You are even so pestering that you destroy unsaved work to automatically reboot (this timebomb after resuming from hibernation).
I hate Windows Update since this features was introduced.
And of course an machine in pending state is perfectly finde IF I WANT IT!
The company users will reboot anyway at the end of the day.
Thank you for the post Chinmay. We have a large number of laptop users. The Laptops are not plugged into the network at night when updates are pushed out, so they get the updates when the users get here the next morning.
Our desire is for the laptop to stay in that installed/non-rebooted state until the end of the day when the user will shutdown on their own to go home. I believe this is one situation where separating the install/reboot process by a few hours is important to making the install seamless for the users.
Currently, we're configured so that 30-minutes after they log in, the updates are installed and they receive the prompt to "restart now". The "restart later" option is grayed out. Two questions, then: 1) If I set the "delay restart for scheduled installations" option in the GPO, that seems like it will fix our problem, but will that force the restart instead of prompting the user at the end of that delay? 2) Is there a way to enable the "restart later" option without allowing the user to approve/disapprove updates?
Looking forward to your next post.
I am attempting to use a group policy to institute automatic updates.
So far I have the GPO set up except there is one thing I want to change but I can't find it even though I imported the latest wuau.adm template file.
the setting I am interested in setting via GPO is:
This is cut and paste from the the template file:
#if version >= 4
#if version >= 3
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
Why can't I see this as a setting in MY GPO? I want to reboot if a user left their machine logged off, but not if it is logged on.
Does this make sense. I am using the latest production version of WSUS.
exactly the same problem I have. We have 96% non Admin User. So non of them will be able to delay the reboot. Our current solution.
Option 4 with a Install time and no reboot.
The End User see following scenario: When they are shutting down there PC they have the Option "Shut Down and Install". The Scheduled time is somewhere at Midnight. So on the next day they will install the Update in the background and at the evening they shut down. So the maximum 8 hours are the PC in State Reboot Pending.
To your trouble with the ADM. Have you tried the filter Option. In GPMC click on "Administrative Template" and then you can use in the Menu -> View -> Filter -> and remove the last Flag (something show full configured only) then you will see much more option in the GPMC.
B.r. Thomas Laggner
Du musst ein Fachmann sein - wirklich guter Aufstellungsort, den du hast!
Du mußt eine NAZI sein! Deine facist tendancies stellen durch dar.
I'd have to agree that the ability to patch, and wait for a reboot is something that is sorely needed. If patches come out Tuesday at 3 PM, I'm technically in an insecure state until I apply and reboot the servers. What difference is it I install the updates and then wait to reboot? Both are still leaving the computer unsecure. When you have hundreds of servers that need patched and rebooted, it is unwise to merely have them all download, and all reboot at that same time as some don't always come backup. you then are looking at an extended outage for servers. For example, if I have 500 servers, and I patch them at 10 PM, then they all reboot, and 10 of them don't come back up, who knows how long until server #10 will be back up. On the flip side, if I patch them all at 10 PM, then I can slowly reboot them all to minimize the associated downtime.
Mikael Rönnbäck, you mention some of your server have life or death related criticality levels, I'm surprised you would rather have your servers in a pending reboot state vs. skip a patch maintenance window. Frankly I would consider it fairly irresponsible to make a blanket statement on such an important decision. Having the server in a synthesized state means the server is inherantly unstable. I would not want to be the helicopter pilot with you as my sys admin ;^).