Desire to have absolutely no input / notification to users of upda

Discussion in 'Update Services' started by Indiana Larry, Jan 17, 2006.

  1. I have been testing for a couple of weeks now, but cannot seem to get WSUS to
    work the way I want. Here's what I have and what I want:

    1) None of our users are members of the local administrators group
    2) I am using Group Policy to configure the updates on the clients
    3) All user computers are turned off each night (except for a handful that
    need to be on 24 x 7- I will deal with those separately)
    4) I don't want the users to see any messages prompting them to load or
    install updates
    5) I don't want the computers to automatically reboot or the users to receive
    any prompts to reboot their computers - if the patch requires a reboot, it
    should silently wait until the user logs off or issues a shutdown / restart.
    6) Ideally, the user would not see the "Install and shutdown" message, but
    that would be OK (I would just let them know to ignore this message).

    Here are my current settings:

    Allow Automatic Updates immediate installation: Enabled
    Allow non-administrators to receive update notifications: Disabled
    Automatic Updates detection frequency: Enabled - 1 hour (for testing)
    Configure Automatic Updates: Enabled - 4 / 0 / 04:00
    Do not adjust default option to 'Install Updates and Shut...: Disabled
    Do not display 'Install Updates and Shut Down' option in ..: Disabled
    Enable client-side targeting: Disabled
    No auto-restart for scheduled Automatic Updates installations: Enabled
    Re-prompt for restart with scheduled installations: Enabled - 1440 minutes
    Reschedule Automatic Updates scheduled installations: Enabled - 5 minutes
    Specify intranet Microsoft update service location: Enabled - (our WSUS
    server)

    Hopefully this is something that
    a) can be done, and
    b) isn't TOO obvious so that my ego isn't permanently damaged, as I've
    spent WAY too long looking for a way to make this work!

    Any suggestions that make my "dream" patch process work would be appreciated!
     
    Indiana Larry, Jan 17, 2006
    #1

  2. There are no scenarios which meet your criteria using WSUS.

    Take out any one of the below 6 items and I can work you a solution, but the
    given criteria makes it impossible.

    Truthfully, your "dream" patch process is everybody's dream patch process,
    and, if it could be done, Microsoft would just teleport the patches onto our
    systems while they're powered off.

    So, let's talk about basics, first.

    1. The system must be powered on in order to install updates.
    2. When the system is powered on, either a user is logged on, or a user is
    not logged on.
    3. If a user is not logged on, updates are simple, they install covertly,
    automatically, the system restarts, and nobody probably even notices. But
    that doesn't seem to be your situation.
    4. If a user -is- logged on, now you have some questions:
    - What are the risks of installing system-related files while a user
    is working on the machine. (Those files, btw, that -can- be installed.)
    - For those files that cannot be installed while the machine is
    'up', the machine -must- be rebooted in order to apply the update. No
    reboot. No patch. No security fix. Might as well not install the update in
    the first place.
    - If you don't want the user to see anything that's going on in the
    background, that's fine -- until the point where the system knows that it
    needs to reboot to finish the installation. The -one- option that does -not-
    exist is the option to NOT REBOOT. It's not an option, and I seriously doubt
    that Microsoft is ever going to give users that option.

    So.... you really only have two choices:
    - install and restart when a user is not logged on
    - install and restart when a user is logged on

    The former requires no notification; the latter absolutely requires
    notification to the user.

    Quite honestly, in your situation, I think your best solution is to use
    "Install Updates and Shutdown" as a /normal/ mode of operation (note,
    however, that this option only exists for XP SP2 systems), and for those who
    choose not to install updates when prompted, your "Reschedule Automatic
    Updates" option will force the installation at the next power on.

    Incidentally, the "No auto-restart.." policy will always produce a pop-up
    dialog box for any logged in user.

    Finally, another option recommended often for scenarios such as yours, is to
    /schedule/ the updates for one hour before your normal end of workday (e.g.
    4pm). Set the "Delay restart for scheduled installations" policy to its
    maximum of 30 minutes, which will result in one prompt to reboot
    (~4:30-4:35pm), which can be ignored. The user shuts down their machine at
    5pm, and the remaining steps of the reinstallation occur at the next
    powerup, without requiring an additional reboot, and entirely transparent to
    the user.
     
    Lawrence Garvin (MVP), Jan 18, 2006
    #2

  3. Thank you for the reply.

    Hopefully I didn't come across as thinking that there was a way to install
    updates while the system was off or without ever rebooting!!! I merely was
    looking for a way to have any selected (as in me doing the selecting via WSUS
    approvals) updates go through the load process while the users are logged in
    and without them knowing about it, then apply any patches requiring a reboot
    to do so only / automatically when they log off, shut down, or restart, all
    without any pop-ups or input required from the end user.

    Your last 3 paragraphs are helpful - I did not know that "Reschedule
    Automatic Updates" will force the installation at the next power on, nor that
    "No auto-restart" would always produce a pop-up. The proposed solution in the
    last paragraph could be useful (even though I know the pop-ups will annoy /
    confuse a number of our users for months to come!) - would I then need to
    allow non-administrators to receive the update messages in order for them to
    delay the reboot, or would they just have to put the message box aside until
    they are ready to shutdown?

    Thanks.

    Larry
     
    Indiana Larry, Jan 18, 2006
    #3
  4. All of that is possible -except- for the desire to have -no- popups imposed
    upon the user for reboot.

    Either a user is a non-admin, in which case the reboot will actually be
    forced upon them, at the configured timeout delay (5 min by default); or if
    the user is an admin (or an elevated non-admin), then they'll actually get
    a -choice- to reboot now or later, with later being delayed according to
    that configuration option (10 min by default).
    If you wanted all users to have the ability to delay the reboot, then you
    would need to enable the policy to "Allow non-admins to receive update
    notifications." However, that has several other unpleasant ramifications, so
    you really don't want to enable that policy setting.

    Rather, the best way is simply to ignore the dialog box, move it out of the
    way, or, as one poster discovered a while back (but is sure to be 'fixed'
    in a later rev of the WUA), you can simply click on the RedX of the dialog
    box to make it go away.
     
    Lawrence Garvin (MVP), Jan 19, 2006
    #4
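
The policies discussed in this thread can be checked on a client by reading the values Group Policy writes to the registry. The script below is an added example, not code from any poster: it notes what replies #2 and #4 say about each setting. The registry value names are the Windows Update policy values as documented by Microsoft and do not appear in the thread; the powered-on hours and the sample hashtable (built from the settings in the first post) are assumptions.

```powershell
# Added example (not from the thread): audit Automatic Updates policy values
# against the behaviour described in replies #2 and #4.
$Keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuPolicy {
    # Collect the policy values Group Policy has written on this client.
    $values = @{}
    foreach ($key in $Keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-AuPolicy {
    param(
        [hashtable]$Policy,
        [int[]]$PoweredOnHours = 8..17   # assumption: machines are on 08:00-17:59
    )
    $notes = @()
    if ($Policy['AUOptions'] -eq 4 -and $Policy.ContainsKey('ScheduledInstallTime')) {
        $hour = [int]$Policy['ScheduledInstallTime']
        if ($PoweredOnHours -notcontains $hour) {
            $notes += 'Scheduled install at {0:00}:00 is outside powered-on hours; it is rescheduled to {1} min after the next startup.' -f $hour, $Policy['RescheduleWaitTime']
        }
    }
    if ($Policy['NoAutoRebootWithLoggedOnUsers'] -eq 1) {
        $notes += 'No auto-restart is enabled: per reply #2, a logged-on user always gets a pop-up.'
    }
    if ($Policy['ElevateNonAdmins'] -eq 1) {
        $notes += 'Non-admins receive update notifications: reply #4 advises against this.'
    }
    if ($Policy['RebootWarningTimeoutEnabled'] -ne 1) {
        $notes += 'Delay restart for scheduled installations is not set: reply #2 suggests its maximum of 30 minutes.'
    }
    return $notes
}

# Constructed sample: the settings listed in the first post.
$sample = @{ AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 4
             NoAutoRebootWithLoggedOnUsers = 1; ElevateNonAdmins = 0
             RescheduleWaitTime = 5; RebootRelaunchTimeout = 1440 }
Test-AuPolicy -Policy $sample            # offline check of the posted settings
# Test-AuPolicy -Policy (Get-AuPolicy)   # on a client: check the applied policy
```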