Updates install but there is no reboot prompt and no forced reboot

Discussion in 'Windows Update' started by Drew, Oct 21, 2008.

  1. Drew

    Drew Guest

    We have been pulling our hair out trying to figure out what is going on...
    The WSUS server is pushing out updates fine, they are installing fine, but
    they are not prompting the user to reboot,

    Here is a snippet from the WindowsUpdate.log file,

    2008-10-21 11:26:09:148 1116 840 AU Launched new AU client for directive
    'Reboot Pending', session id = 0x0
    2008-10-21 11:26:09:195 3832 cc4 Misc =========== Logging initialized
    (build: 7.0.6000.374, tz: -0400) ===========
    2008-10-21 11:26:09:195 3832 cc4 Misc = Process:
    C:\WINDOWS\system32\wuauclt.exe
    2008-10-21 11:26:09:195 3832 cc4 AUClnt Launched Client UI process
    2008-10-21 11:26:09:211 1116 fd0 AU Windows Update is disabled by policy for
    user
    2008-10-21 11:26:09:211 3832 cc4 Misc =========== Logging initialized
    (build: 7.0.6000.374, tz: -0400) ===========
    2008-10-21 11:26:09:211 3832 cc4 Misc = Process:
    C:\WINDOWS\system32\wuauclt.exe
    2008-10-21 11:26:09:211 3832 cc4 Misc = Module:
    C:\WINDOWS\system32\wucltui.dll
    2008-10-21 11:26:09:211 3832 cc4 CltUI FATAL: Failed to get notification
    handle, hr=80240025
    2008-10-21 11:26:09:226 1116 840 AU AU received handle event

    This message is repeated every 15 seconds.

    Why is the user not notified that a reboot needs to be performed?

    Thanks,
    Drew
     
    Drew, Oct 21, 2008
    #1
    1. Advertisements

  2. 2008-10-21 11:26:09:211 1116 fd0 AU Windows Update is disabled by policy for
    0x80240025 WU_E_USER_ACCESS_DISABLED
    Group Policy settings prevented access to Windows Update.

    Forwarded to the WSUS newsgroup for Drew's convenience:

    NNTP link for OE:
    news://msnews.microsoft.com/microsoft.public.windows.server.update_services


    MowGreen [MVP 2003-2009]
    ===============
    *-343-* FDNY
    Never Forgotten
    ===============
     
    MowGreen [MVP], Oct 21, 2008
    #2
    1. Advertisements

  3. Drew

    Drew Guest

    I apologize for the wrong NG... I was unaware that there was one for update
    services. Thanks for pointing me in the right direction.

    Drew
     
    Drew, Oct 21, 2008
    #3
  4. Looks as if you have the user group policy setting "Remove access to use all
    Windows Update features" enabled. This will disable the reboot prompt.

    This post describes how to enable just the reboot prompt while leaving the group
    policy setting in place:

    <http://groups.google.com/group/microsoft.public.windows.server.update_services/msg/60e7023cbee2712e>

    http://groups.google.com/group/microsoft.public.windows.server.update_services/msg/60e7023cbee2712e

    Harry.
     
    Harry Johnston [MVP], Oct 21, 2008
    #4
  5. They're never going to prompt the user to reboot -- you've blocked access to
    the UI to allow that to happen by enabling the user policy "Remove access to
    use all Windows Update features".



    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin \(MVP\), Oct 21, 2008
    #5
  6. Drew

    Drew Guest

    Ok, that makes sense. If I disable, "Remove access to use all Windows
    Update features." then it seems to look to Windows Update instead of our
    WSUS server. For instance, I set 10 updates to be pushed, if I disable that
    policy, then I get 15 updates to be installed. Is it looking somewhere else
    besides my local WSUS?

    Thanks,
    Drew
     
    Drew, Oct 21, 2008
    #6
  7. That definitely shouldn't happen. I suspect you're mistaken; could you try it
    again?

    Harry.
     
    Harry Johnston [MVP], Oct 21, 2008
    #7
  8. That policy would not make any distinction between WSUS or Automatic
    Updates.

    Of course, if you're expecting to see a web-based client interface for WSUS,
    that could be the source of the confusion.

    WSUS works in the background, just like Automatic Updates has for the past
    ten years.

    This would suggest that the client isn't even using WSUS, but is still using
    the default "Automatic Updates" methodology.

    Quite possibly!

    1. Technical/semantical point -- the WSUS Server doesn't push updates, it
    makes them available to clients who identify and request them.

    2. In order for clients to identify and request them, they need to know
    where the WSUS Server is. Have you configured Group Policy (or Local Policy
    if no Active Directory) to correctly configure the clients to use the WSUS
    Server? Of particular note, the one policy that impacts the WSUS vs AU
    decision is the policy "Specific intranet Microsoft update services
    location" which must be enabled to faciliate the use of a WSUS Server.

    3. Once the policy is configured, to verify that the clients are properly
    receiving the policy you can use any of the policy management tools, or you
    can inspect the registry at HKLM\Software\Policies\Microsoft\WindowsUpdate,
    and in the AU subkey the value "UseWUServer" should be = dword:0x1.

    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin \(MVP\), Oct 21, 2008
    #8
  9. Drew

    Drew Guest

    I retried it. I was mistaken, it looks to have worked correctly. Although
    now I need to figure out how to automatically install them and then prompt
    the user to reboot.

    We had this working at one time, but it was automatically rebooting the
    user, which causes a lot of problems. Most of our computers aren't kept
    powered on all night (power saving initiatives), so we can't schedule to
    install the updates and reboot.

    Thanks,
    Drew
     
    Drew, Oct 22, 2008
    #9
  10. Drew

    ahmed Guest

     
    ahmed, Oct 22, 2008
    #10
  11. Drew

    ahmed Guest

     
    ahmed, Oct 22, 2008
    #11
  12. Drew

    ahmed Guest

     
    ahmed, Oct 22, 2008
    #12
  13. Drew

    Drew Guest

    I understand that, it was a semantic oversight...
    OK... here is the problem. Our Group Policy worked great before all of our
    computers were refreshed. Once the computers were refreshed, the Local
    Policy seems to be overriding the Group Policy. Therefore when setting the
    Group Policy on AD, it doesn't do anything. I have been testing with my
    computer, by changing the local user policy.

    I am not sure how to change all of the local user policies across the
    organization, which I guess is my next task.

    I also want to figure out how to automatically install the updates and
    prompt to reboot.

    Thanks,
    Drew
     
    Drew, Oct 22, 2008
    #13
  14. Fwiw... Local Policy *cannot* override Group Policy.

    If it appears that local policy is overriding group policy,
    you have a bona fide indication that group policy is *not* being received by
    the client.
    You have to go to each individual machine -- that's why they're called
    "local" policies. :)

    But don't do that. It won't help, and you'll just waste a lot of time
    chasing geese.

    Instead use one system .. a trusted system .. and diagnose why the GROUP
    policy is not being applied as intended.
    Fix your policy issue first. The rest will automagically follow!


    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin \(MVP\), Oct 22, 2008
    #14
  15. Drew

    justscott Guest

    I have my computers now automatically updating at night and prompting
    loggedon users for a restart. They only notification they receive is if they
    need a restart... no yellow shield that updates are downloaded and no option
    to decline.

    See if you have a USER setting: 'Enable Windows Update Notifications' under
    the WindowsUpdate section.

    I'm not sure how I have this setting, but it's most likely due to a updated
    wuau.adm template. How I got it i'm not sure..I didn't update it manually.
    However, I did install the WUA Client 7.2.6001.784 on the computer that I
    administer my GPO's from.... It would be nice to know if this newer WUA
    Client actually modifies/updates the wuau.adm file.
    http://support.microsoft.com/kb/949104/en
     
    justscott, Oct 22, 2008
    #15
  16. Drew

    DaveMills Guest

    Look at the event log for errors and try leaving and rejoining the domain or
    simply using the network wizard to re-establish the trust between the client and
    the DC. If that works and the new OS was installed using an image I would start
    to consider how the image was made.
     
    DaveMills, Oct 23, 2008
    #16
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.