Re: Rescheduling missed updates with WSUS 3.0

Dave, I was just reading through your thread again and the link you referred to.

In my Group Policy I have a Policy called WSUS that is linked to the domain. Are you saying that you have a seperate policy for WSUS Client computers and WSUS Server Computers ?

Do you then link these to the domain.local > My Business > Computers > SBSServers / SBSComputers containers seperately to control the download and install behaviour ?

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OJPmDObFIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
If I'm reading your original post correctly, your users are local admins on the client PCs? That would explain why they get the shield, and can choose to install the updates or not. I agree that's a weakness, but I've only got a couple of users who run as local admin. I'm one of them (don't tell Susan Bradley), and I leave my PC running all the time, so mine are already installed when I get here. I've recommended that the others just ignore the shield, and let the updates either install at the scheduled time, or at shutdown.

I would expect that if you tell AU to install the updates at mid-day, they would install, but then the users (at least the non-admin users) would be forced to reboot. Even admin users will get tortured with frequent requests to reboot, although at least they can veto the request if they're paying enough attention not to OK it without thinking.

Whatever you do, I recommend enabling the setting not to force the restart. I haven't had any problems with non-admin users just doing the "install updates and shut down" thing, allowing the updates to install at the end of the work day - that becomes the default shutdown option if there are updates waiting to install.

By the way, while I have client PCs set to "auto download and install," the SBS and member servers are set to "auto download and notify." I don't ever want a server to reboot itself unless I'm here to make sure it comes back up normally, and I view automatically updating servers as an invitation for your boss to call you with a big problem during your vacation.

This article explains all of this in detail - see the chart about 3/4 of the way down that tells the effect of the settings on admin and non-admin users.

Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
http://www.microsoft.com/technet/community/columns/sectip/st0506.mspx

"Arthur" <mynewsgroupaccount@xxxxxxxxx> wrote in message news:uRlvxCbFIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much for the information.
From your description it actually sounds like the system is behaving correctly. RSOP returns the correct results.
I was under the impression that it would just go ahead and install the updates if the schedule was missed not present the Yellow shield and ask the admin user. That seems to me to describe "Download updates for me but let me choose when to install them"

What would happen if the schedule was set for updating the clients at say mid-day when it is more likely the PCs will be turned on ? Would the updates just go ahead and install or would the yellow shield appear again ?

There seems to be some room for error when the admin user can decide not to install the updates and can also choose not to install the updates at shutdown time as well ?

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23asfliaFIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
First things first. It sounds like the policy might not be getting applied to the workstations? If you look in CP -> Automatic Updates, can you see that the policies you set are indicated there, with no ability to change them? If you log into the workstation and do Start -> Run -> Rsop.msc, do you see the policies in the results? (You might have to restart the workstation several times - maybe 3 - before the policy will be applied).

I have the policy set to not force a reboot if a user is logged in. So if the PC is turned off when the update is scheduled, and the user has local admin rights, when they restart they get the yellow shield prompting them to apply the updates. If they don't, when they go to shut down, they get "Install updates and shut down." If they don't shut down, updates apply at the next scheduled time, as long as the user is logged out.

Non-admin users get the same thing, except they don't see the shield or have the option to manually install the missed updates. They either get "Install updates and shut down," or the update installs at the next scheduled time.


"Arthur" <mynewsgroupaccount@xxxxxxxxx> wrote in message news:OgTMjbaFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
I'm confused about the Automatic Update client when using WSUS.

I have installed WSUS 3.0 on the small business server and created the Computer Groups. I have setup the schedule for the Client computers to update at 3.00 a.m.

I have checked in the Groups Policy editor on the server and this all seems to be setup in the right place.

What is confusing me is that if a client computer is turned off at night it is not automatically updating after it turns on in the morning. It shows an alert that updates are waiting but they are not getting installed automatically.

According to the deployment guide on Technet this shold occur one minute after reboot if the Reschedule Automatic Update scheduled installations is set to not configured - see below.

If I use gpedit on the client then the settings do not show up as set at all.

I must be missing something basic ?
Reschedule Automatic Updates scheduled installations
This policy specifies the amount of time that Automatic Updates should wait after system startup before proceeding with a scheduled installation that did not take place earlier.

If the status is set to Enabled, a missed installation will occur the specified number of minutes after the computer is next started.

If the status is set to Disabled, a missed installation will occur with the next scheduled installation.

If the status is set to Not Configured, a missed installation will occur one minute after the next time the computer is started.

This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

To reschedule Automatic Update scheduled installation

1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Reschedule Automatic Update scheduled installations, click Enabled, and type the number of minutes to wait.

3. Click OK.











.

Relevant Pages

  • Re: Possible security issue??
    ... updates with no issues. ... were able to install their auto updates as well. ... permission policy. ... Did you verify that the client computer is using ONLY ...
    (microsoft.public.win2000.security)
  • Re: Possible security issue??
    ... updates with no issues. ... were able to install their auto updates as well. ... permission policy. ... Did you verify that the client computer is using ...
    (microsoft.public.win2000.security)
  • Re: wsus question
    ... Did you install the .adm and configure it for the clients? ... POLICY!!AutoUpdateCfg ... AutoUpdateCfg="Configure Automatic Updates" ...
    (microsoft.public.windows.server.general)
  • Re: Windows update policy
    ... Allow Automatic Updates immediate installation Enabled ... 4 - Auto download and schedule the install ... Reschedule Automatic Updates scheduled installations Enabled ...
    (microsoft.public.windows.group_policy)
  • Question to Restart After Win Updates Installed - No Button Greyed
    ... The machine does NOT automatically reboot after the ... install, per the No Auto-Restart for Scheduled Automatic ... Updates Installations policy. ...
    (microsoft.public.windowsupdate)