Re: Windows Update "restart" dialog pestering users

Doug, you don't believe that that is what I am doing all day, do
you, surfing around to see if there are patches?

I used to subscribe to email notification for security patches.
Nowadays, I mostly subscribe to RSS newsfeeds.
So I'm notified at my workstation when there's something that I
should consider installing on my servers.

Here are the different notification methods and how to subscribe:
http://www.microsoft.com/technet/security/bulletin/notify.mspx

Moreover, I do *not* recommend to install *anything*, and that
includes Microsoft security patches, on a production server without
prior testing.

So my workflow is as follows:
RSS agent runs continuously on my workstation. I get notified about
a new critical security patch for my servers. I read the
documentation and install it on a test server (which is an exact
image of a production server where it comes to software, but runs
on cheap hardware), reboot it, perform some basic testing and then
take it into production with a couple of pilot users. Let this run
for a day or so (depending on the type of update). When no errors
are reported, I schedule maintenance time and update all my
production servers.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Doug Starkey <doug_starkey@xxxxxxxxxxxxxxx> wrote on 14 nov 2005
in microsoft.public.windows.terminal_services:

> Well, I reject the characterization that having "Automatic
> Updates" turned on is a "mistake". I prefer to think of it as a
> matter of choice. I DO NOT let the updates automatically
> install; I don't even let them download automatically. I simply
> have it turned on in order to alert me to the fact that
> Microsoft has released a new patch. I have too many things going
> on in the course of my day to have to sit and think about,
> "Hmmm, I wonder if there is a new patch for my server...".
> Frankly, that is poor use of my time. Maybe some other
> administrators have the luxury of sitting around and surfing the
> web to see if there is some new fix to some hole in Microsoft's
> software. I don't. The alert from Automatic Updates makes my
> life a little simpler because I don't have to remember. I can
> let the computer do the "busy work" for me. And in these days
> when a security hole can have an exploit exposed even before MS
> issues a patch, the Automatic Updates at least help me keep as
> current as possible.
>
> But, if I leave the alerts on, my TS users keep getting prompted
> that there are new updates available.
>
> Heckuva choice to have to make.
>
> Right now I have gone ahead and turned off automatic updates. If
> someone has a group policy that will let only the Administrator
> see the alerts but not the "users", I would be greatly
> appreciative of knowing the proper settings.
>
> Doug Starkey
> Network Administrator
> Pecan Deluxe Candy Company
>
> In article <Xns970BDABAD2A4Cveranoesthemutforsse@xxxxxxxxxxxxx>,
> "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
> wrote:
>
>> What you seem to have done is to disable configuration of
>> Windows Update for your users (that's why the options are
>> greyed out, which is good), probably here:
>>
>> User Configuration - Administrative Templates - Windows
>> Components - Windows Update
>> "Remove access to use all Windows Update features" = Enabled
>>
>> without first disabling Windows Update completely, done here:
>>
>> Computer Configuration - Administrative Templates - Windows
>> Components - Windows Update
>> "Configure Automatic Updates" = Disabled
>>
>> IMHO, no user should ever see a reboot prompt, because the only
>> time that the system is updated is when you as Administrator
>> have manually started a Windows Update, in your scheduled
>> maintenance time. And then you have of course no users on the
>> system.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "OliverL" <olivvilo@xxxxxxxxxxxxxx> wrote on 11 nov 2005 in
>> microsoft.public.windows.terminal_services:
>>
>> > My response to goneill3's reply to Doug's original post was
>> > really about GPO.
>> >
>> > I also have GPO in place, which makes "Automatic Update" in
>> > Control Panel no longer configurable, (all options are grayed
>> > out). So we will keep seeing the reboot prompt.
>> >
>> > If there is something else that I didn't do correctly, please
>> > let me know, because I really want to avoid seeing the reboot
>> > prompt popping up on all TS users' desktop.
>> >
>> > Thanks.
>> >
>> >
>> > "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> > wrote in message
>> > news:Xns970ADD7A7621veranoesthemutforsse@xxxxxxxxxxxxxxxx
>> >> But if you disable Windows Update, there will never be a
>> >> reboot prompt for your users to see. Doug already came to
>> >> the conclusion that he made a mistake:
>> >>
>> >>>>> I figured, "What the heck, I'll download &
>> >>>>> install them and then wait to reboot until it is
>> >>>>> convenient."
>> >>>>>
>> >>>>> Obviously this is a bad choice.
>> >>
>> >> What you should do is to take complete control over the
>> >> update process: disable Windows Update, and only run it when
>> >> you have planned to run it, and when you also have the
>> >> opportunity to reboot directly after the update.
>> >>
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> "OliverL" <olivvilo@xxxxxxxxxxxxxx> wrote on 10 nov 2005 in
>> >> microsoft.public.windows.terminal_services:
>> >>
>> >>> I think what Doug says is also the reboot prompt that is
>> >>> showing on all TS users (including admin) desktop.
>> >>>
>> >>> Turn off "Auto Update" will prevent the update prompt from
>> >>> showing prior to the update, but GPO will _not_ prevent the
>> >>> restart popup from showing on ALL TS users' desk _after_
>> >>> the server's updated.
>> >>>
>> >>> It's annoying, and confuses TS users who can do nothing
>> >>> about it.
>> >>>
>> >>> I want to disable this too, but don't know how.
>> >>>
>> >>> "goneill3" <goneill3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >>> message
>> >>> news:571FE12A-E072-44A3-94AC-50973A66F292@xxxxxxxxxxxxxxxx
>> >>>> Turn off Windows Automatic Update.
>> >>>>
>> >>>> Right click on my computer and go to properties, then
>> >>>> select the automatic updates tab. select the "Turn off
>> >>>> Automatic Updates"
>> >>>>
>> >>>> Better still, you should be doing this through group
>> >>>> policy, either local or Domain.
>> >>>>
>> >>>> goneill3
>> >>>>
>> >>>> "Doug Starkey" wrote:
>> >>>>
>> >>>>> If I'm posting this question in the wrong group, just let
>> >>>>> me know.
>> >>>>>
>> >>>>> I'm running TS on a Win2003 Server. I received notice
>> >>>>> that there were new updates available from Microsoft that
>> >>>>> needed to be installed. I figured, "What the heck, I'll
>> >>>>> download & install them and then wait to reboot until it
>> >>>>> is convenient."
>> >>>>>
>> >>>>> Obviously this is a bad choice. Now, all my TS users are
>> >>>>> recieving a dialog that says:
>> >>>>> "Automatic Updates
>> >>>>> Updating your computer is almost complete. You
>> >>>>> must restart your computer for the updates to
>> >>>>> take effect.
>> >>>>>
>> >>>>> Do you want to restart your computer now?"
>> >>>>>
>> >>>>> They then see two "grayed-out" buttons that say, "Restart
>> >>>>> Now" and "Restart Later". They cannot click either of the
>> >>>>> buttons nor can they close/dismiss the dialog box. Their
>> >>>>> only option is to drag the dialog to one corner of the
>> >>>>> screen and go on about their work.
>> >>>>>
>> >>>>> I, at the administrator console, keep getting that dialog
>> >>>>> about every 5 minutes! I COULD click the "Restart Now"
>> >>>>> button... but I don't want to just yet. I click the
>> >>>>> "Restart Later" button, the dialog goes away... AND COMES
>> >>>>> BACK IN 5 MINUTES!!!
>> >>>>>
>> >>>>> Surely there is some way to prevent my "Users" from
>> >>>>> seeing this dialog at all. And surely there is some way
>> >>>>> to make the computer wait longer than 5 minutes to ask me
>> >>>>> if I want to restart... again!!!
>> >>>>>
>> >>>>> Somebody please help!
>> >>>>>
>> >>>>> TIA,
>> >>>>>
>> >>>>> Doug Starkey
>> >>>>> Network Administrator
>> >>>>> Pecan Deluxe Candy Company
.