We have WSUS pushing updates out to our user's workstations, and things are going relatively well with one annoying caveat: there seems to be an issue with a pop-up being displayed in front of some users informing them that their machine will be rebooted in 15 minutes, and they have nothing to say about it:
This may be because they did not log out the prior night. Nevertheless, this is a bit too much and is very counter-productive for our users.
Here is a bit about our environment: Our users are running Windows XP Pro and are part of an Active Directory Domain. WSUS is being applied via Group Policy. Here is a snapshot of the GPO that is enforcing the WSUS rules:
Here is how I want WSUS to work (ideally - I'll take whatever can get me close):
I want updates to automatically download and install every night. If a user is not logged in, I would like the machine to reboot. If a user is logged in, I would like their machine not to reboot, but instead wait until the next "installation period" where it can perform any other needed installations and reboot then (provided the a user account is not still logged in). If a user is to be prompted for reboot, it should only happen once per day (if possible), but every time they are prompted, they must have a way to postpone the reboot.
I do not want users to be forced to restart their computer whenever the computer thinks it should happen (unless it's after an update installation and there are no logged in users). That doesn't seem productive to force a system restart in the midst of a person's workday. Is there something that I can do with the GPO that would help make WSUS less intrusive? Even if it gave the user an option to Restart Later - that would be better than what is happening now.
edit
The goal is to be able to automatically download and install updates every night, and rebooting the machine only if there are no users logged on when the machine wants to reboot. If Windows has to nag the user about rebooting, this is perfectly fine - as long as they have an option to postpone that reboot.
edit
It turns out, we have some deadlines set on some updates (SP3, Client-Side Extensions, etc.), and with the post found below, some light has been shed on the situation:
I think the most workable and least intrusive solution is to change the Configure automatic updating setting to
3 - Auto download and notify for install. That will not interrupt the user, and the option toInstall updates and Shut Downwill be automatically selected on the shutdown menu.Periodically run a report of computers needing updates and wave a big stick at people who haven't done their updates.
You could change "Configure Automatic Updates" to option "3 - Auto download and notify for install" -- you can enable and set a time limit for "Delaying Restart for scheduled installations"
You could also try "No auto-restart with logged on users for scheduled automatic updates installations" set to Enabled with "Re-prompt for restart with scheduled installations"
This was our biggest obstacle for deploying WSUS. The previous implementor ignored this, and we had teachers being forced to restart in the middle of a class. They were not pleased...
The settings you have should be doing this for you already. I have the same settings:
The "No auto-restart" setting is supposed to make this work the way you want. From WSUS help: "Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer."
We have not had any complaints since implementing this. I tested on a few of our more "forgiving" users before deploying to the whole school. I'm not sure that anyone even noticed that the updates were happening.
Another setting that I use that I think helps our laptop users is:
This allows them to actually get their computers turned on and logged in before the background update installations start happening. I didn't want the installations to slow down the startup/login process if a teacher turned on their computer right before class.
I would change the following policy settings. The first because some updates don't require a restart of the machine and these can download and install protecting the machine before the next reboot. The second, because (assuming you are running most users as standard users as would be recommended) the lack of messages being shown to them maybe causing the forced reboots. Non admin users wouldn't be given update notifications of any kind, but they would need to follow the requested reboots of messsage they're blocked from seeing.