WSUS and forcing users to restart

[efector]

Currently I have configured a GPO that automatically downloads & installs updates. The challenge is that I have it set to prompt to restart(which is a requirement....no auto-rebooting).

Is there a way, to only allow users to delay the reboot ONCE and then the next time force them to restart. This is especially a problem with our laptop users because they just hibernate/suspend and never seem to restart.

Domain Controllers: Win2K8 R2
Client Machines: Windows XP w/SP3

 

[eritguy]

We run into the issue of annoying the end users so we have done it a different way.

All we do are reg hacks instead of GPO.

Although the user isn't forced to reboot, it pops up a window to restart now or later, but I push updates in the middle of the day and someone is cranking away on a word doc and happens to hit enter when that pops up (for the good typers that don't look at the screen!), they will reboot and lose their document.

My work around (using Novell Zenworks in an eDir environment on Windows XP, now Windows 7 machines) is to create a group of laptops and desktops and force run a reg hack against those groups. After the distribution of the reg hacks, I force a refresh of WSUS target.

Here's what I have, you can figure out what it does:

Laptops:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroup"="Laptops"
"TargetGroupEnabled"=dword:00000001
"WUServer"="

http://wsus.mydomain.com"

"WUStatusServer"="

http://wsus.mydomain.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows WindowsUpdate\AU]
"AUOptions"=dword:00000003
"noauasdefaultshutdownoption"=dword:00000000
"noaushutdownoption"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RescheduleWaitTime"=dword:00000005
"RescheduleWaitTimeEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000005
"UseWUServer"=dword:00000001

Desktops:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsof

t\Windows\WindowsUpdate]
"TargetGroup"="Desktops"
"TargetGroupEnabled"=dword:00000001
"WUServer"="

http://wsus.mydomain.com"

"WUStatusServer"="

http://wsus.mydomain.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RescheduleWaitTime"=dword:00000005
"RescheduleWaitTimeEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000005
"UseWUServer"=dword:00000001

Script to refresh target:

net stop wuauserv
net start wuauserv
wuauclt /resetauthorization /detectnow

Now, when I want to deploy updates to desktops, I wake on lan using a scheduled task at night to run (and log it to find out which ones didn't wake up or respond so we can walk to them in the morning and force it on and to update). I push the updates towards the end of the work day before waking up the desktops giving them time to download. Then I just allow it to install and reboot on it's own. The side affect to this is a half hour of work to wake up a few machines manually (in a building of 200 computers or a little more).

Now for laptops, I have them download but not automatically install (for obvious reasons). So I make them install it. When they shut down the default is to install updates and shutdown. They can skip it if they want (some are in a hurry), but eventually they will install it and let it shut down.

I have been unsuccessful disabling the restart prompt automatically, so this is the way we push updates until I get VDI going next summer for 85% of our 4500 computers.

Hope this helps somewhat.