Force reboot in WSUS

TheMSsForum.com: The Microsoft Software Forum

We've used SUS for quite some time now to distribute updates. I am in the
process of moving to WSUS and for the most part things seem to be working
well. One nice feature is the ability to see if a user has taken on the
patches. I know for a fact that currently many users blow past the install
and/or reboot prompts that they receive when SUS is trying to do its thing.
Ultimately I believe that we end up with machines that are not properly
patched. In WSUS it's nice to be able to get a report on the status of those
machines, but is there a way to force that PC to reboot remotely so that all
the patches are properly done?
Top

Re: Force reboot in WSUS by Roger

Roger
Thu Sep 22 21:12:24 CDT 2005

Yes, you can force the reboot when one is needed.
Also notice that with WSUS you can both provide a
schedule by which time the client is to have completed
install of a patch, and also, you can have patches that
do not interrupt services or require reboot installed
immediately (rather than waiting for next scheduled
install time).
Now, back to your point, with WSUS you require
installation in the same way as was done in SUS.
You set the Configure Automatic Updates to 4, and
you do not allow users to receive the update notifications
that let them delay. These settings are all well-covered
in the WSUS deployment paper.
Also, you are correct, if an install has been deferred,
then new patches are not noticed until the deferred has
been allowed to complete.

"Jon Yiesla" <Jon Yiesla@discussions.microsoft.com> wrote in message
news:14AA47DA-EDE9-4104-8F64-D83669B4C9DA@microsoft.com...
> We've used SUS for quite some time now to distribute updates. I am in the
> process of moving to WSUS and for the most part things seem to be working
> well. One nice feature is the ability to see if a user has taken on the
> patches. I know for a fact that currently many users blow past the install
> and/or reboot prompts that they receive when SUS is trying to do its
> thing.
> Ultimately I believe that we end up with machines that are not properly
> patched. In WSUS it's nice to be able to get a report on the status of
> those
> machines, but is there a way to force that PC to reboot remotely so that
> all
> the patches are properly done?


Top

Re: Force reboot in WSUS by Jon

Jon
Fri Sep 23 08:12:02 CDT 2005

Thanx for the reply. I have another question based on your answer. I see in
the deployment guide that there is indeed a registry key that will force the
updated computer to reboot and that the user has no ability to stop. I had
missed it on my original read since I was concentrating on the GPO settings.
However, I don't see a corresponding option in the GPO choices. Is there a
simple way to force the appropriate registry key out to the users via GPO?
Thanx...Jon

"Roger Abell [MVP]" wrote:

> Yes, you can force the reboot when one is needed.
> Also notice that with WSUS you can both provide a
> schedule by which time the client is to have completed
> install of a patch, and also, you can have patches that
> do not interrupt services or require reboot installed
> immediately (rather than waiting for next scheduled
> install time).
> Now, back to your point, with WSUS you require
> installation in the same way as was done in SUS.
> You set the Configure Automatic Updates to 4, and
> you do not allow users to receive the update notifications
> that let them delay. These settings are all well-covered
> in the WSUS deployment paper.
> Also, you are correct, if an install has been deferred,
> then new patches are not noticed until the deferred has
> been allowed to complete.
>

Top

Re: Force reboot in WSUS by Torgeir

Torgeir
Fri Sep 23 09:29:29 CDT 2005

Jon Yiesla wrote:

> Thanx for the reply. I have another question based on your answer. I see in
> the deployment guide that there is indeed a registry key that will force the
> updated computer to reboot and that the user has no ability to stop. I had
> missed it on my original read since I was concentrating on the GPO settings.
> However, I don't see a corresponding option in the GPO choices. Is there a
> simple way to force the appropriate registry key out to the users via GPO?
> Thanx...Jon
>
Hi,

What registry value is it that you have found?


And a fyi:

In the future, please post WSUS related issues to the newsgroup
dedicated to WSUS:
microsoft.public.windows.server.update_services

WebNews link to the WSUS newsgroup:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.update_services


Or use a newsgroup reader (default Outlook Express) to access this new
group:

Clicking on this link should open this group in OE:

news://msnews.microsoft.com/microsoft.public.windows.server.update_services



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
Top

Re: Force reboot in WSUS by JonYiesla

JonYiesla
Fri Sep 23 09:50:04 CDT 2005

Sorry...I looked for a WSUS specific group, but must have missed it in the
list.

The registry settings is NoAutoRebootWithLoggedOnUsers. There doesn't appear
to be a corresponding adm setting for the GPO.
Jon

"Torgeir Bakken (MVP)" wrote:

> Jon Yiesla wrote:
>
> > Thanx for the reply. I have another question based on your answer. I see in
> > the deployment guide that there is indeed a registry key that will force the
> > updated computer to reboot and that the user has no ability to stop. I had
> > missed it on my original read since I was concentrating on the GPO settings.
> > However, I don't see a corresponding option in the GPO choices. Is there a
> > simple way to force the appropriate registry key out to the users via GPO?
> > Thanx...Jon
> >
> Hi,
>
> What registry value is it that you have found?
>
>
> And a fyi:
>
> In the future, please post WSUS related issues to the newsgroup
> dedicated to WSUS:
> microsoft.public.windows.server.update_services
>
> WebNews link to the WSUS newsgroup:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.update_services
>
>
> Or use a newsgroup reader (default Outlook Express) to access this new
> group:
>
> Clicking on this link should open this group in OE:
>
> news://msnews.microsoft.com/microsoft.public.windows.server.update_services
>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
Top

Re: Force reboot in WSUS by Torgeir

Torgeir
Fri Sep 23 10:10:50 CDT 2005

Jon Yiesla wrote:

> Sorry...I looked for a WSUS specific group, but must have missed
> it in the list.
>
> The registry settings is NoAutoRebootWithLoggedOnUsers. There
> doesn't appear to be a corresponding adm setting for the GPO.
Hi,

The policy for that registry value is "No auto-restart for scheduled
Automatic Updates installations"

(to have the most up to date wuau.adm file, use the wuau.adm file that
the WSUS installation places in the folder %windir%\inf\ on the WSUS
server)


From the help listing for this policy:

"Specifies that to complete a scheduled installation, Automatic
Updates will wait for the computer to be restarted by any user
who is logged on, instead of causing the computer to restart
automatically.

If the status is set to Enabled, Automatic Updates will not
restart a computer automatically during a scheduled installation
if a user is logged in to the computer. Instead, Automatic Updates
will notify the user to restart the computer.

Be aware that the computer needs to be restarted for the updates
to take effect.

If the status is set to Disabled or Not Configured, Automatic
Updates will notify the user that the computer will automatically
restart in 5 minutes to complete the installation.

Note: This policy applies only when Automatic Updates is
configured to perform scheduled installations of updates. If the
"Configure Automatic Updates" policy is disabled, this policy has
no effect."



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
Top

Re: Force reboot in WSUS by JonYiesla

JonYiesla
Fri Sep 23 10:35:05 CDT 2005

We've used that GPO setting before and have it set to not configured because
the 5 minute restart was OK. However, from what I've seen, at least with
SUS, the user has an option to stop the countdown which can in effect keep
the PC from ever being rebooted. The explanation for the registry key leads
me to believe that the user can't stop the countdown.
Jon

"Torgeir Bakken (MVP)" wrote:

> Jon Yiesla wrote:
>
> > Sorry...I looked for a WSUS specific group, but must have missed
> > it in the list.
> >
> > The registry settings is NoAutoRebootWithLoggedOnUsers. There
> > doesn't appear to be a corresponding adm setting for the GPO.
> Hi,
>
> The policy for that registry value is "No auto-restart for scheduled
> Automatic Updates installations"
>
> (to have the most up to date wuau.adm file, use the wuau.adm file that
> the WSUS installation places in the folder %windir%\inf\ on the WSUS
> server)
>
>
> From the help listing for this policy:
>
> "Specifies that to complete a scheduled installation, Automatic
> Updates will wait for the computer to be restarted by any user
> who is logged on, instead of causing the computer to restart
> automatically.
>
> If the status is set to Enabled, Automatic Updates will not
> restart a computer automatically during a scheduled installation
> if a user is logged in to the computer. Instead, Automatic Updates
> will notify the user to restart the computer.
>
> Be aware that the computer needs to be restarted for the updates
> to take effect.
>
> If the status is set to Disabled or Not Configured, Automatic
> Updates will notify the user that the computer will automatically
> restart in 5 minutes to complete the installation.
>
> Note: This policy applies only when Automatic Updates is
> configured to perform scheduled installations of updates. If the
> "Configure Automatic Updates" policy is disabled, this policy has
> no effect."
>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
Top

Re: Force reboot in WSUS by Torgeir

Torgeir
Fri Sep 23 10:47:02 CDT 2005

Hi,

Try to set it to "Disabled"...

Torgeir

Jon Yiesla wrote:

> We've used that GPO setting before and have it set to not configured because
> the 5 minute restart was OK. However, from what I've seen, at least with
> SUS, the user has an option to stop the countdown which can in effect keep
> the PC from ever being rebooted. The explanation for the registry key leads
> me to believe that the user can't stop the countdown.
> Jon
>
> "Torgeir Bakken (MVP)" wrote:
>
>
>>Jon Yiesla wrote:
>>
>>
>>>Sorry...I looked for a WSUS specific group, but must have missed
>>>it in the list.
>>>
>>>The registry settings is NoAutoRebootWithLoggedOnUsers. There
>>>doesn't appear to be a corresponding adm setting for the GPO.
>>
>>Hi,
>>
>>The policy for that registry value is "No auto-restart for scheduled
>>Automatic Updates installations"
>>
>>(to have the most up to date wuau.adm file, use the wuau.adm file that
>>the WSUS installation places in the folder %windir%\inf\ on the WSUS
>>server)
>>
>>
>> From the help listing for this policy:
>>
>>"Specifies that to complete a scheduled installation, Automatic
>>Updates will wait for the computer to be restarted by any user
>>who is logged on, instead of causing the computer to restart
>>automatically.
>>
>>If the status is set to Enabled, Automatic Updates will not
>>restart a computer automatically during a scheduled installation
>>if a user is logged in to the computer. Instead, Automatic Updates
>>will notify the user to restart the computer.
>>
>>Be aware that the computer needs to be restarted for the updates
>>to take effect.
>>
>>If the status is set to Disabled or Not Configured, Automatic
>>Updates will notify the user that the computer will automatically
>>restart in 5 minutes to complete the installation.
>>
>>Note: This policy applies only when Automatic Updates is
>>configured to perform scheduled installations of updates. If the
>>"Configure Automatic Updates" policy is disabled, this policy has
>>no effect."
>>
>>
>>
>>--
>>torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
>>Administration scripting examples and an ONLINE version of
>>the 1328 page Scripting Guide:
>>http://www.microsoft.com/technet/scriptcenter/default.mspx
>>


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
Top

Re: Force reboot in WSUS by JonYiesla

JonYiesla
Fri Sep 23 14:36:02 CDT 2005

OK...I'll give that a shot.,..thanx.

"Torgeir Bakken (MVP)" wrote:

> Hi,
>
> Try to set it to "Disabled"...
>
> Torgeir
>

Top

Re: Force reboot in WSUS by JonYiesla

JonYiesla
Thu Oct 27 12:32:14 CDT 2005

OK, I've finally managed to test this. When I set the No Auto-restart for
scheduled Automatic Updates Installations to Not Configured or to Disabled it
does give me a 5 minute warning that a restart will occur, but I always get
the option to delay the restart. What I want is a five minute warning that a
restart will occur, but I don't want a way for the user to stop the
countdown. Can I do what with WSUS?
Jon
Top