Okay, first, if you /schedule/ installations for midnight, then there are
only two ways an update can be installed at any other time than midnight.
One is if the user is a local administrator and they /choose/ to install the
update. If that happens, that user should be prepared to restart their
system, and the rest really should not be of any concern.
The second is if the machine was powered down the night before, an update
was scheduled to be installed, but did not, and the machine is then powered
up the next day. By default, the WUA will attempt to install the missed
scheduled installation when the system powers up. You can change this
behavior in policy by setting the policy "Reschedule Automatic Updates
scheduled installations" to DISABLED, which will prohibit updates from being
installed at powerup, and they will only be installed at /scheduled/
Second, even if a user does get a Reboot Pending popup.. it will give them
five minutes to save their work, close their applications, and during this
time they'll be presented with a visual countdown to the reboot. And,
notwithstanding all of that, it's a rare application that will not
gracefully save open work and close normally in response to a system
initiated reboot. This has been a feature of Windows since the days of
As far as "restarting at a later time...", I would strongly discourage any
such practice. An update that requires a restart is not fully installed
until the restart happens. (The files are actually copied into the system
folders at /startup/.) As a result, until the restart happens, the system is
(a) not patched, and thus still insecure or unstable (depending on the
reason for the update), and (b) additionally "unstable" because some of the
update files may have been copied to their final destinations, while others
were not, potentially resulting in mismatched code modules.
Post by ANDY
Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
How to really make sure this never happens, also Is there any way clients can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please
what is the best option I need to choose in Active Directory Group policy
Automatic updates for clients (is it option 3 or 4),I do not want the
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc)
to push the updates from WSUS Console to certain computers