Discussion:
WSUS Update Issue
(too old to reply)
ANDY
2005-10-03 16:26:01 UTC
Permalink
I have Installed WSUS Server on win2k3 Server. Now could anyone please tell me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
Lawrence Garvin
2005-10-03 16:47:29 UTC
Permalink
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.

Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.

Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.

The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.

In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".

There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please tell me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
ANDY
2005-10-03 17:11:04 UTC
Permalink
Hi Lawrence,

Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
mid night
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
reboots.
How to really make sure this never happens, also Is there any way clients can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please tell me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
Lawrence Garvin
2005-10-04 01:07:36 UTC
Permalink
Okay, first, if you /schedule/ installations for midnight, then there are
only two ways an update can be installed at any other time than midnight.

One is if the user is a local administrator and they /choose/ to install the
update. If that happens, that user should be prepared to restart their
system, and the rest really should not be of any concern.

The second is if the machine was powered down the night before, an update
was scheduled to be installed, but did not, and the machine is then powered
up the next day. By default, the WUA will attempt to install the missed
scheduled installation when the system powers up. You can change this
behavior in policy by setting the policy "Reschedule Automatic Updates
scheduled installations" to DISABLED, which will prohibit updates from being
installed at powerup, and they will only be installed at /scheduled/
installation times.

Second, even if a user does get a Reboot Pending popup.. it will give them
five minutes to save their work, close their applications, and during this
time they'll be presented with a visual countdown to the reboot. And,
notwithstanding all of that, it's a rare application that will not
gracefully save open work and close normally in response to a system
initiated reboot. This has been a feature of Windows since the days of
Windows v3.1.

As far as "restarting at a later time...", I would strongly discourage any
such practice. An update that requires a restart is not fully installed
until the restart happens. (The files are actually copied into the system
folders at /startup/.) As a result, until the restart happens, the system is
(a) not patched, and thus still insecure or unstable (depending on the
reason for the update), and (b) additionally "unstable" because some of the
update files may have been copied to their final destinations, while others
were not, potentially resulting in mismatched code modules.
Post by ANDY
Hi Lawrence,
Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
mid night
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
reboots.
How to really make sure this never happens, also Is there any way clients can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the
installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS
Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please
tell
me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc)
computers?Is
there ability
to push the updates from WSUS Console to certain computers
manually?Please
help.
ANDY
2005-10-04 15:22:09 UTC
Permalink
Is there any way I can configure in Group policy to give users time to rebbot
the computers after update to change from 5 mts to 25 minutes, as some users
over
here have registers and it is reallly annoying & frustrating to restart on
its own
while doing transaction.I truely appreciate if you can answer this question.
Post by Lawrence Garvin
Okay, first, if you /schedule/ installations for midnight, then there are
only two ways an update can be installed at any other time than midnight.
One is if the user is a local administrator and they /choose/ to install the
update. If that happens, that user should be prepared to restart their
system, and the rest really should not be of any concern.
The second is if the machine was powered down the night before, an update
was scheduled to be installed, but did not, and the machine is then powered
up the next day. By default, the WUA will attempt to install the missed
scheduled installation when the system powers up. You can change this
behavior in policy by setting the policy "Reschedule Automatic Updates
scheduled installations" to DISABLED, which will prohibit updates from being
installed at powerup, and they will only be installed at /scheduled/
installation times.
Second, even if a user does get a Reboot Pending popup.. it will give them
five minutes to save their work, close their applications, and during this
time they'll be presented with a visual countdown to the reboot. And,
notwithstanding all of that, it's a rare application that will not
gracefully save open work and close normally in response to a system
initiated reboot. This has been a feature of Windows since the days of
Windows v3.1.
As far as "restarting at a later time...", I would strongly discourage any
such practice. An update that requires a restart is not fully installed
until the restart happens. (The files are actually copied into the system
folders at /startup/.) As a result, until the restart happens, the system is
(a) not patched, and thus still insecure or unstable (depending on the
reason for the update), and (b) additionally "unstable" because some of the
update files may have been copied to their final destinations, while others
were not, potentially resulting in mismatched code modules.
Post by ANDY
Hi Lawrence,
Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
mid night
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
reboots.
How to really make sure this never happens, also Is there any way clients can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please
tell
me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
Torgeir Bakken (MVP)
2005-10-04 16:11:02 UTC
Permalink
Post by ANDY
Is there any way I can configure in Group policy to give users time to rebbot
the computers after update to change from 5 mts to 25 minutes, as some users
over
here have registers and it is reallly annoying & frustrating to restart on
its own
while doing transaction.I truely appreciate if you can answer this question.
Hi,

Enable the setting "Delay Restart for scheduled installations", and
specify 25 minutes in it. You will find the setting under
"Windows Update" in Group Policy.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
Lawrence Garvin
2005-10-04 18:06:58 UTC
Permalink
Absolutely, Andy.

Change the policy "Delay Restart for scheduled installations" to ENABLED,
and set the delay time to 25 minutes.

But if we're talking about POS terminals, there are even better options to
consider than just delaying the restart time after an installation.

For starters, I would strongly discourage installing updates on a POS
terminal during normal store operations. If that's your only choice, or the
store is a 24x7 operation, then I'd suggest looking at a defined
"maintenance window" when the POS terminals can rotate through a 30 minute
period of being unused, to facilitate installation of updates and a reboot.

Second, if the stores are not 24x7, and the /system/ can be left powered up
and logged off overnight, the installation of updates with restart during
overnight hours would be the best option. Combine this with the "Reschedule
Automatic Updates scheduled installations" = DISABLED to prevent update
installation at powerup, in the event a system is inadvertently powered down
on the night the updates are scheduled to be installed.

A third variation is rather than scheduling updates to occur on any day at a
specified time, you could actually schedule them to occur on a specified day
and time, when the store is fully closed and no activity is taking place at
all.

Finally, if the POS terminals are not yet running XP SP2 -- seriously
consider upgrading them, so that you can take advantage of the "Install
Updates and Shutdown" option, which is a great way to facilitate updating of
POS terminals. It simply becomes part of the cashier's daily close-out
procedures.

Most importantly, remember that in normal operations, this process is only
going to occur /monthly/, and predictably starting on the second Tuesday of
each month. The imposition on the users/cashiers should be absolutely
transparent if the processes are designed appropriately.
Post by ANDY
Is there any way I can configure in Group policy to give users time to rebbot
the computers after update to change from 5 mts to 25 minutes, as some users
over
here have registers and it is reallly annoying & frustrating to restart on
its own
while doing transaction.I truely appreciate if you can answer this question.
Post by Lawrence Garvin
Okay, first, if you /schedule/ installations for midnight, then there are
only two ways an update can be installed at any other time than midnight.
One is if the user is a local administrator and they /choose/ to install the
update. If that happens, that user should be prepared to restart their
system, and the rest really should not be of any concern.
The second is if the machine was powered down the night before, an update
was scheduled to be installed, but did not, and the machine is then powered
up the next day. By default, the WUA will attempt to install the missed
scheduled installation when the system powers up. You can change this
behavior in policy by setting the policy "Reschedule Automatic Updates
scheduled installations" to DISABLED, which will prohibit updates from being
installed at powerup, and they will only be installed at /scheduled/
installation times.
Second, even if a user does get a Reboot Pending popup.. it will give them
five minutes to save their work, close their applications, and during this
time they'll be presented with a visual countdown to the reboot. And,
notwithstanding all of that, it's a rare application that will not
gracefully save open work and close normally in response to a system
initiated reboot. This has been a feature of Windows since the days of
Windows v3.1.
As far as "restarting at a later time...", I would strongly discourage any
such practice. An update that requires a restart is not fully installed
until the restart happens. (The files are actually copied into the system
folders at /startup/.) As a result, until the restart happens, the system is
(a) not patched, and thus still insecure or unstable (depending on the
reason for the update), and (b) additionally "unstable" because some of the
update files may have been copied to their final destinations, while others
were not, potentially resulting in mismatched code modules.
Post by ANDY
Hi Lawrence,
Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
mid night
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
reboots.
How to really make sure this never happens, also Is there any way
clients
can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update,
except
that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers,
as
it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this
delay.
You
can also delay the restart of the system /IF/ a user is currently
logged
on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please
tell
me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the
computer
once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
ANDY
2005-10-05 00:01:01 UTC
Permalink
Hi Lawrence,

In Active directory group policy I have enabled under user configuration the
option "
Remove access to use all windows update features" which works fine for all my
clients on the Network and they cannot see the windows update button.
And I can see the windows update on all my Servers,
But the problem when i start update on update on the Servers it gives me
error and fails(saying Network problems preventin..). I have made sure that
server OU is not overriding with any other group policy. Please let me know
what is the best solution for doing updates on Servers?
Post by Lawrence Garvin
Absolutely, Andy.
Change the policy "Delay Restart for scheduled installations" to ENABLED,
and set the delay time to 25 minutes.
But if we're talking about POS terminals, there are even better options to
consider than just delaying the restart time after an installation.
For starters, I would strongly discourage installing updates on a POS
terminal during normal store operations. If that's your only choice, or the
store is a 24x7 operation, then I'd suggest looking at a defined
"maintenance window" when the POS terminals can rotate through a 30 minute
period of being unused, to facilitate installation of updates and a reboot.
Second, if the stores are not 24x7, and the /system/ can be left powered up
and logged off overnight, the installation of updates with restart during
overnight hours would be the best option. Combine this with the "Reschedule
Automatic Updates scheduled installations" = DISABLED to prevent update
installation at powerup, in the event a system is inadvertently powered down
on the night the updates are scheduled to be installed.
A third variation is rather than scheduling updates to occur on any day at a
specified time, you could actually schedule them to occur on a specified day
and time, when the store is fully closed and no activity is taking place at
all.
Finally, if the POS terminals are not yet running XP SP2 -- seriously
consider upgrading them, so that you can take advantage of the "Install
Updates and Shutdown" option, which is a great way to facilitate updating of
POS terminals. It simply becomes part of the cashier's daily close-out
procedures.
Most importantly, remember that in normal operations, this process is only
going to occur /monthly/, and predictably starting on the second Tuesday of
each month. The imposition on the users/cashiers should be absolutely
transparent if the processes are designed appropriately.
Post by ANDY
Is there any way I can configure in Group policy to give users time to rebbot
the computers after update to change from 5 mts to 25 minutes, as some users
over
here have registers and it is reallly annoying & frustrating to restart on
its own
while doing transaction.I truely appreciate if you can answer this question.
Post by Lawrence Garvin
Okay, first, if you /schedule/ installations for midnight, then there are
only two ways an update can be installed at any other time than midnight.
One is if the user is a local administrator and they /choose/ to install the
update. If that happens, that user should be prepared to restart their
system, and the rest really should not be of any concern.
The second is if the machine was powered down the night before, an update
was scheduled to be installed, but did not, and the machine is then powered
up the next day. By default, the WUA will attempt to install the missed
scheduled installation when the system powers up. You can change this
behavior in policy by setting the policy "Reschedule Automatic Updates
scheduled installations" to DISABLED, which will prohibit updates from being
installed at powerup, and they will only be installed at /scheduled/
installation times.
Second, even if a user does get a Reboot Pending popup.. it will give them
five minutes to save their work, close their applications, and during this
time they'll be presented with a visual countdown to the reboot. And,
notwithstanding all of that, it's a rare application that will not
gracefully save open work and close normally in response to a system
initiated reboot. This has been a feature of Windows since the days of
Windows v3.1.
As far as "restarting at a later time...", I would strongly discourage any
such practice. An update that requires a restart is not fully installed
until the restart happens. (The files are actually copied into the system
folders at /startup/.) As a result, until the restart happens, the system is
(a) not patched, and thus still insecure or unstable (depending on the
reason for the update), and (b) additionally "unstable" because some of the
update files may have been copied to their final destinations, while others
were not, potentially resulting in mismatched code modules.
Post by ANDY
Hi Lawrence,
Thank you for your prompt reply,I appreciate it.
As you said, even if i choose option 4, and give the update time to run at
mid night
but still some clients run afternoon and I do not want to happen as some
users are working and this message pops up and cannot even save and it just
reboots.
How to really make sure this never happens, also Is there any way
clients
can
have ability to restart the computer at later time.Please let me know.
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update,
except
that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers,
as
it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this
delay.
You
can also delay the restart of the system /IF/ a user is currently
logged
on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please
tell
me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the
computer
once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
ANDY
2005-10-03 23:35:01 UTC
Permalink
Apart from changing option 4 in Active directory,Is there any other option I
need to change, also I do not want any of the systems to update during
working hours
and reboot themsleves.

How to make sure that all the updates are running midnight and not during
working hours? PLEASE EXPLAIN. THIS IS REALLY IMP.

THANKS
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please tell me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
Nick Payne
2005-10-03 23:50:01 UTC
Permalink
Just choose option 4 and set it to happen at 00:00.

But if your users leave their workstations powered off that night the
updates will install the next time they power on the machine. The delay
before reboot is also configurable in group policy.

Nick
Post by ANDY
Apart from changing option 4 in Active directory,Is there any other option I
need to change, also I do not want any of the systems to update during
working hours
and reboot themsleves.
How to make sure that all the updates are running midnight and not during
working hours? PLEASE EXPLAIN. THIS IS REALLY IMP.
THANKS
Post by Lawrence Garvin
Whether the client computers restart themselves is totally separate from
which Option (3 or 4) you select for installation.
Option 3 does not schedule installation of updates at all, and /requires/
that a local administrator initiate an installation of the updates
interactively. This is equivalent to browsing to Windows Update, except that
the WUA has already downloaded the updates, so you don't have to wait for
the download to complete. This option is normally chosen for servers, as it
allows the Server Administrator to have control over when the installation
occurs, as well as when the server is restarted.
Option 4 does schedule updates, and in conjunction with the scheduling of
the updates, by default, will initiate a restart of the system 5 minutes
after the completion of the installation. You can configure this delay. You
can also delay the restart of the system /IF/ a user is currently logged on
and that user has administrative privileges. A non-administrative user will
be warned of a pending restart, but they cannot delay or prevent the
restart.
The /best/ option is to leave computers powered on overnight, but logged
off, and install updates during non-working hours, using Option #4.
In order to ensure that all updates are being properly installed, you should
use the monitoring and reporting tools contained in the WSUS Administration
Console, and investigate any client that shows updates as "Needed" for more
than 48 hours, or "Failed".
There is no facility to 'push' updates from the server, and the server does
not initiate any activity in the update process. All activity is initiated
by the client; the server is a passive partner, merely a database and file
repository for the use of the clients.
Post by ANDY
I have Installed WSUS Server on win2k3 Server. Now could anyone please tell me
what is the best option I need to choose in Active Directory Group policy
for getting
Automatic updates for clients (is it option 3 or 4),I do not want the
clients computer
to restart themself?I want to give them ability to restart the computer once
the updates are Installed?
Also my other question is, how to make sure that all the updates are
getting installed on clients (winxp,windowws 200 proff,etc) computers?Is
there ability
to push the updates from WSUS Console to certain computers manually?Please
help.
Continue reading on narkive:
Loading...