My WSUS policy
Jake
2010-03-16 14:40:48 UTC
Hi,

Below is a copy of my domain-wide WSUS policy.

I want that the updates should be downloaded and installed on the client
computers once the user has logged in to the domain. However I do NOT
want the client computer to be restarted after an update without the
user's confirmation.

I felt I was forced to set a time (11AM) when updates were to be
installed. Can I get around this somehow to have the updates to be
immediately installed at any time once the download is finished?

Are the GPO settings below correct in this scenario, and if not, what
should I correct?

Also I see that the yellow 'updates available' systray shield icon does
not appear when there are updates available. Why does it not appear on
every computer as expected?

Thanks a lot for comments and advice.

regards
jake


My WSUS policy:

Policy                                                      Setting    Comment
Allow Automatic Updates immediate installation              Enabled
Allow non-administrators to receive update notifications    Disabled
Automatic Updates detection frequency                       Enabled
    Check for updates at the following interval (hours): 3

Policy                                                      Setting    Comment
Configure Automatic Updates                                 Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day: 0 - Every day
    Scheduled install time: 11:00

Policy                                                      Setting    Comment
Delay Restart for scheduled installations                   Disabled
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box  Disabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box  Disabled
No auto-restart with logged on users for scheduled automatic updates installations  Enabled
Re-prompt for restart with scheduled installations          Disabled
Reschedule Automatic Updates scheduled installations        Disabled
Specify intranet Microsoft update service location          Enabled
    Set the intranet update service for detecting updates: http://192.168.100.45
    Set the intranet statistics server: http://192.168.100.45
    (example: http://IntranetUpd01)
Lawrence Garvin [MVP]
2010-03-16 16:13:07 UTC
Post by Jake
I want that the updates should be downloaded and installed on the client
computers once the user has logged in to the domain.
This is not a configuration option, Jake.

Updates can be *installed* at a scheduled time, or updates can be
*installed* when a machine is powered ON.

There are no provisions for scheduling downloads, and there are no
provisions for scheduling installations when a user logs on.
Post by Jake
However I do NOT want the client computer to be restarted after an update
without the user's confirmation.
Then you'll need to enable the policy "No auto-reboot with logged on user"
Post by Jake
I felt I was forced to set a time (11AM) when updates were to be
installed.
You were. That's been how the Windows Update Agent operates for ten years
now.
Post by Jake
Can I get around this somehow to have the updates to be immediately
installed at any time once the download is finished?
Absolutely. Use deadlines. The deadline will cause an immediate installation
of the update if the deadline has expired. However, deadlines also cause
immediate restarts of computer systems, and do not allow users to 'confirm'
the action.
Post by Jake
Are the GPO settings below correct in this scenario, and if not, what
should I correct?
Allow non-administrators to receive update notifications Disabled
This is the policy you want to enable to allow users to confirm system
restarts.
Post by Jake
Also I see that the yellow 'updates available' systray shield icon does
not appear when there are updates available. Why does it not appear on
every computer as expected?
Because it does not appear for non-administrative users at all, and it does
not appear when you have disabled the policy setting above.

You may find it useful to review the section of the WSUS Deployment Guide
that covers configuring clients.

See: Update and Configure the Automatic Updates Client
http://technet.microsoft.com/en-us/library/dd939900(WS.10).aspx
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Jake
2010-03-17 07:22:01 UTC
Post by Lawrence Garvin [MVP]
Updates can be *installed* at a scheduled time, or updates can be
*installed* when a machine is powered ON.
There are no provisions for scheduling downloads, and there are no
provisions for scheduling installations when a user logs on.
I just hoped that there was a possibility to have updates installed
immediately after the download had finished. What about users that
never happen to be connected at the office around 11am. Will they have
all downloaded updates installed the first succeeding time they log on?
Post by Lawrence Garvin [MVP]
Post by Jake
However I do NOT want the client computer to be restarted after an
update without the user's confirmation.
Then you'll need to enable the policy "No auto-reboot with logged on user"
In my policy copy I thought it was already enabled.
Post by Lawrence Garvin [MVP]
Post by Jake
Can I get around this somehow to have the updates to be immediately
installed at any time once the download is finished?
Absolutely. Use deadlines. The deadline will cause an immediate
installation of the update if the deadline has expired. However,
deadlines also cause immediate restarts of computer systems, and do not
allow users to 'confirm' the action.
Ah, the deadlines are not an option for me...
Post by Lawrence Garvin [MVP]
Post by Jake
Are the GPO settings below correct in this scenario, and if not, what
should I correct?
Allow non-administrators to receive update notifications Disabled
This is the policy you want to enable to allow users to confirm system
restarts.
OK, will do that.
Post by Lawrence Garvin [MVP]
Post by Jake
Also I see that the yellow 'updates available' systray shield icon
does not appear when there are updates available. Why does it not
appear on every computer as expected?
Because it does not appear for non-administrative users at all, and it
does not appear when you have disabled the policy setting above.
It appears for around 2/3 of my users. They all use the same
system-wide wsus policy. That's why it puzzled me. I hope it will be
more consistent when I enable the 'Allow non-administrators...' setting
above.

Thanks for valuable comments and tips.

regards jake
Harry Johnston [MVP]
2010-03-17 19:06:17 UTC
Post by Jake
Post by Lawrence Garvin [MVP]
There are no provisions for scheduling downloads, and there are no
provisions for scheduling installations when a user logs on.
I just hoped that there was a possibility to have updates installed
immediately after the download had finished. What about users that never
happen to be connected at the office around 11am. Will they have all
downloaded updates installed the first succeeding time they log on?
Being logged on or off makes no difference to the WUA.

Once the updates are downloaded, they will install at the scheduled time if the
computer is on. It doesn't matter whether the computer is connected to the
network or not at the scheduled time.

If the computer is off at the scheduled time, then by default the updates will
install shortly after it is next turned on. However, the policy settings you
defined disable this ("Reschedule Automatic Updates scheduled installations") so
you would probably want to change that setting.

Also by default the computer will install downloaded updates when it is turned
off, but this can be overridden by the user.

Harry.
--
Harry Johnston
http://harryjohnston.wordpress.com
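
The settings discussed in this thread are delivered to clients as registry values under the Windows Update policy key, so a short PowerShell check (an added example, not part of any poster's message) can show which of the points raised above apply to a given machine. The value names are the documented Automatic Updates policy values; the function names and the sample data are constructed for illustration.

```powershell
# Added example: policy registry value names are the documented WUA ones;
# the sample hashtables below are constructed from the policy listing in this thread.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Read every value under a policy key into a hashtable (empty if the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Test-WuaPolicy([hashtable]$WU, [hashtable]$AU) {
    $findings = @()
    if ($AU['AUOptions'] -ne 4) {
        $findings += "AUOptions is '$($AU['AUOptions'])', not 4 (auto download and schedule the install)"
    }
    if ($AU['NoAutoRebootWithLoggedOnUsers'] -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers is not 1: a scheduled install can restart a logged-on user'
    }
    # Disabled (0) means a missed install waits for the next scheduled time;
    # an absent value keeps the default of installing shortly after startup.
    if ($AU.ContainsKey('RescheduleWaitTimeEnabled') -and $AU['RescheduleWaitTimeEnabled'] -eq 0) {
        $findings += 'RescheduleWaitTimeEnabled is 0: a missed scheduled install is not run after next startup'
    }
    if ($WU['ElevateNonAdmins'] -ne 1) {
        $findings += 'ElevateNonAdmins is not 1: non-administrators get no update notifications'
    }
    $findings
}

# Constructed sample: the policy as originally posted.
$sampleWU = @{ WUServer = 'http://192.168.100.45'; WUStatusServer = 'http://192.168.100.45'; ElevateNonAdmins = 0 }
$sampleAU = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 11
               NoAutoRebootWithLoggedOnUsers = 1; RescheduleWaitTimeEnabled = 0
               DetectionFrequencyEnabled = 1; DetectionFrequency = 3; AutoInstallMinorUpdates = 1 }

'Sample policy:'; Test-WuaPolicy -WU $sampleWU -AU $sampleAU

# On a client, audit the values Group Policy actually delivered.
if (Test-Path $WuKey) {
    'This computer:'; Test-WuaPolicy -WU (Get-PolicyValues $WuKey) -AU (Get-PolicyValues "$WuKey\AU")
}
```

Running it on several clients is a quick way to see whether machines that behave differently actually received the same policy values.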