Windows 7 WSUS updates
-
I'm posting because I said I would -
About 2-3 times a year I get someone complaining that their computer just rebooted on them when they were in the middle of something. 99% of the time the reboot is caused by Windows updates.
Here are my WSUS settings. As far as I can tell Windows 7 and 8.1 should all prompt the user to reboot when the system is done installing updates; it should not reboot until either the user reboots, the 10 min prompted timer runs out or, in the case of Windows 8(.1), the user hasn't rebooted after 3 days.
Today one of my docs was documenting when "all of a sudden, right in the middle of me typing, the applications closed, and Windows was saying it was installing updates. Then the screen was black."
My boss is pretty frustrated by this. Other than sending out daily reminders that they might have to reboot their computer today due to Windows updates (you never know when an out of cycle patch is coming), I'm not sure what else to do.
In the case of my doc, I'm wondering if the prompt popped up while he was typing, the default action on that window is Reboot Now and his continued typing pressed the button so fast that he didn't even have a chance to notice the popup before his computer was rebooting. I've had this happen to me on other issues, where Windows decides to steal focus from what I'm working on while I'm typing and before I can stop, the default selection is picked from the new window.
Thoughts?
-
There is a registry setting that you can add to force the "No auto-restart with logged on users" option. I would check that system and make sure the registry entry is there and that the setting is indeed being applied to the workstation in question.
Beyond that I would maybe turn off the "Allow automatic update installation" option and see what happens.
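
An added example, not part of the original post: one way to check on the workstation itself which Windows Update policy values actually landed in the registry, and whether a restart is already pending. It reads the standard policy values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the helper name `Get-PolicyValue` and the wording of the findings are assumptions made for this sketch, and it sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 client.

```powershell
# Added example: audit the local Windows Update policy values that drive reboots.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
# This key exists only while an installed update is waiting for a restart.
$pendingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = New-Object PSObject -Property @{
    Computer                      = $env:COMPUTERNAME
    WUServer                      = Get-PolicyValue $wuKey 'WUServer'
    TargetGroup                   = Get-PolicyValue $wuKey 'TargetGroup'
    UseWUServer                   = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions                     = Get-PolicyValue $auKey 'AUOptions'
    ScheduledInstallDay           = Get-PolicyValue $auKey 'ScheduledInstallDay'
    ScheduledInstallTime          = Get-PolicyValue $auKey 'ScheduledInstallTime'
    NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    RebootPending                 = Test-Path $pendingKey
} | Select-Object Computer, WUServer, TargetGroup, UseWUServer, AUOptions,
    ScheduledInstallDay, ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers, RebootPending

$findings = @()
if ($report.UseWUServer -ne 1 -or -not $report.WUServer) {
    $findings += 'Client is not pointed at a WSUS server by policy.'
}
if ($report.AUOptions -ne 4) {
    $findings += 'AUOptions is not 4 (auto download and schedule the install); the scheduled day/time are not in effect.'
}
if ($report.NoAutoRebootWithLoggedOnUsers -ne 1) {
    $findings += 'NoAutoRebootWithLoggedOnUsers is not 1; a scheduled install may restart the PC while a user is logged on.'
}
if ($report.RebootPending) {
    $findings += 'Updates are installed but a restart is still pending.'
}

$report | Format-List
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

An empty `TargetGroup` means client-side targeting is not assigning the PC to a WSUS computer group, which matters if reboot times are staggered per group.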
-
Here's an example of what I was talking about:
http://www.makeuseof.com/tag/disable-forced-restarts-windows-update/
-
This seems a bit extreme.
If my users don't reboot, which many don't often - how do I know they are updated?
-
Are your users using PCs 24/7? I have Windows update reboot all of our PCs between 12AM and 2AM
-
@IRJ said:
Are your users using PCs 24/7? I have Windows update reboot all of our PCs between 12AM and 2AM
This assumes the PCs are on, I've never gotten WOL to work.
Not to mention that users leave things open overnight and don't save their work.. coming in in the morning to a rebooted machine is generally unacceptable.
-
@Dashrender said:
@IRJ said:
Are your users using PCs 24/7? I have Windows update reboot all of our PCs between 12AM and 2AM
This assumes the PCs are on, I've never gotten WOL to work.
Not to mention that users leave things open overnight and don't save their work.. coming in in the morning to a rebooted machine is generally unacceptable.
Then a policy needs to be in place that at the end of the day, once they've left, anything left open but unsaved isn't your problem. After-hours or off-hours are always maintenance windows. By letting them do this, you're basically giving them all the power and eliminating your ability to properly do your job.
-
@IRJ said:
Are your users using PCs 24/7? I have Windows update reboot all of our PCs between 12AM and 2AM
Yeah, unless it's a 24/7 call center where people share PCs, this is pretty common and works well.
-
@Dashrender said:
This seems a bit extreme.
If my users don't reboot, which many don't often - how do I know they are updated?
What's extreme is that your user thinks that you are not allowed to keep the systems secure by keeping them updated.
I would rely on the reboot schedule IRJ references or, if you really want to be sure they are rebooting on a schedule, I have a short PowerShell script that will do just that.
-
We never allow our users to turn their PCs off. We tell them we perform updates at night so they don't need to be done during the day. It works well for the IT department and the users. Who wants their PC to update and/or reboot in the middle of the day while they are working?
-
I believe we've had discussions on WSUS Deployment groups before.
I have over 20 different groups each with 7-20 PCs. This makes staggering deployments easy because I can tell them to reboot at different times via GPO. I can also allow updates for specific PCs and not allow them on others. It's much easier to manage this way.
This also makes testing easier. You don't have to roll back everything when there is an issue. Only 7-20 PCs at a time.
-
I also disable all the update notifications. My users don't even know their PCs have been updated. Every night each PC checks WSUS, downloads and installs updates, then reboots.
-
@IRJ said:
We never allow our users to turn their PCs off. We tell them we perform updates at night so they don't need to be done during the day. It works well for the IT department and the users. Who wants their PC to update and/or reboot in the middle of the day while they are working?
Here we are not allowed to leave computers turned on, especially if nobody is using them.
We are using offline updates.
And Production computers are up 24/7.
-
How do you do offline updates?
-
WSUS is a type of offline update.
-
@Dashrender said:
WSUS is a type of offline update.
Well, not really. WSUS can be used if the client is offline from the Internet but not if it is offline from the network or turned off.