|
|
When using GPO with WSUS 2, I was able to prevent non-admins from clicking "Restart Later" after patching. It appears the v3 client allows non-admins to click "Restart Later," because now I have a thousand PCs awaiting reboot for several weeks. Is there a new reg key or GP option to prevent users from clicking "Restart Later?"
|
|
"AG" <AG[ at ]discussions.microsoft.com> wrote in message news:D9DF357C-1BC5-4A5A-9C5C-B3F0A1BB9223[ at ]microsoft.com...
> When using GPO with WSUS 2, I was able to prevent non-admins from clicking "Restart Later" after patching.
Non-admins *cannot* click on "Restart Later" after patching because that option is not available to non-admins!
Unless it's been enabled.
> It appears the v3 client allows non-admins to click "Restart Later," because now I have a thousand PCs awaiting reboot for several weeks. Is there a new reg key or GP option to prevent users from clicking "Restart Later?"
If you *enabled* the policy "Allow non-admins to receive update notifications", then all users will have admin-equivalent permissions as relates to the Windows Update Agent, and that includes the enabling of the "Restart Later" button.
This is, of course, assuming that your users are not members of the local Administrators group to begin with.
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
|
|
AG wrote:
> When using GPO with WSUS 2, I was able to prevent non-admins from clicking "Restart Later" after patching. It appears the v3 client allows non-admins to click "Restart Later," because now I have a thousand PCs awaiting reboot for several weeks. Is there a new reg key or GP option to prevent users from clicking "Restart Later?"
The first thing to do is to try to determine whether or not the "Restart Later" button is actually responsible for the symptoms you are seeing. Do you have a test machine you can log into with a non-administrative account to see what happens? Or a user you can trust to report accurately what happened?
If I recall correctly (I did some experiments a year or so back) WSUS will not forcibly reboot the clients - that is, if one of the running applications says "no, don't reboot" the system won't reboot. However, if this was your problem it wouldn't have changed between WSUS 2 and WSUS 3; is there anything else that has changed at the same time, say a new client application?
Harry.
|
|
Lawrence,
Below is my client config.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\windowsupdate\au]
"UseWUServer"=dword:00000001
"scheduledinstalltime"=dword:0000000c
"scheduledinstallday"=dword:00000000
"reschedulewaittime"=dword:00000003
"NoAutoUpdate"=dword:00000000
"NoAutorebootwithloggedonusers"=dword:00000001
"AUOptions"=dword:00000004
"AutoInstallMinorUpdates"=dword:00000001
I reviewed my WSUS and remoted to several client PCs this morning after reading your reply, and they were all still waiting to reboot with the option to click Restart Later enabled. (I'd paste a screen shot if I could.) Users are not admins.
I realize it should not be happening, but it is. I'd be happy to work off-line with you.
|
|
AG wrote:
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\windowsupdate\au]
> "UseWUServer"=dword:00000001
> "scheduledinstalltime"=dword:0000000c
> "scheduledinstallday"=dword:00000000
> "reschedulewaittime"=dword:00000003
> "NoAutoUpdate"=dword:00000000
> "NoAutorebootwithloggedonusers"=dword:00000001
> "AUOptions"=dword:00000004
> "AutoInstallMinorUpdates"=dword:00000001
>
> I reviewed my WSUS and remoted to several client PCs this morning after reading your reply, and they were all still waiting to reboot with the option to click Restart Later enabled. (I'd paste a screen shot if I could.) Users are not admins.
I don't know whether this is new behaviour with the v3 client, but it seems harmless to me; all the "Restart Later" button does is dismiss the dialog box for ten minutes. The user could always move the dialog box off the screen anyway, which has virtually the same effect and no time limit.
You could set RebootRelaunchTimeout and RebootRelaunchTimeoutEnabled to reduce the period of time the dialog box is dismissed for, or you could turn off NoAutorebootwithloggedonusers if you want to force the reboot to happen even if the user is noncooperative.
Harry.
|
|
I support a hospital, so I can't have the PCs automatically reboot while the nurses are charting on a patient. But if they cannot click "Later" at least they get bothered until they do it. I may just have to reduce the timeout to bother them as much as I can.
|
|
|
|
Well, Lawrence, as I said, I support a hospital. I don't have the luxury of updating PCs when there are no users here. I'd rather the updates apply at noon when I have staff here to deal with problems instead of at 2am, when nurses are still treating patients, but minimal IS staff is here. All our clinical care is computerized, so I'm not just talking about people using Word and IE, I'm talking about patient care.
Regardless, do you have a suggestion as to why the "Restart Later" option is available for non-admins?
Thanks
|
|
"AG" <AG[ at ]discussions.microsoft.com> wrote in message news:68A05268-CA58-4723-955D-DD9317F59CE4[ at ]microsoft.com...
> Well, Lawrence, as I said, I support a hospital. I don't have the luxury of updating PCs when there are no users here.
I've heard this argument a gazillion times.
Walk down the hall and ask the guys that maintain the MRI machine how they deal with scheduling maintenance for the MRI, which *never* has any free time. I suspect you'll find this is the answer: We *schedule* downtime for the MRI machine. No appointment can be booked during that maintenance time block.
So... do the same thing for computers!
> I'd rather the updates apply at noon when I have staff here to deal with problems
Or cause *them* problems... <???>
> instead of at 2am, when nurses are still treating patients, but minimal IS staff is here.
If the system is properly configured and managed, there will be *NO* problems to deal with! The whole environment, WSUS, is designed to be 100% hands off at the client side. If you find you need somebody on the client side to "deal with problems", then, honestly, you probably want to deal with those problems before you deploy the updates.
> All our clinical care is computerized, so I'm not just talking about people using Word and IE, I'm talking about patient care.
See the MRI example above.
> Regardless, do you have a suggestion as to why the "Restart Later" option is available for non-admins?
It's not. The most likely reason is you have a security authorization in place that you don't realize exists.
The ONLY WAY for the "Restart Later" button to be enabled is if the logged in user has ADMINISTRATOR privileges.
There are four ways this can happen in a WSUS environment. Only one has anything at all to do with WSUS.
[a] You've enabled the policy setting "Allow non-admins to receive update notifications".
[b] The logged in user's DOMAIN account is a member of the BUILTIN\Administrators group on the PC.
[c] The logged in user's DOMAIN account is a member of the DOMAIN\Domain Admins group on the PC.
[d] The logged in user's DOMAIN account is a member of some group that is a member of one of the groups in [b] and [c].
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
|
|
Thank you, Lawrence. As you said, I don't really have any problems to deal with, other than PCs not rebooting after the update. I know the users are not admins, so I'll focus on the "receive notifications" setting. I have not changed the client settings with the upgrade to 3.0. You saw my client settings, so where am I missing this one?
|
|
On Tue, 5 Jun 2007 08:19:02 -0700, AG <AG[ at ]discussions.microsoft.com> wrote:
> Thank you, Lawrence. As you said, I don't really have any problems to deal with, other than PCs not rebooting after the update. I know the users are not admins, so I'll focus on the "receive notifications" setting. I have not changed the client settings with the upgrade to 3.0. You saw my client settings, so where am I missing this one?
"Allow non-admins to receive update notifications" is HKCU not HKLM
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.
|
|
"AG" <AG[ at ]discussions.microsoft.com> wrote in message news:CF5A6422-7674-40F2-AF03-FFBE09FB0D0A[ at ]microsoft.com...
> Thank you, Lawrence. As you said, I don't really have any problems to deal with, other than PCs not rebooting after the update. I know the users are not admins, so I'll focus on the "receive notifications" setting. I have not changed the client settings with the upgrade to 3.0. You saw my client settings, so where am I missing this one?
I'd need to know the exact registry settings *and* the complete group memberships (local and domain) for a selected login account experiencing this issue.
If you'd prefer to email the specs (I can understand so, given the sensitivity of account information), send it to l r g a r v i n a t s w b e l l d o t n e t
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
|
|
"DaveMills" <DaveMills[ at ]newsgroup.nospam> wrote in message news:4dnb63hnv4foefvhqcoodamdkcpa5rsdjd[ at ]4ax.com...
> On Tue, 5 Jun 2007 08:19:02 -0700, AG <AG[ at ]discussions.microsoft.com> wrote:
>
>> Thank you, Lawrence. As you said, I don't really have any problems to deal with, other than PCs not rebooting after the update. I know the users are not admins, so I'll focus on the "receive notifications" setting. I have not changed the client settings with the upgrade to 3.0. You saw my client settings, so where am I missing this one?
> "Allow non-admins to receive update notifications" is HKCU not HKLM
It does *not* exist in HKCU. The setting is only available via "Computer Configuration" in the policy editor, which will place it in the HKLM hive.
There are settings available via "User Configuration" but this is not one of them.
I do not know what would happen if somebody forced a "ElevateNonAdmins" registry value into the HKCU\Software\Policies tree.
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
> -- > Dave Mills > There are 10 type of people, those that understand binary and those that > don't.
|
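The causes [a] to [d] listed earlier in the thread, and the HKLM versus HKCU question raised in the post just above, can be checked on an affected PC with a read-only audit. This is an added example, not part of any post in the thread; it assumes PowerShell 3.0 or later and `whoami.exe` on the client, and is meant to be run in the session of the non-admin user who sees "Restart Later" enabled.

```powershell
# Added example: read-only audit of the Windows Update Agent policy values and
# admin-group membership discussed in this thread. Assumes PowerShell 3.0+.
$wu = 'Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Hive, [string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }   # $null means "not configured"
}

# Token groups for the logged-on user. whoami lists nested and deny-only
# (UAC-filtered) memberships too, so a split admin token is still reported.
$groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$adminGroups = @($groups | Where-Object {
    $_.Sid -eq 'S-1-5-32-544' -or          # BUILTIN\Administrators
    $_.Sid -match '^S-1-5-21-.+-512$'      # <domain>\Domain Admins
})

$report = [pscustomobject]@{
    User                          = "$env:USERDOMAIN\$env:USERNAME"
    AdminGroupsInToken            = ($adminGroups | ForEach-Object { $_.Name }) -join '; '
    HKLM_ElevateNonAdmins         = Get-PolicyValue HKLM $wu 'ElevateNonAdmins'
    HKCU_ElevateNonAdmins         = Get-PolicyValue HKCU $wu 'ElevateNonAdmins'
    NoAutoRebootWithLoggedOnUsers = Get-PolicyValue HKLM "$wu\AU" 'NoAutoRebootWithLoggedOnUsers'
    RebootRelaunchTimeoutEnabled  = Get-PolicyValue HKLM "$wu\AU" 'RebootRelaunchTimeoutEnabled'
    RebootRelaunchTimeout         = Get-PolicyValue HKLM "$wu\AU" 'RebootRelaunchTimeout'
}
$report | Format-List

# Findings, tied to the causes named in the thread.
if ($adminGroups.Count -gt 0) {
    'User holds an administrators group in its token (causes [b]-[d]).'
}
if ($report.HKLM_ElevateNonAdmins -eq 1) {
    '"Allow non-admins to receive update notifications" is enabled (cause [a]).'
}
if ($null -ne $report.HKCU_ElevateNonAdmins) {
    'ElevateNonAdmins is present under HKCU, where the policy editor does not place it.'
}
if ($report.NoAutoRebootWithLoggedOnUsers -eq 1 -and $adminGroups.Count -eq 0 -and
    $report.HKLM_ElevateNonAdmins -ne 1) {
    'None of causes [a]-[d] apply; with no-auto-restart set, the reboot waits on the user.'
}
```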
|
Lawrence Garvin (MVP) wrote:
>> Regardless, do you have a suggestion as to why the "Restart Later" option is available for non-admins?
>
> It's not. The most likely reason is you have a security authorization in place that you don't realize exists.
>
> The ONLY WAY for the "Restart Later" button to be enabled is if the logged in user has ADMINISTRATOR privileges.
Actually this isn't true any more. I've just done the experiment: I started with two identical machines (using a scripted install) and upgraded one to the v3 client. I logged in as a non-administrative user at the scheduled install time. The "No auto restart" option was enabled.
When the updates finished installing, the machine with the v3 client displayed a dialog box with both buttons ("Restart Now" and "Restart Later") enabled. On the machine with the v2 client, "Restart Later" was disabled. I checked and on the v3 client the "Restart Later" button behaved as expected, dismissing the dialog.
I'm about to repeat the experiment with "no auto restart" turned off. It'll take an hour or so to reinstall the machines. I'll report back.
Harry.
|
|
|
|
Lawrence Garvin (MVP) wrote:
>> When the updates finished installing, the machine with the v3 client displayed a dialog box with both buttons ("Restart Now" and "Restart Later") enabled. On the machine with the v2 client, "Restart Later" was disabled. I checked and on the v3 client the "Restart Later" button behaved as expected, dismissing the dialog.
>
> <sigh>.... if that be true..... this is *not* a good thing.
I've done the second experiment as promised and can confirm that this behaviour has changed only if "No automatic restart with logged on users" is enabled. If it is disabled, i.e., if the countdown timer is present, "Reboot Later" is still disabled for non-administrative users in the new client.
Given this, I don't see the change as an issue. The difference between being able to temporarily dismiss the dialog and being able to simply ignore it seems trivial. In either case, if the user is noncooperative, the reboot won't happen.
In fact, having the dialog keep popping up at you may be a better reminder than having it sit there doing nothing!
Harry.
|
|
Thought I'd port this direct reply from Lawrence for anyone else reading this post:
"Additional information I received this morning suggests that the "Restart Later" option is now enabled for *all* users. If so, this is a radical change from the previous version of WSUS. I'm working to confirm this fact with the dev team. Lawrence Garvin, M.S., MCTS, MCP"
|
|
|