Friday 24 February 2012

New Robos Tricks: Updates Control Reboots

Getting to 100 percent update compliance requires two basic steps: First, you have to install the update; second, you have to reboot the computer. You must accomplish both steps for the computer to be considered compliant. WSUS falls short in how it handles the reboot step.
Most of you don’t want to bother users with a post-update reboot. Kicking off a reboot during the workday irritates users and can cause lost work. That’s why there’s always the option to let users postpone the reboot. Postponing a reboot gives a user time to finish what they’re doing and shut the computer down gracefully. However, postponing the reboot can delay achieving 100 percent compliance.
Another option is to attach a deadline to each approved update. That establishes a date and time by which the installation and reboot must be complete, and computers are forced to restart once the deadline passes. The problem here is with computers that were powered off or off the network when the deadline passed. Those computers get patched and then rebooted as soon as they’re powered back on or reconnect to the network, whenever that happens to be. That’s not a good solution.
A better way to control reboots is to remove them from WSUS altogether. Build a script that reboots every computer all at once. Schedule that script to run after users leave for the day. You can update systems whenever you want, knowing your external reboot script will finish the process.
For example, identify a window of time when you’ll restart every desktop on the network—let’s say Wednesday and Saturday mornings between 2:00 a.m. and 4:00 a.m. Socialize this “reboot window” to users, so they know to save their work. Then, build yourself a little script that reboots every desktop all at once. You can download a sample one from concentratedtech.com/download. Use Task Scheduler to run that script every week during your reboot windows.
A few Group Policy settings can help with this situation. Enable the policy setting “No auto-restart with logged on users for scheduled automatic updates installations.” This prevents an update installation from restarting the computer while a user is logged on.
In the policy setting “Configure Automatic Updates,” set the value to 4 (auto download and schedule the install) and make sure the scheduled installation time occurs before your reboot window. Enabling the policy “Allow Automatic Updates Immediate Installation” also helps, as it immediately installs updates that don’t require a reboot. Last, if you want to lock these settings down even for administrators, you can enable the User Configuration policy “Remove access to use all Windows Update features.”
Reconfiguring WSUS in this way separates the reboot step from the install step and gives you much better control over reaching 100 percent compliance overnight.
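A reboot script of the kind described above, written here as an added example; it is not the concentratedtech.com sample the post links to. It goes a little beyond the post by rebooting only the desktops whose pending-reboot flag is set and logging the ones that were unreachable, and the file paths and computer list are placeholders you would replace.

```powershell
# Added example: reboot the desktops that still have an update reboot pending.
# Assumptions: computer names are listed one per line in C:\Reboot\desktops.txt
# (placeholder path) and the scheduled-task account is an admin on each of them.
$ComputerList = 'C:\Reboot\desktops.txt'
$LogFile      = 'C:\Reboot\reboot.log'

# Registry locations Windows uses to flag a reboot that is still outstanding.
$PendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

# Runs on the remote computer: returns $true when either pending-reboot key exists.
$CheckPending = {
    param($Keys)
    foreach ($k in $Keys) { if (Test-Path -Path $k) { return $true } }
    return $false
}

$Computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() -ne '' }
foreach ($Computer in $Computers) {
    try {
        $Pending = Invoke-Command -ComputerName $Computer -ScriptBlock $CheckPending `
                                  -ArgumentList (,$PendingKeys) -ErrorAction Stop
        if ($Pending) {
            Restart-Computer -ComputerName $Computer -Force -ErrorAction Stop
            Write-Log "$Computer : reboot issued (update reboot was pending)"
        } else {
            Write-Log "$Computer : no reboot pending, skipped"
        }
    } catch {
        # Powered-off or unreachable machines are logged, not retried; they get
        # picked up in the next reboot window.
        Write-Log "$Computer : unreachable ($($_.Exception.Message))"
    }
}
```

Register the script as a Task Scheduler job that runs during each announced reboot window, and review the log afterwards to see which desktops still need attention.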
