Servers reboot after applying Windows Updates


Jeff Whitehead

Hi guys,

I have a number of 2003 (Standard) servers, which force reboot after doing
some of the Windows Updates.
All our PCs and servers are set to check daily at 13:00 for any new updates
[a company policy] and some of these require a reboot.

All machines get updates DIRECT using Windows Update (we are not using WSUS
yet but will be in the future)

I've set the GP option to NOT reboot after automatic update, but apparently
this only works if a user is logged in at the console.
['Computer Configuration/Administrative Templates/Windows Components/Windows
Update\No auto-restart for scheduled Automatic Updates installations' option
is set to Enabled and works if a user is logged in, but by design, is
ignored if user logs out]

I NEVER leave my servers logged in (not even with the screen locked - for
security purposes) so they spontaneously reboot if there's an update that
requires it.

Surely I can't be the only one having this problem? Anybody know of a way to
stop it?
It only happens on the major updates, but it's annoying when users are
halfway through something and the server disappears.


[ I realise I could make the servers update out of hours, but then someone
has to be here in case they DON'T come back up.
And night time is my backup window anyway etc, etc....]


Thanks,

Jeff.
 
That's not the policy you want to set. You want to set the policy for AU
Options to 3 (download and notify). The policy is:
Computer Configuration\Administrative Templates\Windows Components\Windows
Update\Configure Automatic Updates

This will require user interaction (or a script) to install all updates.

You may want to set this just for your servers so that the other users will
get the updates installed automatically.

Eddie Bowers
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Eddie, do us a favor and QUOTE the post you're replying to, please. Thanks.

Eddie Bowers [MSFT] wrote:
> That's not the policy you want to set. You want to set the policy for AU
> Options to 3 (download and notify). The policy is:
> Computer Configuration\Administrative Templates\Windows Components\Windows
> Update\Configure Automatic Updates
>
> This will require user interaction (or a script) to install all updates.
>
> You may want to set this just for your servers so that the other users
> will get the updates installed automatically.
>
> Eddie Bowers
> Security Support
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
 
Hi Eddie, thanks for your comments...

> That's not the policy you want to set. You want to set the policy for AU
> Options to 3 (download and notify). The policy is:
> Computer Configuration\Administrative Templates\Windows Components\Windows
> Update\Configure Automatic Updates
>
> This will require user interaction (or a script) to install all updates.


Actually, I had this set to 4. What I'd really like is for the servers to
download updates on a DAILY basis (according to a company policy), then
reboot at a time specified by me, hopefully when I'm not around.... e.g.
3AM.

Unfortunately, our policy dictates a DAILY update (whether or not updates
are released) which means using option 3, I have to manually check and maybe
reboot 20 servers. In a single-man IT outfit, I don't really have the time.

I thought option 4 with the 'don't restart' option might get round this, but
clearly not. My misunderstanding now I've re-read the help docs.

We'll stick with option 3 for now. As suggested have applied this to my
servers only.
Desktops still run option 4.

Thanks for your input....

Jeff.

 
>Actually, I had this set to 4. What I'd really like is for the servers to
>download updates on a DAILY basis (according to a company policy), then
>reboot at a time specified by me, hopefully when I'm not around.... e.g.
>3AM.


This is a bit problematic because when we do an update we consider the
system to be in a quasi updated state and the idea is to not allow it to
be in that state for very long. That's why we force a reboot unless there is
someone there to prevent it (with the idea that they might need to save
some work first).

You should consider the update and the restart as a single event really. I
usually suggest that you use option 3 for the servers and schedule a script
to install the pending updates and reboot if needed.

The script I suggest would look something like this (installs updates if
downloaded and reboots only if needed):
------------------------------------

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()
Counter = 0 ' Initialize Counter.

WScript.Echo vbCRLF & _
    "__________________________________"
WScript.Echo Now()
WScript.Echo "Searching for approved updates..." & vbCRLF

' Find software updates that are applicable but not yet installed
Set searchResult = _
    updateSearcher.Search("IsInstalled=0 and Type='Software'")

WScript.Echo "List of applicable and approved items for this machine:"

For I = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next

' Quit the script if there are no updates found for this machine
If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
End If

WScript.Echo vbCRLF & "List of downloaded updates ready for install:"

For I = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded Then
        WScript.Echo I + 1 & "> " & update.Title
    End If
Next

' Collect only the updates that have already been downloaded
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

For I = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = True Then
        updatesToInstall.Add(update)
        Counter = Counter + 1 ' Increment Counter to count downloaded updates.
    End If
Next

If Counter = 0 Then ' If there are no downloaded updates...
    WScript.Echo vbCRLF & _
        "There are no downloaded updates to install."
    WScript.Quit
End If

' Install the updates
WScript.Echo vbCRLF & _
    "Installing updates..."
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall
Set installationResult = installer.Install()

' Output results of install
WScript.Echo vbCRLF & _
    "Installation Result: " & _
    installationResult.ResultCode
WScript.Echo "Reboot Required: " & _
    installationResult.RebootRequired & vbCRLF
WScript.Echo "Listing of updates installed " & _
    "and individual installation results:"

For I = 0 To updatesToInstall.Count - 1
    WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(I).Title & _
        ": " & installationResult.GetUpdateResult(I).ResultCode
Next

' Reboot the machine, if needed
If installationResult.RebootRequired = True Then

    WScript.Echo vbCRLF & _
        "Reboot Required. Rebooting..."

    sComputer = "."

    ' The (Shutdown) privilege is needed for Win32Shutdown to succeed
    Set oWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Shutdown)}!\\" _
        & sComputer & "\root\cimv2")

    Set colOperatingSystems = oWMI.ExecQuery _
        ("Select * from Win32_OperatingSystem")
    For Each obj In colOperatingSystems
        Set oOS = obj : Exit For
    Next

    Const EWX_LOGOFF = 0
    Const EWX_SHUTDOWN = 1
    Const EWX_REBOOT = 2
    Const EWX_FORCE = 4
    Const EWX_POWEROFF = 8

    ' FORCE a REBOOT = EWX_REBOOT + EWX_FORCE = 6
    oOS.Win32Shutdown EWX_REBOOT + EWX_FORCE

End If

--------------------------------------------------------
Just run this with cscript so it won't pop up dialog boxes.

Eddie Bowers
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
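
To check which machines actually ended up on option 3 and which are still on option 4, the Automatic Updates policy values can be read from each machine's registry. The following is an added example, not code from the thread or from Microsoft; the server names are placeholders, and it assumes PowerShell 2.0 or later on the admin workstation, the Remote Registry service running on each target, and an account with admin rights there.

```powershell
# Added example: audit the Automatic Updates group policy on a list of machines.
# SERVER01/SERVER02 are placeholder names. The value names are the ones the
# "Configure Automatic Updates" and "No auto-restart..." policies write.
$AuKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$OptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-AuPolicy {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            $key = $hklm.OpenSubKey($AuKey)
            if ($key -eq $null) {
                Write-Warning "${name}: no Automatic Updates policy key"
                continue
            }
            $au = $key.GetValue('AUOptions')
            $setting = 'AUOptions not set'
            if ($au -ne $null) { $setting = $OptionText[[int]$au] }
            New-Object PSObject -Property @{
                Computer           = $name
                AUOptions          = $au
                Setting            = $setting
                InstallHour        = $key.GetValue('ScheduledInstallTime')
                NoRebootIfLoggedOn = [bool]$key.GetValue('NoAutoRebootWithLoggedOnUsers', 0)
                # As described in the thread: with option 4 the machine restarts on
                # its own when nobody is logged on, whatever NoRebootIfLoggedOn says.
                RebootsUnattended  = ($au -eq 4)
            }
        } catch {
            Write-Warning "${name}: registry read failed: $($_.Exception.Message)"
        } finally {
            if ($hklm -ne $null) { $hklm.Close() }
        }
    }
}

Get-AuPolicy -ComputerName 'SERVER01', 'SERVER02' |
    Sort-Object Computer |
    Format-Table Computer, AUOptions, Setting, InstallHour, RebootsUnattended -AutoSize
```

Any server that reports `RebootsUnattended` as True has not picked up the option 3 policy yet and can still restart during working hours.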
 