
Has anyone found a way to automatically send email notification to users who have not updated their PCs?

  • Monday, November 02, 2009 11:09 PM MyGposts
     

    Our network security doesn't allow access to WSUS remotely, even via VPN, so users must bring their laptops in to the LAN at least monthly for Windows Updates.
    An email goes out to all the users via distribution lists telling them when updates are ready and that they are to come in as soon as possible (within a week or so) to get updates on the LAN.
    There are always many users who "forget" and we then have to manually send individual hand-typed email reminders to those users after manually looking up who the machines still missing approved updates are assigned to.

    Has anyone developed a way to automate sending email reminders to the assigned users of computers that missed installation deadlines? 
    For instance, if we add the assigned user's email address to the computer account's description field in AD, is there a way to pull reports from WSUS of machines needing updates or with no status and send automatic form letter emails to the assigned user every day until the computer sends an updated status report reflecting it has installed all approved updates?

Answers

  • Friday, November 06, 2009 10:54 PM CitizenRon
     Answer
    I can think of two ways to do this, depending on how your machines are set up.

    If your mobile users' PCs are set up such that you can schedule a process to run every day without them being able to disable it, you could schedule a local script to simply check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect\LastSuccessTime registry value.  A VBScript to perform a DateDiff of that value versus today's date resulting in more than 30 days would cause a popup box to come up telling the user that they must come in for updates.  You could even get really annoying, so that if it was more than 45 days, for example, it would pop up every 4 hours or even more frequently.

    If you can't ensure that the scheduled task would not be able to be disabled, then I would suggest looking at a PowerShell script to run on an administrative machine.  The script (using the "Microsoft.UpdateServices.Administration" assembly, I think) would query your WSUS system, look at the "Last Status Report" field and then somehow figure out from the name of the computer in WSUS to reference that to a user's email address, then send a form email to them telling them to bring the machine in for updates.

    I could make the VBScript to run on the machines needing updates pretty easily but I'm a raw beginner with PowerShell so I'd have to pass on that.  I suppose there's probably a way to do it with VBScript as well but I don't know how to connect to a WSUS system with VBScript.  Probably the best way would be SQL requests to the SUSDB database on your WSUS server.


All Replies

  • Tuesday, November 03, 2009 7:51 PM Lanwench [MVP - Exchange]
     
    Not that I know of; I suspect this is a futile pursuit. For laptop users, I'd just have them use Microsoft Update instead of WSUS - or, adjust your network security to permit the access. I don't see why that can't be allowed, especially via VPN!

    Lanwench [MVP - Exchange] ** Do not fold, spindle or mutilate. Fill in the box completely and erase any stray marks. Use only a #2 pencil.
  • Wednesday, November 04, 2009 2:02 AM MyGposts
     

    There is no outside access to the LAN allowed other than RDP, period.  Also, we do not have the available bandwidth for users to download updates on our LAN from the WAN and management will not buy an additional Windows Server license that would be required for a downstream WSUS server to make different approvals for remote users to pull updates from the web, but this is moot because of the fact that Security will not allow any remote traffic to enter other than RDP through VPN anyway.
    So WSUS access for remote users will never be allowed in our environment for several reasons.
    MSUpdate is not satisfactory because it cannot be verified.  The mandate is for users to bring their laptops in every month when they are notified via email that updates are available.
    The way we do it does work and the users do eventually bring their laptops in or else their accounts are disabled, but it is very labor intensive to deal with determining the assigned user and then looking up their email address and sending repeated emails manually, so we are looking for some way to automate email notifications, just like fully automated email notices go out to users reminding them when their passwords are about to expire.

  • Monday, November 16, 2009 9:45 PM CitizenRon
     
    I've had a little luck in finding some relevant info.  I've recently taken a PowerShell class and the possibilities are quite remarkable.

    On this blog post:  http://lucifist.spaces.live.com/blog/cns!EE1D58B49769505A!157.entry

    is a WSUS-querying PowerShell script that I've adapted for use with my system.  As it is, the script will query my WSUS system (from my remote workstation) and email me a report of all machines in my WSUS system that have outstanding updates pending.

    I've been referencing the Microsoft.UpdateServices.Administration Namespace (at http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration%28VS.85%29.aspx) for options on how to modify it to fit other uses such as the ones you've described but it's just a side project for me so I haven't devoted much time to it.  Perhaps you may be able to use this to make something to fit your purposes.

    The PowerShell script also contains a simple routine to email an HTML-based email message.  You could use a list of computer names cross-referenced to users' email addresses to make the script send email to each user.

    Sorry this is so vague, but I don't know enough yet to put it all together and sometimes you just have to work for your answers.  Good luck!
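
One way the administrative-side approach discussed in this thread could look, as an added example (it is not the blog script referenced above and not code from any poster). It queries WSUS for machines with approved updates outstanding or no recent status report, reads the user's address from the AD computer description as the original question proposed, and mails a form reminder. Server names, addresses and the 30-day threshold are placeholders, and it assumes the WSUS administration console is installed on the machine where it runs.

```powershell
# Added example, not from the thread. All server names and addresses are placeholders.
param(
    [string]$WsusServer = 'wsus01.example.local',
    [int]$Port = 80,
    [string]$SmtpServer = 'smtp.example.local',
    [string]$From = 'patching@example.local',
    [int]$MaxDaysSilent = 30,   # assumption: 30 days, the figure used in the thread
    [switch]$Send               # without -Send the script only lists what it would mail
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)

# Count only updates that are approved for installation.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxDaysSilent)

foreach ($pc in $wsus.GetComputerTargets()) {
    $sum    = $pc.GetUpdateInstallationSummary($scope)
    $needed = $sum.NotInstalledCount + $sum.DownloadedCount + $sum.FailedCount
    # LastReportedStatusTime is UTC; a machine that never reported sorts before the cutoff.
    $silent = $pc.LastReportedStatusTime -lt $cutoff
    if ($needed -eq 0 -and -not $silent) { continue }

    # The name originates from the client's registration, so accept only a
    # plain host name before placing it in an LDAP filter.
    $short = $pc.FullDomainName.Split('.')[0]
    if ($short -notmatch '^[A-Za-z0-9-]{1,15}$') { Write-Warning "Skipping odd name: $short"; continue }

    $hit  = ([adsisearcher]"(&(objectCategory=computer)(name=$short))").FindOne()
    $addr = if ($hit) { "$($hit.Properties['description'])".Trim() } else { '' }
    # The description field is free text; mail only if it holds a single address.
    if ($addr -notmatch '^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$') {
        Write-Warning "No usable address in AD description for $short"; continue
    }

    $body = "Computer $short has $needed approved update(s) outstanding; its last status " +
            "report to WSUS was $($pc.LastReportedStatusTime.ToString('u')). " +
            "Please connect it to the LAN so it can install updates."
    if ($Send) {
        Send-MailMessage -To $addr -From $From -SmtpServer $SmtpServer `
            -Subject "Windows updates required: $short" -Body $body
    } else {
        "{0} -> {1} (needed={2}, silent={3})" -f $short, $addr, $needed, $silent
    }
}
```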