none
Reboot behavior - WSUS Clients RRS feed

  • Question

  • Hello,

    We are using WSUS 3.0 SP2 to monitor and deploy updates on the servers of our clients. Everything is working very well. The only problem is that some of them are rebooting, we don't want this.

    Normally we have a users on the server that's always logged in, but when he logs out, the server reboots (we think). Below you see the registry settings of the clients.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://WSUSServer:xxxx"
    "WUStatusServer"="http://WSUSServer:xxxx"
    "ElevateNonAdmins"=dword:00000000 
    "AcceptTrustedPublisherCerts"=dword:00000001
    "DisableWindowsUpdateAccess"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "ScheduledInstallDay"=dword:00000000
    "ScheduledInstallTime"=dword:00000003
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "AutoInstallMinorUpdates"=dword:00000001
    "RebootRelaunchTimeoutEnabled"=dword:00000001
    "RebootRelaunchTimeout"=dword:0000003c
    "RescheduleWaitTimeEnabled"=dword:00000001
    "RescheduleWaitTime"=dword:0000000f
    "DetectionFrequencyEnabled"=dword:00000001
    "RebootWarningTimeoutEnabled"=dword:00000001
    "RebootWarningTimeout"=dword:0000001e
    "UseWUServer"=dword:00000001
    "NoAUShutdownOption"=dword:00000000
    "NoAUAsDefaultShutdownOption"=dword:00000000

    "NoAutoRebootWithLoggedOnUsers"=dword:00000001

    Range = 0|1

    • 1 = Logged-on user can decide whether to restart the client computer.
    • 0 = Automatic Updates notifies the user that the computer will restart in 15 minutes.

    I Think this one is causing the problem, is this possible? Is there anyway to disable automatic reboots completely?

    Thank you very much.


    Thank you very much, Jente


    • Edited by Nqfmekdjf Friday, May 10, 2013 12:26 PM
    Friday, May 10, 2013 9:54 AM

Answers

  • The only problem is that some of them are rebooting, we don't want this.

    Rebooting is a requirement of installing an update. You don't control the reboot; you control the installation of the updates.

    Normally we have a users on the server that's always logged in

    Hmmm.. I'd argue this is a non-optimal approach for two reasons:

    One, that you've already noticed -- a console user logging out and ignoring the dialogs can wreak havoc on the server (read: it DOES reboot when the console user logs off after updates have been installed).

    Two, users ought not to be logging onto servers from the *console* anyway.. but I'm just a pedantic purist, so take that with a grain of salt (but #1 is a major reason why #2 is a true statement).

    "DisableWindowsUpdateAccess"=dword:00000001

    Ahhh, so the logged in administrator isn't even seeing the dialogs!

    "AUOptions"=dword:00000004

    Why do your servers have *scheduled* installation events?

    "ScheduledInstallDay"=dword:00000000

    "ScheduledInstallTime"=dword:00000003

    Are you copasetic with your servers being able to install updates on any day of the week at 3am and rebooting? That is how they're currently configured.

    "NoAutoRebootWithLoggedOnUsers"=dword:00000001

    This setting is designed for desktop users. Somewhat pointless on a server, since presumably the administrator logged onto that server has not been blocked from getting reboot notifications, and thus could (but not in this case) simply defer the reboot. In this case, though, you've granted an ability to use a feature with this setting, and then overridden it (taking it away with Turn off access to all Windows Update features).

    Which begs the question about admins who are logging off the servers after installations and causing reboots. The only way this could happen is if administrators stay LOGGED IN to the server overnight .... to my point above, THREE -- Administrators should always LOG OFF of a server console when they walk away from that console. (Although see point #2.)

    "RebootRelaunchTimeoutEnabled"=dword:00000001

    "RebootRelaunchTimeout"=dword:0000003c

    "RebootWarningTimeoutEnabled"=dword:00000001

    "RebootWarningTimeout"=dword:0000001e

    Pointless settings since Turn off access to all Windows Update features is preventing a user from using these features anyway.

    "RescheduleWaitTimeEnabled"=dword:00000001

    "RescheduleWaitTime"=dword:0000000f

    Also a pointless setting for a server ... servers should *never* be allowed to install updates at POWER-ON! (This particular configuration actually initiates the installation 15 minutes after power-on, maybe even an uglier scenario when you consider the implications.)

    Is there anyway to disable automatic reboots completely?

    Don't install the updates.  


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Nqfmekdjf Thursday, May 16, 2013 8:08 AM
    Friday, May 10, 2013 9:39 PM
    Moderator

All replies

  • Hello,

    I'm trying to reproduce the problem on a test server, and gues what; I Can't reproduce it.


    Thank you very much, Jente

    Friday, May 10, 2013 11:15 AM
  • Hello,

    I'm trying to reproduce the problem on a test server, and gues what; I Can't reproduce it.


    Thank you very much, Jente

    A good configure guide for setting up clients for WSUS is located at Thwack.

    Configuring your first WSUS Client

    Hope this helps.

    Friday, May 10, 2013 4:01 PM
  • The only problem is that some of them are rebooting, we don't want this.

    Rebooting is a requirement of installing an update. You don't control the reboot; you control the installation of the updates.

    Normally we have a users on the server that's always logged in

    Hmmm.. I'd argue this is a non-optimal approach for two reasons:

    One, that you've already noticed -- a console user logging out and ignoring the dialogs can wreak havoc on the server (read: it DOES reboot when the console user logs off after updates have been installed).

    Two, users ought not to be logging onto servers from the *console* anyway.. but I'm just a pedantic purist, so take that with a grain of salt (but #1 is a major reason why #2 is a true statement).

    "DisableWindowsUpdateAccess"=dword:00000001

    Ahhh, so the logged in administrator isn't even seeing the dialogs!

    "AUOptions"=dword:00000004

    Why do your servers have *scheduled* installation events?

    "ScheduledInstallDay"=dword:00000000

    "ScheduledInstallTime"=dword:00000003

    Are you copasetic with your servers being able to install updates on any day of the week at 3am and rebooting? That is how they're currently configured.

    "NoAutoRebootWithLoggedOnUsers"=dword:00000001

    This setting is designed for desktop users. Somewhat pointless on a server, since presumably the administrator logged onto that server has not been blocked from getting reboot notifications, and thus could (but not in this case) simply defer the reboot. In this case, though, you've granted an ability to use a feature with this setting, and then overridden it (taking it away with Turn off access to all Windows Update features).

    Which begs the question about admins who are logging off the servers after installations and causing reboots. The only way this could happen is if administrators stay LOGGED IN to the server overnight .... to my point above, THREE -- Administrators should always LOG OFF of a server console when they walk away from that console. (Although see point #2.)

    "RebootRelaunchTimeoutEnabled"=dword:00000001

    "RebootRelaunchTimeout"=dword:0000003c

    "RebootWarningTimeoutEnabled"=dword:00000001

    "RebootWarningTimeout"=dword:0000001e

    Pointless settings since Turn off access to all Windows Update features is preventing a user from using these features anyway.

    "RescheduleWaitTimeEnabled"=dword:00000001

    "RescheduleWaitTime"=dword:0000000f

    Also a pointless setting for a server ... servers should *never* be allowed to install updates at POWER-ON! (This particular configuration actually initiates the installation 15 minutes after power-on, maybe even an uglier scenario when you consider the implications.)

    Is there anyway to disable automatic reboots completely?

    Don't install the updates.  


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Nqfmekdjf Thursday, May 16, 2013 8:08 AM
    Friday, May 10, 2013 9:39 PM
    Moderator
  • Hello,

    This is a very helpful answer. Thank you very much! I definitely will change my registry settings and test it.


    Thank you very much, Jente

    Thursday, May 16, 2013 8:09 AM
  • "DisableWindowsUpdateAccess"=dword:00000000

    When I have this settings; Are normal users (no Admins) able to access Windows Update?


    Thank you very much, Jente

    Friday, May 17, 2013 3:14 PM
  • "DisableWindowsUpdateAccess"=dword:00000000

    When I have this settings; Are normal users (no Admins) able to access Windows Update?

    It depends. :-)

    On Windows XP/2003, no. Standard users have no privileges to interact with the WindowsUpdateAgent, unless the option "Allow non-admins to receive update notifications" has been enabled, which you have not. (The "ElevateNonAdmins" value controls this.)

    On Windows Vista/7, yes. All standard users have full privileges to interact with the Control Panel | Windows Update applet, unless explicitly blocked by policy. (Which is what "DisableWindowsUpdateAccess" was doing.)

    On Windows 2008/2008R2, there are a couple factors at play. Fundamentaly, all standard users have full privileges, but it turns out that on the Server OS, the setting for "Allow all users to install updates on this computer", found in the Windows Update | Change Settings screen, is unchecked. If that option is enabled, then non-admin users will have privileges; otherwise, only the Administrator account has privileges.

    Generally on the server operating systems, though, the only time non-admin users are part of the picture is on a Terminal Services/Remote Desktop Services server; otherwise, people logged onto the server are almost univerally administrators in their own right.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, May 29, 2013 11:21 PM
    Moderator
  • Hi Lawrence,

    We are believing Microsoft in that much level. So can't stop the update installation. Considering the server availability we administrators not getting downtime as we desired. So, Microsoft should give the support for server OS to prevent the reboot the server in logged-off mode after windows update installation. I have a suggestion that I'm giving below. If it is possible, it is very helpful to the world of Windows administrators. 

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

    "NoAutoRebootWithLoggedOffUsers"=dword:00000001

    Expecting a positive feedback from Microsoft.


    jackril

    Friday, September 9, 2016 8:20 AM
  • Hi Lawrence,

    We are believing Microsoft in that much level. So can't stop the update installation. Considering the server availability we administrators not getting downtime as we desired. So, Microsoft should give the support for server OS to prevent the reboot the server in logged-off mode after windows update installation. I have a suggestion that I'm giving below. If it is possible, it is very helpful to the world of Windows administrators. 

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

    "NoAutoRebootWithLoggedOffUsers"=dword:00000001

    Expecting a positive feedback from Microsoft.


    jackril

    Hi, Microsoft I'm waiting for your prompt reply, to my suggestion given above.

    jackril

    Sunday, April 23, 2017 11:43 AM
  • I do not think Microsoft monitors this newsgroup.

    • Edited by antwesor Tuesday, April 25, 2017 4:34 PM
    Tuesday, April 25, 2017 4:33 PM