Should you force a reboot after pushing out Windows updates?
Solution 1:
I would just like to get on my auto-reboot soapbox for a second: it's been my experience that automatically/forcing a reboot is generally a bad idea.
We system admins often have somewhat of a complex about making sure the latest patch has been applied the second it's installed because OMG until then the system is unpatched. However, you must realize that system admins at least theoretically are there to enable the people who use the system to do their work.
If you automatically reboot once a patch is installed, and, say, the workstation's system clock has been reset, thinking it's 2 AM, and some poor Dilbert loses work, you've made a huge gaff. In my opinion, it's a much bigger gaff than having a temporarily unpatched system on the network.
In my experience, having some sort of un-dismissable message telling the user to reboot is usually a better idea. Let them finish their work and reboot over lunch, or ask them to shut down their workstation at night, or something that fits into your organization nicely.
That being said, when I helped to administer 12 computer labs in a college, we had defined downtime when we knew for certain that nobody was going to be using any of the machines because the doors were locked. That is a situation in which autorebooting is surely ok; it's just the autonomous forced automatic work stoppage that irks me.
Solution 2:
We auto install then delay the restart for the install for 30 mins - prompts the user to reboot now and if there is no response in 30 mins then it reboots the machine. There was some initial grumbling but that have gotten used to it. If they are in the middle of something they can click "reboot later" to delay the reboot until a good time. But they will be prompted every 30 mins. It is a nice balance between just rebooting on the users and having them never install the updates.
EDIT:
Update - sorry missed the setting when i was double checking my GPO setting, the Re prompt for reboot is independently configurable. So you can set the delay before it prompts again. Also this is for a 2003 enviroment, they may have added/changed options in 2008