Should you force a reboot after pushing out Windows updates?

Solution 1:

I would just like to get on my auto-reboot soapbox for a second: it's been my experience that automatically/forcing a reboot is generally a bad idea.

We system admins often have somewhat of a complex about making sure the latest patch has been applied the second it's installed because OMG until then the system is unpatched. However, you must realize that system admins at least theoretically are there to enable the people who use the system to do their work.

If you automatically reboot once a patch is installed, and, say, the workstation's system clock has been reset, thinking it's 2 AM, and some poor Dilbert loses work, you've made a huge gaffe. In my opinion, it's a much bigger gaffe than having a temporarily unpatched system on the network.

In my experience, having some sort of un-dismissable message telling the user to reboot is usually a better idea. Let them finish their work and reboot over lunch, or ask them to shut down their workstation at night, or something that fits into your organization nicely.

That being said, when I helped to administer 12 computer labs in a college, we had defined downtime when we knew for certain that nobody was going to be using any of the machines because the doors were locked. That is a situation in which autorebooting is surely ok; it's just the autonomous forced automatic work stoppage that irks me.

Solution 2:

We auto install then delay the restart for the install for 30 mins - prompts the user to reboot now and if there is no response in 30 mins then it reboots the machine. There was some initial grumbling but they have gotten used to it. If they are in the middle of something they can click "reboot later" to delay the reboot until a good time. But they will be prompted every 30 mins. It is a nice balance between just rebooting on the users and having them never install the updates.

EDIT:

Update - sorry, missed the setting when I was double checking my GPO setting, the re-prompt for reboot is independently configurable. So you can set the delay before it prompts again. Also this is for a 2003 environment, they may have added/changed options in 2008.
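
The restart delay and re-prompt interval discussed in Solution 2 can be checked on a client by reading what Group Policy actually wrote there. The following is an added example, not part of either answer: a PowerShell function (the name `Get-AuRebootPolicy` is made up for this illustration) that reads the Automatic Updates policy key and reports the resulting reboot behaviour. It assumes the settings are delivered through the Windows Update administrative template, which stores them under the key shown.

```powershell
# Added example: report the Windows Update reboot policy this machine received via GPO.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuRebootPolicy {
    param([string]$Path = $AuKey)

    if (-not (Test-Path -Path $Path)) {
        return 'No Automatic Updates policy key found: no GPO is controlling reboots on this machine.'
    }
    $p = Get-ItemProperty -Path $Path
    $report = @()

    # AUOptions 4 = download automatically and install on a schedule.
    # ScheduledInstallDay 0 = every day, 1-7 = Sunday-Saturday.
    if ($p.AUOptions -eq 4) {
        $report += "Scheduled install: day $($p.ScheduledInstallDay), hour $($p.ScheduledInstallTime)"
    } else {
        $report += "AUOptions = '$($p.AUOptions)': updates are not installed on a schedule"
    }

    # Policy: "Delay Restart for scheduled installations"
    if ($p.RebootWarningTimeoutEnabled -eq 1) {
        $report += "Restart countdown after install: $($p.RebootWarningTimeout) min"
    } else {
        $report += 'Restart countdown: not set by policy'
    }

    # Policy: "Re-prompt for restart with scheduled installations"
    if ($p.RebootRelaunchTimeoutEnabled -eq 1) {
        $report += "Re-prompt after the user postpones: every $($p.RebootRelaunchTimeout) min"
    } else {
        $report += 'Re-prompt interval: not set by policy'
    }

    # Policy: "No auto-restart with logged on users for scheduled automatic updates installations"
    if ($p.NoAutoRebootWithLoggedOnUsers -eq 1) {
        $report += 'Logged-on users are never rebooted automatically; the patch stays pending until they restart'
    } else {
        $report += 'Note: the machine can reboot under a logged-on user once the countdown expires'
    }
    $report
}

Get-AuRebootPolicy
```

Running it across a sample of workstations shows whether the balance described above (prompt, countdown, re-prompt) is what clients actually received, and which machines are left with patches installed but pending a restart.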