WSUS & GPOs - Force restart and disable choosing updates W12R2

My objective is that Windows Update runs every day, installs all available updates and (if necessary) automatically restarts the computer, giving users the chance to postpone it for a maximum of 4 hours...

I think I am almost done setting up a WSUS for our small infrastructure here, however there are still issues bothering me.

  • Which GPO setting should I use to force my clients to automatically install all available updates for their respective groups? ("Allow Automatic Updates immediate installation" isn't working...)

  • Which GPO can I use to disable the "Select the updates to install" in the Windows Update client application?

Thanks in advance!


Solution 1:

You want to use Configure Automatic Updates and choose Download and Install, Every Day, and a time.


I don't believe there's a maximum number of "postpone reboots" or a way to turn off the selection screen, but if it applies before the user arrives you won't have that problem.

Solution 2:

Katherine's answer is good, but here's some additional information:

You probably don't want to force a reboot on your users. The end result of this is eventually almost always the same: some poor user loses 8 hours of unsaved work when the computer restarts on him unexpectedly. Combining the schedule Katherine described above with the "No auto-restart with logged on users for scheduled automatic updates installation" policy ensures that the computer will always install all the updates available at the scheduled time, but will only reboot if there are no users logged on. In my environment, we require users to log off and reboot when they leave for the day.

The "Allow Automatic Updates immediate installation" policy that you mentioned only means that updates not requiring a restart will be installed in real-time, i.e. they won't wait until the scheduled install time. Using this in conjunction with the above policies affords you the ability to install a vast majority of updates as they are approved, while holding those that require a restart until after hours.

There is no way to disable the "Select the updates to install" screen; however, if you have UAC enabled (as you should) and your users aren't local administrators (they shouldn't be), attempting to do anything in the Windows Update client will throw a UAC prompt for administrative credentials. This effectively prevents them from changing anything with updates.
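
The following is an added example, not part of either answer: a PowerShell check that a client actually received the three policies discussed above, by reading the registry values those policies write. The function name `Test-WuPolicy` and the table of expected values are assumptions chosen for this illustration, and the sample hashtable is constructed.

```powershell
# Registry key written by the Windows Update GPO settings (Automatic Updates section).
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Assumed baseline: install every day on a schedule, reboot only when nobody is logged on.
$Expected = [ordered]@{
    NoAutoUpdate                  = 0  # "Configure Automatic Updates" is Enabled
    AUOptions                     = 4  # 4 = auto download and schedule the install
    ScheduledInstallDay           = 0  # 0 = every day
    NoAutoRebootWithLoggedOnUsers = 1  # "No auto-restart with logged on users..."
    AutoInstallMinorUpdates       = 1  # "Allow Automatic Updates immediate installation"
    UseWUServer                   = 1  # client uses the WSUS server, not Microsoft Update
}

function Test-WuPolicy {
    param(
        # Value name -> data. When omitted, the live registry key is read instead.
        [hashtable]$Values
    )
    if (-not $PSBoundParameters.ContainsKey('Values')) {
        $Values = @{}
        $item = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($p in $item.PSObject.Properties) { $Values[$p.Name] = $p.Value }
        }
    }
    foreach ($name in $Expected.Keys) {
        $isSet  = $Values.ContainsKey($name)
        $actual = if ($isSet) { $Values[$name] } else { '<not set>' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = $isSet -and ([int]$Values[$name] -eq $Expected[$name])
        }
    }
}

# Constructed sample (not from a real host): AUOptions is 3 (notify before install)
# and the reboot guard is missing, so two rows come back with Ok = False.
$sample = @{
    NoAutoUpdate = 0; AUOptions = 3; ScheduledInstallDay = 0
    AutoInstallMinorUpdates = 1; UseWUServer = 1
}
Test-WuPolicy -Values $sample | Format-Table -AutoSize
```

Run `Test-WuPolicy | Format-Table -AutoSize` with no arguments on a client after `gpupdate /force` to check the live values; a row showing `<not set>` means the corresponding policy is not reaching that machine.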