SUS group policy question

JHayes

I have an SUS server setup and working (all win2kpro sp3 machines).

Under computer configuration/administrative templates/windows
components/windows update I have 'Configure Automatic Updates' set to
enabled with option 4. The 'explain' tab says about option 4 "If a user
is logged on to the computer when Windows is ready to restart, the user
will be notified and given the option to delay the restart."

However, non-local admin users are not given an option, the notice pops
up but the 'no' button is greyed out and the only way to get rid of the
msg box is to hit 'yes' to reboot.

Is this behavior caused by the users not being local admin? Is there a
way to let the user choose 'no' without being local admin? I have
removed all other policies from my test box, except the default domain
policy which I cannot remove (but I've looked at it and it doesn't look
like anything would cause this problem), and I still have this problem.

Thanks for any comments.

JHayes
 
Vsevolod Titov [MSFT]

Well, this is expected behavior. A non-admin user should not be able to stop
a security patch from being applied.

You can set the default installation time in the night hours, or whatever time
you don't expect users to be logged on to this machine. By default updates are
installed at 3:00 AM.
 
wcrouse

A more recent .adm file adds another option, 'no auto restarts...' to
group policy for SUS updates. With this setting enabled, updates will
not be installed restarted when any user is logged on. The system will
wait until a user has logged off.
 
JHayes

> Well, this is expected behavior. A non-admin user should not be able to
> stop a security patch from being applied.
>
> You can set the default installation time in the night hours, or whatever
> time you don't expect users to be logged on to this machine. By default
> updates are installed at 3:00 AM.

Sorry for my late response, I've been out with the flu.

Thanks for your response, I thought that was the problem, but we do NOT
want all our users to be local admin. Unfortunately, our policy is to
have users shut down their PCs at the end of the day, so none of the
machines would be able to receive updates after hours. Looks like I need
to get mgmt to change our policy else we annoy users with a msg box that
won't go away unless they reboot.

The idea isn't to let a non-admin user refuse an update, it's to allow
them to delay the update until they are ready to reboot.

JHayes
 
JHayes

> A more recent .adm file adds another option, 'no auto restarts...' to
> group policy for SUS updates. With this setting enabled, updates will
> not be installed restarted when any user is logged on. The system will
> wait until a user has logged off.

I don't think this is correct. The adm I'm using has the 'no auto
restarts' option, however, under the 'explain' tab it says "Instead,
Automatic Updates will notify the user to restart the computer to
complete the installation."

I use this and the user will get the notification, but if they are not
local-admin the 'no' button is greyed out. This seems to be what
Microsoft wants, but since I do not want my users to be local admin it
just means the users will have a 'yes/no' box that won't go away and that
they cannot say no to.

If you can point me to a more recent adm that doesn't force a reboot on a
non-local admin I would be grateful.

What I don't understand is that the user is not 'refusing' the update,
they are simply delaying the reboot needed.

Meh. I'd rather use mbsafu, but the admins in the other sites think
it's too difficult. So I will bend our policy to fit SUS in the name of
unity.

JHayes
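
The settings discussed in this thread can be checked on a client from an export of its Automatic Updates policy key. The following is an added example, not code from any poster in the thread: it parses a `.reg` export and flags the conflict described above, where the scheduled install hour falls in a period when the PCs are shut down. The sample export and the working hours are constructed assumptions; the value names are the ones the Automatic Updates policy writes to the registry.

```python
import re

# Constructed sample: a .reg export of the Automatic Updates policy key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
'''

AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

def parse_au_policy(reg_text):
    """Return the DWORD values found under the AU policy key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only collect values that sit under the AU policy key.
            in_key = line.strip("[]").upper() == AU_KEY.upper()
        elif in_key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)
    return values

def review(values, powered_on_hours):
    """List findings; powered_on_hours is the set of hours (0-23) the PCs are on."""
    if values.get("NoAutoUpdate", 0) == 1:
        return ["Automatic Updates is disabled by policy"]
    if values.get("AUOptions") != 4:
        return ["AUOptions is not 4: installs are not scheduled"]
    findings = []
    # Assumption: fall back to 3, the 3:00 AM default mentioned in the thread.
    hour = values.get("ScheduledInstallTime", 3)
    if hour not in powered_on_hours:
        findings.append(f"scheduled install at {hour:02d}:00 falls while PCs are shut down")
    if values.get("NoAutoRebootWithLoggedOnUsers", 0) != 1:
        findings.append("'no auto restarts' option is not enabled")
    return findings

if __name__ == "__main__":
    # Assumed working day of 08:00-17:59; PCs are off outside it.
    for finding in review(parse_au_policy(SAMPLE_REG), set(range(8, 18))):
        print(finding)
```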
 
