My Users are no Longer Given the Prompt to Reboot

My Users are no Longer Given the Prompt to Reboot

Post by U0pvaG5zb2 » Fri, 15 Jun 2007 03:47:01


reviously in WSUS 2.0 updates would be pushed out at noon, installed, and
the users would be prompted with a box to either reboot now or reboot later.
We upgraded to WSUS 3.0 and now users are not even given the option to reboot
although none of the GPO settings were changed. When a client reports back
to the WSUS server they all say pending reboot. I am copying my GPO settings
here along snipets of a windowsupdate.log

GPO Settings:
WSUS Aerosim
Data collected on: 6/13/2007 1:31:54 PM hide all



Computer Configuration (Enabled)hide
Administrative Templateshide
Windows Components/Security Centerhide
Policy Setting
Turn on Security Center (Domain PCs only) Disabled

Windows Components/Windows Updatehide
Policy Setting
Allow Automatic Updates immediate installation Enabled
Allow non-administrators to receive update notifications Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours): 1

Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 12:00

Policy Setting
Delay Restart for scheduled installations Disabled
Enable client-side targeting Enabled
Target group name for this computer Aerosim

Policy Setting
Enabling Windows Update Power Management to automatically wake up the system
to install scheduled updates Enabled
No auto-restart for scheduled Automatic Updates installations Enabled
Re-prompt for restart with scheduled installations Enabled
Wait the following period before
prompting again with a scheduled
restart (minutes): 30

Policy Setting
Reschedule Automatic Updates scheduled installations Enabled
Wait after system
startup (minutes): 10

Policy Setting
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://aerosimdc01:80
Set the intranet statistics server: http://aerosimdc01:80
(example: http://IntranetUpd01)
-----------------------------------------------------------------------------------
Windows Update Log after updates were pushed out today at Noon which should
have required a reboot.

*********** Setup: Checking whether self-update is required ***********
2007-06-13 13:11:01:610 1536 398 Setup * Inf file:
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wsus3setup.inf
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\cdm.dll: target version = 7.0.6000.374, required version
= 7.0.6000.318
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\wuapi.dll: target version = 7.0.6000.374, required
version = 7.0.6000.318
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\wuapi.dll.mui: target version = 7.0.6000.374, required
version = 7.0.6000.318
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\wuauclt.exe: target version = 7.0.6000.374, required
version = 7.0.6000.318
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\wuaucpl.cpl: target version = 7.0.6000.374, required
version = 7.0.6000.318
2007-06-13 13:11:01:610 1536 398 Setup Update NOT required for
C:\WINDOWS\system32\wuaucpl.cpl.mui: target versi
 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by MSF » Fri, 15 Jun 2007 06:55:52

ell first the Error in your log snippet shows that you are receiving
80240025 for the Client UI (CltUI FATAL) this maps to
WU_E_USER_ACCESS_DISABLED
Group Policy settings prevented access to Windows Update.

So somehow the User Configuration setting has been changed in your Policy,
something WSUS does not do, to disallow all access to Windows Update
features (2007-06-13 13:11:02:860 1536 e60 AU Windows Update is disabled by
policy for

Second I notice that you are running the RC version of WSUS with the RTM
version of the client installed. I would recommend that you upgrade your
WSUS server to RTM.


--
Cecil [MSFT]
Deployment, WSUS
Microsoft

This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"SJohnson_Aerosim" < XXXX@XXXXX.COM > wrote in
message news: XXXX@XXXXX.COM ...


 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by U0pvaG5zb2 » Fri, 15 Jun 2007 07:12:01

ecils thanks for the quick reply. I'm thinking back to our previous
configuration under WSUS 2.0 and I believe we had users locked out from
accessing windows update there as well but the Prompt functionality worked.
The end goal is prevent users from installing updates that our IT department
has not tested and approved since everyone has admin rights on their machine.


The 1st thing I will do tomorrow is upgrade to the RTM version hopefully
this will give me the previous results we had under WSUS 2.0. Going forward
though is it possible to still prevent users from accessing Windows Update
via Group Policy in WSUS 3.0 and still have the reboot prompt functionality?
---------------------------------------------
"Cecils(MSFT)" wrote:

 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by MSF » Fri, 15 Jun 2007 08:00:26

nother option would be Administrative Templates --> System --> Internet
Communication Management --> Internet Communication Settings --> Turn of
access to all Windows Update Features.

This will disable the Internet access to Windows Update, but still allow
Automatic Updates to interact with the WSUS server. This is also predicated
on the fact that you no longer configure the User Setting denying the same
functionality. The USER setting will remove ALL access to Windows Update
features, to include updating from WSUS.


Hope this helps :)
--
Cecil [MSFT]
Deployment, WSUS
Microsoft

This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"SJohnson_Aerosim" < XXXX@XXXXX.COM > wrote in
message news: XXXX@XXXXX.COM ...

 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by U0pvaG5zb2 » Fri, 15 Jun 2007 12:07:00

ecils,

You were dead on - upgraded to RTM and changed that GPO per your suggestions
and we're back in business.
------------------------------------------------------------------------------
"Cecils(MSFT)" wrote:

 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by Andy Smit » Thu, 21 Jun 2007 00:53:49

n 14 Jun, 04:07, SJohnson_Aerosim
< XXXX@XXXXX.COM > wrote:
>> >> > ...> >> > read more Hide quoted text >
> - Show quoted text -

We are not running WSUS 3.0 yet, but seems in our 2.0 SP1 environment
that the install of the AU client update 936301 onto the WSUS server
has stopped the restart prompt appearing for end users. I guess I
didn't thoroughly check 936301 first, but was not aware it would put
the new AU client into the /Selfupdate folder so existing clients
would get it. Had a couple of users over the past couple of days, who
had pending updates, and they had a restart after the 30 minute
countdown (we enforce the restart at our site) but they did NOT
receive the 'Restart required, your computer will restart in 30
minutes' prompt as usual.

Windowsupdate.log reads as follows -

Launched new AU client for directive 'Reboot Warning', session id =
0x0
2007-06-19 15:00:29:138 856 444 AU Windows Update is disabled by
policy for user

So I assume from reading the rest of this post that the v7.0 client
now requires Windows update access to be enabled by policy otherwise
the restart prompt will not appear? So is that a bug that was in the
old AU client in that it should not have been displaying any message
if windows update was disabled, but it did anyway, or was it working
as intended but the new AU client has broken it?

In any event, will look at enabling WU access, but switching off the
internet access to WU as per suggestion above.





 
 
 

My Users are no Longer Given the Prompt to Reboot

Post by stevesalte » Fri, 06 Jul 2007 21:09:04

This is a major issue for me. This is definitely a change in behavior
from the 2.0 AU client behavior.

We have the "disable access to automatic updates" gpo set so that
users don't see the "downloading xx%" bubble or the "your updates are
downloaded" bubble in the systray. However, they have always seen the
reboot prompt if the system is left logged in when the patches are
installed because we have the "don't reboot logged on users" gpo set.
We ran wsus 2.0 configured this way for over a year. Now, with wsus
3.0, I'm seeing logs full of:

=========== Logging initialized (build: 7.0.6000.374, tz: -0400)
===========
2007-07-05 07:52:36:592 3788 d38 Misc = Process: C:\WINNT
\system32\wuauclt.exe
2007-07-05 07:52:36:592 3788 d38 Misc = Module: C:\WINNT
\system32\wucltui.dll
2007-07-05 07:52:36:592 3788 d38 CltUI FATAL: Failed to get
notification handle, hr=80240025
2007-07-05 07:52:36:748 1360 220 AU AU received handle event
2007-07-05 07:52:51:780 1360 220 AU Launched new AU client for
directive 'Reboot Pending', session id = 0x0

I hope this isn't a change to the behavior of the client but it
appears that's the case. Does anyone have any ideas?