
Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net

[Windows] Allow reboot for WU unless certain program is running?

I run IT for a University Lab. Several of the machines are running Windows and are used exclusively as hosts to control scientific instruments. When the instruments are running, they can be collecting data continuously for up to a week at a time, but they are only running about 15% of the time (or 3-5 days a month).

At the moment, I have automatic updates disabled on these machines because I can't risk the machine rebooting to finish installing an update while the instrument software is running. This creates additional IT overhead. We have other machines that also control instruments, but those instruments only run for minutes (or a few seconds) at a time, and not overnight, so automatic updates are fine.

Is there a way for me to set a policy that allows a machine to reboot automatically for updates unless a particular program (hopefully parameterized by name) is running? We can easily quit the control software unless an active run is in place. We also have an Active Directory domain set up and all of the instrument machines are joined to it.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.


guppy_fish
Premium
join:2003-12-09
Lakeland, FL
kudos:1
Reviews:
·Verizon FiOS

If it ain't broken, don't try and fix it!!!!

It's working just fine doing the research data control or collection and shouldn't even be touched, unless something is broken and you are specificy requested to apply an update.

It creates IT overhead? Why is that? Just have it set up in a GPO that never does updates, very simple.

I strongly suggest you inventory what does what and make sure you're not breaking critical systems with useless Windows updates.



alanxenos
Dispatches from Chiraq

join:2008-09-26
Winnetka, IL
Reviews:
·T-Mobile US
·AT&T U-Verse
·Sprint Broadband..

said by guppy_fish:

If it ain't broken, don't try and fix it!!!!

It's working just fine doing the research data control or collection and shouldn't even be touched, unless something is broken and you are specificy [sic] requested to apply an update.

Exactly. Assuming these machines are ONLY used for monitoring/collecting data from instruments over local busses, updates should be a non-issue. Really, these should not even be on the network to minimize risk.
--
»www.speedtest.net/result/3297485581.png

Vinch

join:2007-10-24
Pointe-Claire, QC
reply to Daemon

Windows Update can be set up to automatically install updates but not to restart using group policy. You will be stuck with a pesky restart now/later (4hr max reminder) window following updates. As far as I know, there is no setting to control further.
Alternatively, maybe you could write some sort of script to stop the automatic updates service when you launch the instrumentation software?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to guppy_fish

Scheduled maintenance windows.


Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net
reply to alanxenos

said by alanxenos:

said by guppy_fish:

If it ain't broken, don't try and fix it!!!!

It's working just fine doing the research data control or collection and shouldn't even be touched, unless something is broken and you are specificy [sic] requested to apply an update.

Exactly. Assuming these machines are ONLY used for monitoring/collecting data from instruments over local busses, updates should be a non-issue. Really, these should not even be on the network to minimize risk.

For reasons related to organization-wide policies beyond my control, the machines must remain networked. Assume that's the case and they are connected with a publicly-accessible IP address.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.


The WeaseL
Premium
join:2001-12-03
Minnesota
reply to Daemon

You can set it to install updates but not auto restart. It will pop up a box in the corner every couple hours asking to restart. This is probably your best option.

I'm sure there is a way to script it with PowerShell, but I wouldn't go that route based on what you are doing here. This would get the updates installed and leave the decision to reboot in the hands of a person.
--
How lucky am I to have known someone who is so hard to say good-bye to.
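
A scheduled-task script that combines the install-without-auto-restart policy with the process check asked for in the original question, as an added example that is not part of any post in this thread. The process name `InstrumentControl` and the grace period are assumptions, and the script assumes lab staff quit the control software whenever no run is active.

```powershell
# Added example, not from the thread. Run as SYSTEM from a scheduled task
# (for example hourly) on machines set to install updates without auto-restart.
param(
    [string]$InstrumentProcess = 'InstrumentControl',  # hypothetical name, without .exe
    [int]$GraceSeconds = 300                           # warning period before restart
)

# Keys Windows creates when an installed update is waiting for a restart.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$pending = $pendingKeys | Where-Object { Test-Path $_ }
if (-not $pending) {
    Write-Output 'No update restart pending; nothing to do.'
    exit 0
}

# Assumption: the control software is closed whenever no run is active,
# so a running process means the restart must wait.
$running = Get-Process -Name $InstrumentProcess -ErrorAction SilentlyContinue
if ($running) {
    $ids = ($running | ForEach-Object { $_.Id }) -join ', '
    Write-Output "Restart pending but $InstrumentProcess is running (PID $ids); deferring."
    exit 0
}

# Nothing is collecting data: schedule the restart with a visible warning.
# Anyone at the console can cancel with 'shutdown /a' during the grace period.
Write-Output "Restart pending and $InstrumentProcess not running; restarting in $GraceSeconds s."
shutdown.exe /r /t $GraceSeconds /c "Restarting to finish Windows updates. Run 'shutdown /a' to cancel."
```

Because the task's output records every deferral, redirecting it to a log file shows how long a patched machine has been waiting for its restart.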


mikefxu

join:2004-10-05
Titusville, FL

said by The WeaseL:

You can set it to install updates but not auto restart. It will pop up a box in the corner every couple hours asking to restart. This is probably your best option.

I have one user that fights the restart for weeks. When I ask everyone to close out all their programs and files so I can update and restart the servers I take care of theirs also.


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5
reply to guppy_fish

said by guppy_fish:

It creates IT overhead?

The IT overhead is that these machines, not participating in automatic updates, have to be updated manually when the time is right. Somebody has to keep a list, check it twice, etc.

Pain in the ass.
--
Stephen J. Friedl | Unix Wizard | Security Consultant | KA8CMY | Southern California USA | my web site


The WeaseL
Premium
join:2001-12-03
Minnesota
reply to mikefxu

said by mikefxu:

said by The WeaseL:

You can set it to install updates but not auto restart. It will pop up a box in the corner every couple hours asking to restart. This is probably your best option.

I have one user that fights the restart for weeks. When I ask everyone to close out all their programs and files so I can update and restart the servers I take care of theirs also.

I'm guilty of clicking postpone for a few days before finally rebooting.
--
How lucky am I to have known someone who is so hard to say good-bye to.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Daemon

Windows update keeps its operational parameters in the registry. There is a well-documented API to the registry. Create a wrapper program that saves, disables, and restores 'auto update reboot'.
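
One way to write the save/disable/restore wrapper described above, as an added example that is not part of the original post. It assumes the `NoAutoRebootWithLoggedOnUsers` policy value is the setting being toggled, and the instrument executable path is a placeholder.

```powershell
# Added example, not from the thread. Launch the instrument software through
# this wrapper from an elevated session (it writes under HKLM).
param(
    [string]$InstrumentExe = 'C:\Instrument\Control.exe'   # placeholder path
)

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$name  = 'NoAutoRebootWithLoggedOnUsers'

# Save: remember the current value ($null means the value was not set).
if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
$saved = (Get-ItemProperty -Path $auKey -Name $name -ErrorAction SilentlyContinue).$name

try {
    # Disable: 1 = no automatic restart for scheduled installs while a user is logged on.
    Set-ItemProperty -Path $auKey -Name $name -Value 1 -Type DWord

    # Run the instrument software and block until it exits.
    Start-Process -FilePath $InstrumentExe -Wait
}
finally {
    # Restore: put the old value back, or remove ours if there was none.
    if ($null -eq $saved) {
        Remove-ItemProperty -Path $auKey -Name $name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $auKey -Name $name -Value $saved -Type DWord
    }
}
```

On domain-joined machines a Group Policy refresh can rewrite this value mid-run, and the setting only holds while a user stays logged on, so the session must remain open for the whole collection.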


Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to Daemon

Another idea could be a "Meatspace" policy combined with install but not restart. This policy would be that when the science is done and they download their data to the server or whatever they use to take it back to their classroom or office, they reboot the computer. Perhaps even a reboot before starting their science stuff too. Get that habit going and the install but not reboot is not as much of an issue.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:2
reply to Daemon

The Windows Update service can also be started from the command line, and the actual updating can be as well. See here for more information:

»technet.microsoft.com/en-us/libr···%29.aspx

One could set the Windows Update service to manual, and then create a batch/cmd file that first starts the service, pauses 10 seconds, then checks for updates, and installs them, followed by a system reboot.

That in turn can be turned into a cmd file that is either run by the lab people as part of a standard procedure, e.g. when the data collection is done, click this icon here to start the Windows Update process and reboot the machine. Alternatively, it can be invoked remotely if so desired.

Another thing you may be able to do is schedule the updates to install on a certain day of the month. If there is such a day, where data collections are not running in the lab, then you can schedule the Windows update and reboot on that particular day.
--
"I reject your reality and substitute my own!"



PToN
Premium
join:2001-10-04
Houston, TX
reply to Daemon

My experience in these types of environments is not to do any Windows updates.

Many of these tools, programs, and libraries may break because a system file was updated (for whatever reason).

We have X-Ray machines, SMT machines, Optical inspection stations, etc.; all run specialized software and are connected to specialized IO cards. We do not update these machines at all. The only time we update them is whenever the manufacturer sends a technician to update the software or we are instructed to do so by the company who makes/supports the machine/software.


Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net

said by PToN:

My experience in these types of environments is not to do any Windows updates.

Many of these tools, programs, and libraries may break because a system file was updated (for whatever reason).

We have X-Ray machines, SMT machines, Optical inspection stations, etc.; all run specialized software and are connected to specialized IO cards. We do not update these machines at all. The only time we update them is whenever the manufacturer sends a technician to update the software or we are instructed to do so by the company who makes/supports the machine/software.

That would be doable if the machines weren't networked with a publicly accessible IP address. Security updates in that situation become must-installs, and typically must-install ASAP.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.

guppy_fish
Premium
join:2003-12-09
Lakeland, FL
kudos:1
Reviews:
·Verizon FiOS

said by Daemon:

That would be doable if the machines weren't networked with a publicly accessible IP address. Security updates in that situation become must-installs, and typically must-install ASAP.

So put that network behind a commercial grade router/firewall with strong ACL protection. Much less work than the risk of updates to critical machines

Daemon
Premium
join:2003-06-29
Berkeley, CA
Reviews:
·Comcast
·webpass.net

said by guppy_fish:

said by Daemon:

That would be doable if the machines weren't networked with a publicly accessible IP address. Security updates in that situation become must-installs, and typically must-install ASAP.

So put that network behind a commercial grade router/firewall with strong ACL protection. Much less work than the risk of updates to critical machines

I appreciate that many consider best practice to not install the updates at all for critical systems. However, years of experience with our particular software set in combination with the organizational policies I am subject to have taught me that is not best practice for my particular situation.

I could go on and on about the particulars of our situation and the peculiar insanities of academic IT, but I won't waste time on what is a moot point anyway. Suffice it to say, I can't do what you suggest, even though I would love to.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.


maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:2

said by Daemon:

said by guppy_fish:

said by Daemon:

That would be doable if the machines weren't networked with a publicly accessible IP address. Security updates in that situation become must-installs, and typically must-install ASAP.

So put that network behind a commercial grade router/firewall with strong ACL protection. Much less work than the risk of updates to critical machines

I appreciate that many consider best practice to not install the updates at all for critical systems. However, years of experience with our particular software set in combination with the organizational policies I am subject to have taught me that is not best practice for my particular situation.

I could go on and on about the particulars of our situation and the peculiar insanities of academic IT, but I won't waste time on what is a moot point anyway. Suffice it to say, I can't do what you suggest, even though I would love to.

To quote Morpheus: Some rules can be bent, others can be broken.

I think your best scenario is to create a batch file that will start the update process, update the machine, and reboot it.... and put an icon to that batch file on the desktop, and have the lab people that run data collections simply double click that once the data collection has finished.
--
"I reject your reality and substitute my own!"