Windows Updates on Desktop PCs - Forcing Install & Reboots

 

This page provides information on how Windows Updates are configured on "domain bound devices" (desktops & some laptops).

Description (What are we changing?)

CSCS will be changing the way Windows Updates are managed on our supported computers. We will be moving from a system whereby users have to be aware of the updates & choose to install them, to one where they are automatically installed and the system will then prompt for a reboot. This change will be made on all Windows devices managed by CSCS, over the next few months.

You will see several prompts over a 7-day period warning you that a reboot must be done to complete the update installation - if a reboot still has not happened after 7 days you will see a warning that it will automatically reboot in 1 hour. Shortly before the 1-hour timer is up, you will receive another prompt warning you it will reboot in 5 minutes, before it then automatically reboots.

If nobody is signed in to the PC and it is outside of the “Active Hours” (8 am to 5 pm), the machine will reboot automatically.

If you have purchased a laptop in the last 3 years this will be familiar, as we have already been doing this for laptops on our “Remote Management Service” - this will simply be bringing the remainder of the estate to the same place.

Why are we doing this?

CSCS are making this change to ensure the security & integrity of our Windows estate. We have noticed a significant portion of devices (over 27%!) have not installed critical updates in at least 6 months. Unpatched devices present a security risk not only to the PC itself, but also to anyone using it and to the rest of the estate - we’ve all heard about the increasing cyber-attacks happening around the world.

This will also mean that CSCS are better able to meet the stringent security requirements that various groups & funding bodies are beginning to require - meaning we can better support you in your work.

Can I do anything to prepare?

Yes! Before we change the way updates are handled, you can manually check for any pending updates and set them to install - this will mean you can choose to install them at the end of the day & reboot your PC rather than have it forced on you. If there are a lot of missing updates, it’s likely to take quite a while to install them all.

Manually installing the updates

Open the Start menu, type in “Update” - click on the “Check for Updates” result to launch the Windows Update window:

[Screenshot: Windows Update Start menu search result]

Once the window opens, check whether it says “You’re up to date” and shows a recent time for when it last checked for updates - if the date & time are recent and it’s up to date then you don’t need to worry! If the last check was more than a week ago, click the “Check for Updates” button to check for any new updates:

[Screenshot: Windows Update window]

If you instead have a list of updates waiting to be installed or downloaded, please click the “Install Now” button to install them, or if it says “Pending restart” then restart your PC - but please note that the reboot may take some time while it installs the updates:

If you had updates that needed to be installed & a reboot was required, please run through the above steps again to ensure you have all the missing updates installed!

Impact

If you have been regularly installing the updates & rebooting your device, the only change you are likely to notice is that the updates will install automatically, and you are simply prompted to schedule a reboot for your PC.

How often will updates be pushed?

Microsoft releases updates on a monthly basis - usually on a Tuesday - and CSCS then do some testing before these are released to the wider estate. Updates will continue to be pushed on a monthly basis, except where there is a need to expedite an update - e.g. when Microsoft releases an update outside of the normal patching cycle to address a severe vulnerability that is currently being exploited.

Can I opt out?

We understand that there are certain situations where automatically installing updates & rebooting a device after 7 days is not desirable - e.g. Instrument Devices (where software needs to be tested by the supplier prior to updates), or machines where software may need to do a “long run” of more than 7 days (where a forced reboot after 7 days will cause interruptions). We are building into this change the ability for some exceptional cases to be exempt from it entirely.

We will only be allowing these exceptions for specific devices where the need to avoid this is greater than the need to secure our estate - as this change is to improve the security of all the devices on the CSCS network. We will not be allowing this for a user device where it is simply inconvenient - there must be a genuine need to avoid updates being installed automatically.

How do I opt out?

If you feel you do need devices to be excluded from this policy, please get in touch with CSCS by emailing servicedesk@medschl.cam.ac.uk, logging a ticket using our self-service ticketing system at https://itsupport.medschl.cam.ac.uk, or calling us on 01223 336261 - we will be happy to discuss the requirements with you and, if appropriate, add the device to an exclusion or delay group.