Should you force a reboot after pushing out Windows updates

Tags: group-policy, windows-update, wsus

I'm finding that most users ignore the "There are updates ready to be installed, click here to install" message that WSUS pushes out. Until now we haven't forced the install but I'm thinking about changing the group policy to enforce updates nightly. This will sometimes require a reboot which I want to enforce through GP as well.

I know there will be push-back from the users but am wondering if this is defendable best practice. It seems like the right thing to do to ensure PCs are up to date and secure.

Best Answer

I would just like to get on my auto-reboot soapbox for a second: it's been my experience that automatically forcing a reboot is generally a bad idea.

We system admins often have somewhat of a complex about making sure the latest patch has been applied the second it's installed because OMG until then the system is unpatched. However, you must realize that system admins at least theoretically are there to enable the people who use the system to do their work.

If you automatically reboot once a patch is installed, and, say, the workstation's system clock has been reset, thinking it's 2 AM, and some poor Dilbert loses work, you've made a huge gaffe. In my opinion, it's a much bigger gaffe than having a temporarily unpatched system on the network.

In my experience, having some sort of un-dismissable message telling the user to reboot is usually a better idea. Let them finish their work and reboot over lunch, or ask them to shut down their workstation at night, or something that fits into your organization nicely.

That being said, when I helped to administer 12 computer labs in a college, we had defined downtime when we knew for certain that nobody was going to be using any of the machines because the doors were locked. That is a situation in which auto-rebooting is surely OK; it's just the autonomous forced automatic work stoppage that irks me.
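As an added example (not code from the question or the answer above), a PowerShell audit of the Automatic Updates policy the question is about: it reads the WSUS client policy values that Group Policy writes, reports whether installs are scheduled and unattended, and flags the case the answer warns against, a forced restart while someone is logged on. It assumes an elevated session on a domain-joined Windows client with the standard WindowsUpdate policy registry keys.

```powershell
# Added example: audit the effective Automatic Updates (WSUS) policy on this workstation.
# Assumes the standard policy registry locations written by the Windows Update GPO settings.
$auPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Presence of this key means Windows Update is currently waiting for a restart.
$pending = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Get-PolicyValue($path, $name) {
    # Returns the named registry value, or $null when the key or value is absent.
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties[$name]) { return $item.$name }
    }
    return $null
}

$auOptions = Get-PolicyValue $auPath 'AUOptions'            # 2 notify, 3 download, 4 scheduled install, 5 local choice
$day       = Get-PolicyValue $auPath 'ScheduledInstallDay'  # 0 = every day, 1..7 = Sunday..Saturday
$hour      = Get-PolicyValue $auPath 'ScheduledInstallTime' # 0..23, local time
$noReboot  = Get-PolicyValue $auPath 'NoAutoRebootWithLoggedOnUsers'
$wuServer  = Get-PolicyValue $wuPath 'WUServer'

$report = [ordered]@{
    WsusServer            = if ($wuServer) { $wuServer } else { '(not set; client uses Microsoft Update)' }
    AUOptions             = $auOptions
    UnattendedInstall     = ($auOptions -eq 4)
    Schedule              = if ($auOptions -eq 4) { "day=$day hour=$hour" } else { 'n/a' }
    # Only a value of 1 suppresses the automatic restart when a user is logged on.
    ForcedRebootWithUsers = ($auOptions -eq 4 -and $noReboot -ne 1)
    RebootPending         = (Test-Path $pending)
}
[pscustomobject]$report | Format-List

if ($report.ForcedRebootWithUsers) {
    Write-Warning 'Scheduled installs will restart the machine even with a logged-on user; set NoAutoRebootWithLoggedOnUsers=1 to prompt the user instead.'
}
```

Run it on a few representative workstations after a Group Policy refresh to confirm the GPO actually produces the combination you intended (nightly install, prompt rather than force when someone is logged on).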