IT policy - enforced updating within 7days

The university information security policy and the departmental information security policy both stipulate that computers are "Configured to receive software updates from the manufacturer and other third parties, and updates are installed within one week of being released;"

Departmental windows computers are set to automatically check for windows updates at 3am every night, downloading and installing any updates required, but the computer will only reboot automatically if there is nobody signed-in using the computer.  Some equipment control computers are configured to only download updates at 3am, thus allowing people to choose when to install the updates so as not to interfere with any running experiments.

However many people leave themselves logged-in continuously which prevents the automatic reboots. Also some people ignore notifications about updates and reboots. 

In order to improve compliance with the requirement that updates are installed within one week of being released, departmental Windows computers connected to the Materials domain now also have a group policy that will enforce rebooting of any computer that has been pending reboot for 7 days after installation of an update.

The  proposed policy change was presented to Departmental Committee (DC145) before being approved. Initially the new policy was applied to 10% of computers to assess behaviour, before being rolled-out more widely. 

Computers with this policy will notify people as per this image after installing updates that require a reboot.

Update Policy Alert

In addition the Windows Updates settings page showing "Restart required" will now also say "Your organisation requires your device to restart by  XX/XX/XXXX".

Update Policy Alert

Further notifications will appear closer to the deadline, with the message changing accordingly e.g. "Your organisation requires your device to restart in 1 hour" (note the timings do not seem to be accurate...).  Ultimately there is a final warning to give users a chance to save their work before the computer reboots.

Update Policy Alert Final

Note that for equipment control computers that are already configured to only download updates at 3am, thus allowing users to choose when to install the updates so as not to interfere with any running experiments, the 7 day timer only starts when the update is installed.