Many times I have been at a user’s computer and have seen the notification that the computer needs to reboot to apply updates and many times the user procrastinates for months. Are your users not rebooting to allow patches to install? Sometimes it makes sense to take that option away. This is a PowerShell script that checks the WSUS database and reboots machines in a given target group with a given amount of patches pending.
Configuration is simple; just edit the values in the script and run it with an account that has administrative access to the computers. $WSUSTargetGroup is the computer group name in WSUS, $WSUSServer is the computer name of the WSUS server, and finally $UnpatchedForceCount is the number of updates outstanding before the script will force a reboot.
Just download the script, edit the configuration and set it up as a scheduled task (suggested time would be overnight on the weekend so Amy in accounting doesn’t loose all that Excel data she has been working on).