SCCM 2012 SP1 - Microsoft updates - Suppress reboots for logged on users

    Question

  • Hello,

    I have a question about deploying Microsoft Security Updates to workstations via SCCM 2012 SP1. Is there a way to deploy the MS updates to workstations and only suppress reboots for machines with users logged on or locked? There seem to be only two options for reboots: suppress them all or don't suppress them at all. We would like SCCM to reboot the machines that are logged off, but suppress the reboot for those that are logged on, while at the same time providing the user with a notification that their machine needs to be rebooted (at their convenience).

    We've tried applying the Domain GPO "No auto-restart with logged on users for scheduled automatic updates installations" (Enabled) and "Configure Automatic Updates" (Disabled), but the logged-on/locked machines still receive the restart countdown with no option to postpone or delay.

    This is a show stopper for us since we have an environment where we are absolutely not allowed to reboot a logged on machine.

    For a little background, we are coming from SMS 2003 and the Distribute Software Updates (ITMU) way of deploying MS Updates, where we could always set the program to run "Only when no user is logged on".

    Please tell me there is a way to achieve our desired result.

    Thanks,

    Dan 

    Tuesday, December 17, 2013 7:44 PM

Answers

  • Thanks for your suggestions. I appreciate it. I think as of now we have a game plan on how to proceed with the monthly Microsoft Updates. We are going to suppress all reboots, but allow notifications for computer restarts. We will adjust our other monthly packages (Adobe updates, Java, Firefox, etc.) to have Configuration Manager force a reboot for logged-off devices, which should take care of the restarts required by the pending MS updates.

    We typically prioritize deployments as follows: 

    1. MS Updates
    2. Adobe Updates
    3. Firefox and Java

    With that workflow, we will have at least 2 or 3 different packages that follow behind the MS Updates and force a reboot for logged-off machines. The remaining machines that are logged on will continue to receive the daily systray reminders for reboots, which will hopefully prompt the customer to reboot their devices at their convenience.

    • Marked as answer by Dizzle916 Wednesday, December 18, 2013 6:59 PM
    Wednesday, December 18, 2013 6:55 PM

All replies

  • Hmm, this is a tricky one, but this is what I would try to test.

    Deploy software updates and suppress reboot on all.

    Then, I would create a package with a command line, let's say "ipconfig", and deploy it an hour or two after the software update job runs, leaving all systems in a pending-reboot state.

    I would then select the "After running" option "Configuration Manager restarts computer", set the program to run only when no user is logged on, and deploy it to the same collection you deployed the updates to.

    This way, your package controls reboots with the ipconfig command, which does absolutely nothing to your system. It just executes a command so SCCM can proceed with the reboot. I hope this makes sense.


    Tuesday, December 17, 2013 7:57 PM
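    The workaround above uses a do-nothing command only so that the program's "After running" setting can trigger the restart. The script below is an added example (not code from the thread or from any of its participants) of what that program can run instead: it only asks for a restart when the Configuration Manager client itself reports one pending and no interactive session (logged on or locked) exists, and exits 0 otherwise so the deployment still records success. It assumes the program is deployed with "Run: Only when no user is logged on" and "After running: No action required", that the CM client treats exit code 3010 as "success, soft restart required" and restarts according to the deployment's restart settings (verify this on a test collection, as the thread suggests), and that writing a log under `%windir%\CCM\Logs` is acceptable; the script name, log path and the use of `query.exe` are my choices, not anything the thread specifies.

```powershell
<#
  Invoke-SafeRestart.ps1  (added example; assumed name)
  Command line for the CM 2012 package program:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File Invoke-SafeRestart.ps1
  Exit 3010 (CM soft-restart code) only when a restart is pending AND
  nobody is logged on or locked; exit 0 in every other case.
#>

# Assumed log location; any path the client can write to will do.
$Log = Join-Path $env:windir 'CCM\Logs\SafeRestart.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')  $Message" |
        Out-File -FilePath $Log -Append -Encoding ASCII
}

function Test-RebootPending {
    # Ask the CM client SDK first: it knows about restarts its own
    # software-update installs left pending, even when suppressed.
    try {
        $r = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' `
             -Class 'CCM_ClientUtilities' -Name 'DetermineIfRebootPending' `
             -ErrorAction Stop
        if ($r.RebootPending -or $r.IsHardRebootPending) { return $true }
    } catch {
        Write-Log "CM client SDK query failed: $($_.Exception.Message)"
    }
    # Fall back to the standard Windows pending-restart indicators.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
          -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-InteractiveUsers {
    $users = @()
    # Console user; this is still populated while the workstation is locked,
    # which is exactly the case the thread says must never be rebooted.
    $console = (Get-WmiObject -Class Win32_ComputerSystem).UserName
    if ($console) { $users += $console }
    # RDP and disconnected sessions still own a desktop, so count them too.
    # CM runs programs in a 32-bit context on x64, where query.exe is only
    # reachable through sysnative.
    $query = Join-Path $env:windir 'sysnative\query.exe'
    if (-not (Test-Path $query)) { $query = Join-Path $env:windir 'system32\query.exe' }
    $lines = & $query user 2>$null          # exit code 1 when nobody is logged on
    if ($LASTEXITCODE -eq 0 -and $lines) {
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            $name = ($line.Trim().TrimStart('>') -split '\s+')[0]
            if ($name -and ($users -notcontains $name)) { $users += $name }
        }
    }
    return ,$users
}

if (-not (Test-RebootPending)) {
    Write-Log 'No restart pending; nothing to do.'
    exit 0
}
$users = Get-InteractiveUsers
if ($users.Count -gt 0) {
    Write-Log "Restart pending but session(s) present ($($users -join ', ')); leaving it to the user."
    exit 0
}
Write-Log 'Restart pending and no interactive session; returning 3010 so the CM client restarts.'
exit 3010
```

    Because the decision is made on the client at run time, the same program can trail every deployment wave without its reboot deadline having to line up with each collection's maintenance window: a machine that got its updates the night before and is logged off restarts, a machine that is locked keeps the systray reminder, and a machine with nothing pending is untouched.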
  • Thanks for the suggestion, skywalker123. I was thinking that may be our only option, since we cannot reboot customers' machines that are in a logged-on/locked state. It would be very easy to "chain" that program if the MS Updates Deployment package were a "Package" or "Application", but since that is not the case, we may not have a choice. If we create a program that runs after the MS updates install, the deadline for the reboot program would need to occur at the very end of the maintenance window. I could see this working for the first group of machines (first night), but since we have a staggered deployment cycle, this may create a management nightmare in dealing with maintenance windows.

    Deployment scenario:  Deploy to 400 machines first night, 1,000 second night, 1,000 third night, and 1,500 fourth night

    Maintenance windows:  Monday - Friday (1-5am)

    I could see this having the potential for reboots occurring prior to receiving the MS Updates, which would leave us in the same situation we started out in.

    I have read about running a query to detect machines needing a reboot, then deploying to that group of machines with the "Only when no user is logged on" option. This option would still leave the machines that were logged off during the maintenance window receiving the systray restart notification for at least one day before we could inventory and deploy to the machines that need a reboot.

    Does anyone else have an environment similar to ours?  If so, what approach are you guys using?

    Thanks,
    Dan

    Tuesday, December 17, 2013 10:15 PM
  • So, totally side question then: why patch the systems at all? Many/most updates require a reboot but if you never force a reboot at some point, then you may as well not even patch them. To me, this is more of a short-sighted policy issue than a technical one. Either your organization wants patched systems or it doesn't; if it does, then there are certain things that must be done. I know that doesn't solve your immediate issue and may be outside of your control, but it's kind of like asking for a car without wheels.

    Jason | http://blog.configmgrftw.com

    Tuesday, December 17, 2013 10:22 PM
  • I hear what you are saying and totally understand where you're coming from. Unfortunately, our customers are used to the SMS 2003 way of patching "only when no users are logged on". We depend on our customers to log their devices off at least once a month in order to receive updates. This is the case for all of our deployments, whether they are MS updates, Adobe updates, Java, Firefox, in-house applications, etc.

    We work in an environment where we cannot afford to reboot a customer's machine and risk losing their unsaved data. That is the requirement, and we have to work around it.

    So from what I'm gathering, our only option may be to suppress all reboots, then follow up with a program that reboots machines (while they are logged off)?

    Tuesday, December 17, 2013 10:33 PM
  • I would not say the only option, but something I can think of as a workaround.

    There is no native way to do what you need in CM12.

    You could also package each update and send all of them as advertised packages, but that's an even bigger administrative nightmare.

    I see how this can be frustrating. You had an option in SMS 2003 and now you don't.

    As for maintenance windows: just set that package to reboot at exactly 4:59 am and select the option to ignore maintenance windows for software installation and reboots. If you have 4 collections, this is really not that big of a deal.

    If this does not work for you, there might be 3rd-party solutions that integrate with SCCM and introduce additional options. I'm not aware of anything that would do what you need, but I've seen options like rebooting systems prior to updating, etc., so it would not surprise me if there is something somewhere out there. You would have to do some research to find it.

    Wednesday, December 18, 2013 2:12 PM