One of the most requested ideas for ZENworks Patch Management is the ability to apply patches on Windows shutdown. While this functionality is not yet productized, there is a way to achieve it today. This solution shows you how to combine Windows Group Policy, Windows shutdown scripts and ZENworks Patch Management policies to apply patches when a device shuts down.
Create a Patch Policy
The first step of this process is to create a patch policy. You can find step-by-step instructions for this in the online documentation. For the purpose of this cool solution, I’m assuming that:
You have created and assigned one or more patch management policies
You have configured the Patch Policy Settings for the devices that will use this method to Default (Manually apply patches on the system using “zac pap”).
It is recommended that you configure the Patch Policy Pre-Install behavior so that patches are cached on a schedule in the background, before the shutdown script is active. That way, on shutdown the user only waits for the patches to apply, not for them to download. If you skip this step, shutdown will take longer.
Create a Windows Shutdown script to apply your patch management policies on shutdown
To deploy patches with ZENworks Patch Management on shutdown, it is recommended that you use a shutdown script that executes the ‘zac patch-apply-policy’ command. Depending on the version of Windows you are running, the shutdown script can be a batch file, a Windows Scripting Host (WSH) script, or a PowerShell script. I prefer PowerShell, and it is a really easy script that looks like this:
You can change the log directory by changing the value in the set-variable line. The script applies the patch policy on shutdown, displays the output of the zac command to the user in the script window, and also writes it to the c:\zacpap.log file, so that you can review what happened on shutdown later.
Save the file to a .ps1 file of your choice or use the zacpap script attached to this solution.
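The following is an added example of such a shutdown script, written for this page; it is not the zacpap script attached to the original solution. It assumes the ZENworks agent is installed and zac.exe is on the PATH, and it keeps the same log location (c:\zacpap.log) described above.

```powershell
# Added example of a ZENworks patch-on-shutdown script (not the author's attached zacpap.ps1).
# Assumption: the ZENworks agent is installed and zac.exe is resolvable on the PATH.
Set-Variable -Name logdir -Value 'C:\' -Option ReadOnly
$logfile = Join-Path $logdir 'zacpap.log'

"==== $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') patch-on-shutdown run started ====" |
    Out-File -FilePath $logfile -Append

# Bail out (and record why) if the agent command is not available on this device.
if (-not (Get-Command zac -ErrorAction SilentlyContinue)) {
    'zac.exe not found; is the ZENworks agent installed?' | Out-File -FilePath $logfile -Append
    exit 1
}

# Tee-Object shows the zac output in the script window (visible only when the GPO setting
# "Display instructions in shutdown scripts as they run" is enabled) and appends it to the
# log file so it can be reviewed after the next boot.
& zac patch-apply-policy 2>&1 | Tee-Object -FilePath $logfile -Append

"==== finished with exit code $LASTEXITCODE ====" | Out-File -FilePath $logfile -Append
exit $LASTEXITCODE
```

The script is fully non-interactive, which is required for a shutdown script: any prompt would block the shutdown.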
Create a Group Policy that configures shutdown script behavior
Windows Group Policy provides several settings that control the behavior of shutdown scripts. For patching on shutdown to work, you must at the very least change the script timeout to unlimited, because applying patches can take a long time depending on how many patches are configured to apply. Additionally, you will probably want to configure the script to run in a way that lets the user see what is happening on shutdown. Finally, you will need to configure the script to run on shutdown, and you may want to include the script as part of the Group Policy.
To configure Group Policy to apply the patch policy on shutdown, configure the following settings in your Group Policy (either via ZENworks Group Policies or Active Directory-based Group Policies):
Computer Configuration > Administrative Templates > System > Scripts > Specify maximum wait time for Group Policy scripts. This should be enabled and set to 0, indicating an infinite wait time, as patch policies can take a long time to apply depending on how many patches are missing.
Computer Configuration > Administrative Templates > System > Scripts > Display instructions in shutdown scripts as they run. This causes the script to be displayed while it is executing so that users can see what’s happening.
Computer Configuration > Windows Settings > Scripts > Shutdown. If you are using PowerShell, then on the PowerShell Scripts tab add the path where you want to deploy the shutdown script to, or just the script name if you plan to deploy it as part of the Group Policy. Under “For this GPO, run scripts in the following order”, select “Run Windows PowerShell scripts first”. If you are using a Batch or WSF file configure it on the Scripts
(Optional) If you want the script distributed as part of the GPO so that it is always in place, click the Show Files button and copy your script file into the directory. The script is then saved with the Group Policy and distributed when the policy is applied.
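Before testing, it helps to confirm that the two Administrative Template settings above actually reached the device. The following pre-flight check is an added example, not part of the original solution; it assumes these two policies are backed by the registry values MaxGPOScriptWait and HideShutdownScripts under the Policies\System key.

```powershell
# Added pre-flight check (not from the original article): verifies the two Administrative
# Template settings that patch-on-shutdown depends on, as applied on the local device.
# Assumption: "Specify maximum wait time for Group Policy scripts" is stored as MaxGPOScriptWait
# (0 = infinite) and "Display instructions in shutdown scripts as they run" as HideShutdownScripts
# (0 = shown), both under the key below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$checks = @(
    @{ Name = 'Specify maximum wait time for Group Policy scripts = 0 (infinite)'
       Ok   = ($null -ne $props) -and ($props.MaxGPOScriptWait -eq 0) },
    @{ Name = 'Display instructions in shutdown scripts as they run = enabled'
       Ok   = ($null -ne $props) -and ($props.HideShutdownScripts -eq 0) }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK     ' } else { 'MISSING' }
    Write-Output ('[{0}] {1}' -f $state, $c.Name)
}

if ($checks | Where-Object { -not $_.Ok }) {
    Write-Warning 'Refresh the device (gpupdate /force) or fix the GPO before testing patch-on-shutdown.'
}
```

A MISSING result with the default 600-second script timeout means a long patch run would be cut off mid-apply, so resolve it before assigning the GPO to more devices.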
In my environment, I don’t use the Group Policy to deploy the script; instead I use bundles to distribute the script. This allows me to schedule the script to be installed on the 15th of each month. Then I use another bundle to delete the script on the 25th of each month. This means that for those 10 days the user sees slightly slower shutdown times, but the rest of the month they don’t. During those 10 days, if the machine is fully patched there will be a slight delay in shutdown while it verifies the patches are applied, but not the longer delay that would occur if patches are missing. The one gotcha is that if the user is gone for that ten-day period, then they may not apply their patches.
Typically, I also create a bundle that allows the user to manually execute the patch policy process on demand, so that if the user finds a good time to apply patches outside of the mandatory ten-day window they can do so. I use the patchwatcher tool that I explained in a previous cool solution to give users some indication of their progress. This means that if patches get applied in those first days, the shutdown script’s impact is minimized unless I add something to the patch policy.
Once you’ve created the Group Policy and any required bundles to distribute the script, you are ready to test. Assign the Group Policy and script deployment bundles to one or more test devices, then refresh the device to cause the Group Policy to apply and the script to be deployed (assuming that’s how you’ve scheduled things to run). Now shut down the machine. You should see the script window open showing the zac pap feedback, and once the policies have been applied the machine will shut down. When you boot back up, review the zacpap.log file to verify that all went as expected.
You can now deploy the Group Policy and script bundles to any devices on which you want to apply patch policies on shutdown.
Using the method described in this document you can deploy patch policies on shutdown, allowing devices to apply the patches your organization requires without impacting the end user’s normal operations. In theory, the same method could be used to run any bundle using other zac commands. It is important to note, however, that shutdown scripts must be fully automated: they cannot prompt the user and cannot display any output other than in the script execution window. I hope you find this useful in your environment.
A special thanks to Ashish and team for the hackfest idea that got the ball rolling on this one.