ZENworks Patch Management: Forcing a patch-required reboot on user logout
Recently, a customer requested a way to force a patch-required reboot when a user logs out. The customer's machines don't ever shut down, instead remaining powered on as different users log in and out of them. He wanted a way to suppress patch-required reboots during the user session and then have a reboot occur when the user logged out. While the Reboot Behavior options currently support the suppressing of patch reboots during the user session, the options don't allow for forcing a reboot on user logout only, although the ability has been requested in the Ideas portal and you can vote on it here.
To help this customer, Chris Seiler, one of our ZENworks engineering architects, came up with an approach that uses a ZENworks Configuration Management bundle to flag when a reboot is required after a Patch policy is applied, then uses another bundle to initiate a reboot after logout if that flag is present. Here's how to implement that approach:
- Make sure the Patch Policy Reboot Behavior (ZCC > Configuration > Management Zone Settings > Patch Management > Patch Policy Settings) is set to Disabled so that no reboot or reboot prompts occur.
- Create a bundle that writes a file to disk. This file is the "flag" that will initiate a reboot on user logout:
- First, create a simple text file and name it "Reboot Required.txt". It doesn't need to include any text.
- Create a Windows "Install File(s)" bundle. I named mine "Install Reboot File".
- When creating the bundle, upload the "Reboot Required.txt" file, set the Destination Directory to "c:\" (or another location if you prefer), and set the Copy Option to "Copy If Does Not Exist".
- After creating the bundle, assign it to all of the devices that you want rebooted. I simply assigned my bundle to the Windows 10 Workstations dynamic group so it would apply to all of my Windows 10 workstations.
- Publish the bundle.
- Create another bundle that initiates a reboot of the device after a user logs out:
- Create a Windows "Empty Bundle". I named mine "Initiate Reboot."
- After creating the bundle, add a "File Exists" system requirement and specify "c:\Reboot Required.txt" as the file (if you used a different name or path, use that name and path).
- Add a "File Removal" Launch action that removes the "c:\Reboot Required.txt" file. Run the action as System. This causes the file to be removed when the user initiates a log out, which is needed in order to reset the process for the next time a Patch policy is applied.
- Add a "Reboot/Shutdown" Launch action and set the "Time to wait before Reboot/Shutdown" to 0 (zero) seconds so that it happens immediately after logout.
- Assign the bundle to the same devices as the "Install Reboot File" bundle. When doing so, deselect all of the "Shortcut Locations" so that it is not displayed to the user. Configure a Launch Schedule with a Schedule Type of Event = "User Logout".
- Publish the bundle
- Edit each Patch policy to add a "Launch Bundle" Post-Enforcement action that launches the "Install Reboot File" bundle. Republish the policies after editing them. IMPORTANT: Make sure to do this in ALL policies.
- On an assigned device, do a refresh. In the Z-icon bundles list you should see the Patch policy bundles, the "Install Reboot File" bundle, and the "Initiate Reboot" bundle. If not, check the assignments on the Patch policy and two bundles.
- To test, use "zac pap" at the command line to apply the Patch policies.
When a Patch policy runs on a device, the following will happen:
- Patches included in the policy will be installed.
- The "Install Reboot File" bundle will be launched at the end of the policy and the "Reboot Required.txt" file will be copied to the device if it does not already exist. This is the "flag" that indicates a reboot is required.
- When the user logs out, the "Initiate Reboot" bundle is launched. If the "Reboot Required.txt" file exists, the bundle instructs the device to reboot after logout. The bundle also deletes the "Reboot Required.txt" file. This ensures that a reboot doesn't happen every logout - only those logouts after which a Patch policy has been applied.
- After the logout, the reboot happens.