One of the struggles that we have encountered with SCCM (System Center Configuration Manager) is ensuring that user computers stay up to date without interrupting their normal workflow. Servers are easy to keep up to date as they are always powered on, and we have maintenance windows set on a regular schedule so that they can reboot after updates are installed. User computers present additional challenges since in our environment they are mostly laptops that are taken home and are not powered on after hours. This means that we need to strike a balance between ensuring the computers are updated and respecting the user’s need to work uninterrupted.
Out of the box, SCCM gives us a few options when deploying updates. No option is clearly best, as each has pros and cons:
· Suppress restart: This allows the update to be downloaded and installed within the schedule specified, and for computers that are only on during the day to get the deployed updates. However, allowing installation of updates while the user is working can cause issues with strangely behaving software as it updates. Also, SCCM does not provide a way to ensure that the user reboots, which can lead to pending reboots and software that will not install until the pending reboot is cleared.
· Do not suppress restart (with maintenance window): This option is ideal for servers since you can specify a window and updates will only install and reboot the server within that window. This could work if the client computers were powered on overnight (or set for Wake-on-LAN). Laptops that are taken home do not work well with this option. There is also no option for the computer to catch up if it misses the maintenance window.
· Do not suppress restart (without maintenance window): While this would be the most effective way to keep the client computers up to date, you would be a very disliked coworker. For any updates requiring a restart, the computer would immediately restart without the reboot being easily cancelled. Use this option at your own risk.
As you can see there is not always a clear answer for which option is best. For our scenario, mostly laptops taken home, we tried the first two options.
1. We deployed the updates and suppressed reboot. While this was effective in getting the first round of updates installed, we found that many laptop users were not rebooting, but simply closing the lid of the laptop. We found many laptops that had not been rebooted in months. This led to computers that were far behind in updates and other deployed software that would not install due to a pending reboot flag.
2. Next, we tried to deploy without suppressing the reboot. We sent out a memo asking for laptops to be powered on during an evening maintenance window twice a month. In the perfect scenario this would have been effective, but it was not for us. Many users were not leaving their laptops on and connected, and updates began to lag behind.
Ok, so given that we tried the first two scenarios (and were not going to try the third) where did that leave us? Fortunately, I attended TechEd 2014 and had the pleasure of attending a few sessions with Kent Agerlund on SCCM. While all of TechEd was extremely informative, I came away with a wealth of knowledge on SCCM and Exchange that was very applicable to my daily job. This is one of those areas. Kent spoke of a tool that Coretech developed called Shutdown Tool (download link here). This tool creates a pop-up that forces a reboot of the computer after a given amount of time. The great part is that a user is allowed to postpone the reboot until the time period you give has elapsed. This gives us greater flexibility than SCCM, which will force the reboot whether the user is ready or not.
Using the Shutdown Tool we are able to suppress the update’s reboot, and ensure that the user reboots in a timely manner. This combination will ensure that the computer stays up to date without our constant intervention or relying on a user.
So how can we pitch to management the need to force users to reboot every week? Thankfully, SCCM already has the necessary information stored, although not in a canned report. I created a report, based on the following query, which displayed all the computers that had not rebooted within the last seven (7) days. I was able to show management that over 75% of our users were not rebooting on a weekly basis.
-- Computers running XP, Vista or Windows 7 whose last boot was more than 7 days ago
SELECT TOP (100) PERCENT dbo.v_R_System.Name0, dbo.v_GS_OPERATING_SYSTEM.LastBootUpTime0,
       DATEDIFF(Day, dbo.v_GS_OPERATING_SYSTEM.LastBootUpTime0, GETDATE()) AS [Days since last boot]
FROM dbo.v_GS_OPERATING_SYSTEM INNER JOIN dbo.v_R_System ON dbo.v_GS_OPERATING_SYSTEM.ResourceID = dbo.v_R_System.ResourceID
-- The OS filters are grouped in parentheses so the 7-day test applies to every OS, not only XP
WHERE (DATEDIFF(Day, dbo.v_GS_OPERATING_SYSTEM.LastBootUpTime0, GETDATE()) > 7)
  AND ((dbo.v_GS_OPERATING_SYSTEM.Caption0 LIKE '%xp%') OR (dbo.v_GS_OPERATING_SYSTEM.Caption0 LIKE '%Windows 7%') OR (dbo.v_GS_OPERATING_SYSTEM.Caption0 LIKE '%vista%'))
ORDER BY [Days since last boot]
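The same inventory data can also be summarized as a distribution, which gives the kind of percentage figure quoted to management above. This is an added example, not the author's report: it uses only the views and columns from the report query, and the bucket boundaries and column aliases are assumptions.

```sql
-- Added example: share of workstations by days since last reboot.
-- Views and columns are those used in the report query; buckets are assumed.
WITH boot_age AS (
    SELECT rs.ResourceID,
           DATEDIFF(Day, os.LastBootUpTime0, GETDATE()) AS DaysSinceBoot
    FROM dbo.v_GS_OPERATING_SYSTEM AS os
    INNER JOIN dbo.v_R_System AS rs
        ON os.ResourceID = rs.ResourceID
    WHERE os.LastBootUpTime0 IS NOT NULL          -- skip clients with no boot time reported
      AND (os.Caption0 LIKE '%xp%'
           OR os.Caption0 LIKE '%Windows 7%'
           OR os.Caption0 LIKE '%vista%')
),
bucketed AS (
    SELECT DaysSinceBoot,
           CASE
               WHEN DaysSinceBoot <= 7  THEN '0-7 days'
               WHEN DaysSinceBoot <= 30 THEN '8-30 days'
               WHEN DaysSinceBoot <= 90 THEN '31-90 days'
               ELSE 'over 90 days'
           END AS Bucket
    FROM boot_age
)
SELECT Bucket,
       COUNT(*) AS Computers,
       -- windowed SUM over the grouped counts gives the fleet total
       CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER () AS DECIMAL(5,1)) AS [Percent of fleet]
FROM bucketed
GROUP BY Bucket
ORDER BY MIN(DaysSinceBoot);                      -- buckets do not overlap, so this sorts them by age
```

LastBootUpTime0 is collected by hardware inventory, so each row is only as current as the client's last inventory report.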
In the end I believe we have found the option with the least compromises to our end users’ experience. Each situation is different, but between these options you should be able to find one that fits your users’ experience as well.