Learn more about configuring reboot settings for Windows, Linux, and Mac deployment jobs.
You might have patches in your job that require a system reboot after they are installed. For Windows Rollback jobs, a system reboot is also required after the patches are rolled back.
You can configure a job to either suppress a reboot indefinitely or defer it X times by a duration of Y each time, where X and Y are configurable. To configure these options, go to the Options tab in the Create/Edit a Job wizard.
- Reboot Settings for Windows and Linux Deployment Jobs
- Reboot Settings for Mac Deployment Jobs
When you create the deployment job, the Reboot messages section is available from the Options step. In this step, you can:
- Suppress a reboot
- Defer a reboot and show the countdown after the deferment limit is reached
Options step in Windows Deployment job:
Options step in Linux Deployment job:
The Suppress Reboot option allows you to patch systems in advance and defer the reboot until the maintenance window. To enable this option, go to the Create/Edit a Job wizard, navigate to the “Options” tab, and enable “Suppress Reboot” in the “Reboot messages” section. You can suppress the reboot indefinitely, as may be required for Server class Windows machines. Although this option is recommended for Server class assets only, it can be used for non-server assets too.
Microsoft claims that a system is in a “Volatile” state after upgrades are carried out and before the necessary reboots.
Volatile systems may display undesirable and unpredictable behavior or side effects. That is why we recommend keeping the time interval between patching your assets and rebooting them as short as possible. Exercise personal judgment before activating this option.
A patch that is marked as “Reboot required” is NOT completely applied until the reboot actually happens after the job is run.
For Windows jobs, the "Suppress Reboot" option should be used with caution because it blocks all subsequent jobs until the reboot happens and the job can be marked as complete. Such a job is also reported as "Pending Reboot" until the manual reboot is applied.
For Linux jobs, the "Suppress Reboot" option does NOT block subsequent jobs, but such a job and all subsequently executed jobs are also reported as "Pending Reboot" until the manual reboot is applied.
Note: Patches that depend on other “Reboot required” patches are, in some cases, as good as NOT applied if the reboot is suppressed.
Note: This option is available for Windows only.
Reboot is an option at the level of a job, not per patch. If no user is logged in, the reboot starts immediately after the patch deployment completes. The need for a reboot is determined at the job level, based on the patches in the job. A user can override the auto-reboot of a job by manually rebooting the system before the scheduled reboot time. If multiple patches require a reboot, deployment of all patches must be completed or attempted before the reboot can be applied. Some patches initially indicate “Reboot required” but may actually NOT require it, based on the context or state of the system. In such cases, the reboot prompts are suppressed automatically as Not Applicable.
You can configure Reboot Request to defer a reboot for a duration between 1 minute and 1440 minutes (24 hours). You can defer a reboot between 1 – 9 times, for a period of 1 – 1440 minutes each time.
The recommended reboot configurations are as follows:
- Defer reboot by 1 – 15 minutes for 1 – 5 times for urgent rollout of critical patches.
- Defer reboot by 1 hour for 9 – 12 times. This allows you to defer for a maximum of 1 working day. A 1-hour interval allows more granular control but interrupts the user too frequently. Deferments of 2 – 4 hours for 3 – 6 times can also help achieve the same. The best choice depends on the organizational context.
- Defer reboot by 8 hours for 3 times. This allows you to defer the reboot for a maximum of 1 working day at 8-hour intervals.
- Defer reboot by 24 hours for 2 – 7 times. This allows you to defer until the end of the working week or calendar week.
Deferring beyond a week is NOT recommended. If, for any reason, you need to defer a reboot beyond a week, we recommend using the Suppress Reboot option.
We recommend enabling the “Reboot Countdown” whenever the reboot is NOT suppressed. For Windows jobs, the Reboot Countdown is enabled by default and the default time is set to 15 minutes. On Linux, the Reboot Countdown is disabled by default. If you enable it, the default time is set to 15 minutes. However, you can reduce it to 1 minute or increase it to a maximum of 24 hours.
If the deferment limit is set in the Reboot Request, setting this option shows a countdown message to users after the deferment limit is reached. It gives an explicit indication of the time remaining before a reboot, so that the end user is not surprised by a sudden reboot. The reboot countdown can be configured to show the countdown message for a minimum of 1 minute and a maximum of 24 hours (1440 minutes) before the reboot. We recommend you set the reboot countdown to 15 minutes for your assets.
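As an added example (not the product's own code and not part of the original page), the following Python check lints a proposed reboot policy against the limits and recommendations stated above and computes an upper bound on how long a patched host can remain without a reboot. The `RebootPolicy` field names are hypothetical, and the bound assumes every deferral is used in full.

```python
from dataclasses import dataclass

MAX_MINUTES = 1440           # page: 1 to 1440 minutes per deferral or countdown
MAX_DEFERRALS = 9            # page: 1 to 9 deferrals
WEEK_MINUTES = 7 * 24 * 60   # page: deferring beyond a week is not recommended


@dataclass
class RebootPolicy:          # hypothetical field names, not the product's schema
    suppress: bool = False
    defer_minutes: int = 0   # 0 with defer_count 0 = no deferral offered
    defer_count: int = 0
    countdown_minutes: int = 0   # 0 = countdown disabled


def worst_case_minutes(p):
    """Upper bound on patched-but-not-rebooted time; None when unbounded."""
    if p.suppress:
        return None
    return p.defer_minutes * p.defer_count + p.countdown_minutes


def lint(p):
    """Return findings for settings outside the limits and advice on the page."""
    if p.suppress:
        return ["suppressed: stays Pending Reboot until a manual reboot"]
    findings = []
    if p.defer_minutes or p.defer_count:
        if not 1 <= p.defer_minutes <= MAX_MINUTES:
            findings.append("defer interval outside 1-1440 minutes")
        if not 1 <= p.defer_count <= MAX_DEFERRALS:
            findings.append("defer count outside 1-9")
    if p.countdown_minutes == 0:
        findings.append("countdown disabled while reboot is not suppressed")
    elif not 1 <= p.countdown_minutes <= MAX_MINUTES:
        findings.append("countdown outside 1-1440 minutes")
    if p.defer_minutes * p.defer_count > WEEK_MINUTES:
        findings.append("deferral exceeds one week; use Suppress Reboot")
    return findings


# Constructed sample policies (not taken from a real job)
URGENT = RebootPolicy(defer_minutes=15, defer_count=5, countdown_minutes=15)
LONG = RebootPolicy(defer_minutes=1440, defer_count=8, countdown_minutes=0)

if __name__ == "__main__":
    for name, pol in (("urgent", URGENT), ("long", LONG)):
        print(name, worst_case_minutes(pol), lint(pol))
```
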
Before going ahead with configuring the Mac deployment options, ensure that the user notification is enabled.
When you create the deployment job, the Reboot messages section is available from the Options step. In this step, you can configure the following deployment messages:
- Pre-Deployment
- MacOS Patching Countdown
- Deployment in progress
- Deployment Complete
Note: The MacOS deployment messages are compatible with Mac agent binary version 4.30.0 and later for Intel and 4.40.0 and later for ARM. Users with the Patch Manager and the Patch User roles can then configure the MacOS deployment messages during the Mac Job creation.
By default, the toggles next to every deployment message are set to OFF.
Refer to the following screen capture that shows the pre-configured messages:
If you don't have the Mac agent binary version 4.30.0 and later for Intel and 4.40.0 and later for ARM, the reboot behavior for MacOS Security Patches is as follows:
- If the job includes the MacOS security patches that need a reboot, the reboot happens after every MacOS security patch, and the job execution resumes after every reboot.
- When the MacOS security patching starts, the following message is shown:
You need to click Install to start patching.
Note: When you close this pop-up message, it is shown again every 30 minutes. If no patching window is configured, the pop-up message expires after 24 hours.
- After you click Install, the following message is shown:
Make sure that you save your work. If you close this pop-up message while the patching process is in progress, it is shown again every 5 minutes. When the patching process is completed, the system reboots without showing any other message.
Note: The patching process does not take a fixed amount of time. It might vary from 15 minutes to an hour or even more than that.