Dealing with reboot pending clients in Configuration Manager 2012

I guess most of you are struggling with troubleshooting software update compliance and installing applications in Configuration Manager 2012. What I have found is that clients in a reboot pending state are often the root cause of the problems. In previous posts I have described how you can use tools like Coretech Shutdown Utility to automatically restart computers that have been in a reboot pending state for X number of hours/days.

The information about the reboot pending state is stored in the WMI Root\ccm\ClientSDK namespace, as illustrated here with the Coretech WMI & PowerShell explorer:

image

Identify reboot state using PowerShell

Launch PowerShell ISE and type Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending

image

image

Notice RebootPending is True in the first example and False in the second example. Now let’s take the PowerShell command and turn it into a Compliance rule in Configuration Manager 2012.

Create the Compliance rule in Configuration Manager

  1. Launch the Configuration Manager console, navigate to the Assets and Compliance workspace, Compliance Settings, Configuration Items.
  2. Create a new Configuration Item, Select Windows and click Next.

    image

  3. Select all Operating systems, and click Next.
  4. On Settings, click New. In Setting type, select Script and in Data select Boolean.

    image

  5. On Discovery Script, click Add Script and type the following command:
  6. Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending | Select-Object -ExpandProperty "RebootPending" and click OK.

    image

  7. Select the Compliance Rule tab, and click New. Configure the following values to False and click OK.

    image

  8. Finish the wizard. Notice that I’m not creating a remediation script as I do not want to force a reboot.
  9. Create a new Baseline, and add the Reboot Pending Configuration Item.

    image

  10. Deploy the baseline to a device collection.
  11. Right click the baseline deployment, select Create New Collection, Non-compliant.

    image
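
The discovery script in the steps above asks only the Configuration Manager client. The following is an added example, not part of the original post, that keeps the same single Boolean output but also checks three Windows registry locations; those locations and the function names are assumptions introduced here.

```powershell
# Added example: discovery script for a Boolean Configuration Item setting.
# Emits exactly one value: True if any source reports a pending reboot.

function Test-CcmRebootPending {
    # Same WMI method call the article uses.
    $ccm = @{
        Namespace = 'ROOT\ccm\ClientSDK'
        Class     = 'CCM_ClientUtilities'
        Name      = 'DetermineIfRebootPending'
    }
    try {
        $r = Invoke-WmiMethod @ccm -ErrorAction Stop
        return [bool]($r.RebootPending -or $r.IsHardRebootPending)
    } catch {
        # Client SDK namespace missing or not answering: report no CCM reboot.
        return $false
    }
}

function Test-OsRebootPending {
    # Assumption (not from the article): Windows servicing and Windows Update
    # mark a required restart by creating these registry keys.
    $cv   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $keys = @(
        "$cv\Component Based Servicing\RebootPending",
        "$cv\WindowsUpdate\Auto Update\RebootRequired"
    )
    foreach ($k in $keys) {
        if (Test-Path -Path $k) { return $true }
    }
    # Pending file renames are a multi-string value under Session Manager.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

# The compliance rule from the steps above still expects False for a compliant client.
$pending = (Test-CcmRebootPending) -or (Test-OsRebootPending)
Write-Output $pending
```

PendingFileRenameOperations is also populated by routine installer and antivirus activity, so drop that check if it marks too many machines as non-compliant.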


Comments (13):

  1. Thank you for the great post. It helped me a lot. Kindly post the remediation script as well to reboot the non-compliant PCs.

    Thanks in advance and my best regards

  2. Paul Murray says:

    I set this up step by step and get the following error

    Error Code – 0x87d00327
    Error Description – Script is not signed CCM

  3. Kent Agerlund says:

    That’s the PowerShell execution policy. Administration workspace/Client Settings, Computer Agent – configure the PowerShell execution policy to bypass

  4. Paul Murray says:

    I set this up step by step and get the following error.

    Error Code – 0x87d00327

    Error Description – Script is not signed

    Thanks

  5. Ryan says:

    23rd Oct 2014 at 20:50

    That’s the PowerShell execution policy. Administration workspace/Client Settings, Computer Agent – configure the PowerShell execution policy to bypass

  6. Nick says:

    Kent, works great despite that we have a GPO set to RemoteSigned and that policy will override Client settings, right? Do you know how to include like set-executionpolicy -Bypass in the script above?

  7. Nick says:

    Kent, great article .. works great despite that we have a GPO set to RemoteSigned and that policy will override Client settings, right? Do you know how to include like set-executionpolicy -Bypass in the script above?

  8. Nick says:

    Another thing I've noticed is that we tried to run the commands on several servers that we know were in reboot pending (in Server Manager 2008) and the script only checks rebootpending from ccm. We got False when it actually needs a reboot.

  9. Topsporter says:

    Very nice! I struggled half a day on this blog http://tinyurl.com/lae6odm without results. Your instructions are thorough and easy to follow. Thanks a bunch! By the way, luv your presentation in SCU 2014 in Switzerland.

  10. Syed Rizvi says:

    # Switch the execution policy to Unrestricted if it is set to anything else
    $Policy = "Unrestricted"
    If ((Get-ExecutionPolicy) -ne $Policy) {
        Write-Host "Script Execution is disabled. Enabling it now"
        Set-ExecutionPolicy $Policy -Force
        Write-Host "Please Re-Run this script"
        Exit
    }

    If you want to remote sign..

    • Ted Wagner says:

      I’m not sure this is possible. If the default value of the signing policy is “restricted”, then you can’t run the script in the first place. It’s a bit of a catch-22. Here’s an important bit. The default Client Setting in Configuration Manager 2012 SP1 is only to allow “All Signed” PowerShell scripts to execute.

      I would read the following post to learn more about signing and recommend you sign any scripts you use in SCCM. Managing the renewal of those signed certs would be a challenge, but just track where you use scripts in SCCM using a SharePoint list or a spreadsheet making sure to include the location, versions, when signed, when expires, etc.

      http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/
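
The thread above turns on the "Script is not signed" error and the advice to sign scripts and track certificate expiry. The following is an added example, not code from the post or its commenters, that signs a discovery script and reports when the signing certificate expires; the file name is hypothetical and the timestamp URL is left empty as a placeholder for your own CA's service.

```powershell
# Added example: sign a discovery script and report the signature's expiry.
param(
    [string]$ScriptPath   = '.\Get-RebootPending.ps1',  # hypothetical file name
    [string]$TimestampUrl = ''                          # placeholder: your CA's timestamp service
)

# Pick the currently valid code-signing certificate that expires last.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid code-signing certificate found in Cert:\CurrentUser\My.'
}

# Sign the file; add a timestamp only when a service URL was supplied, so the
# signature stays verifiable after the certificate itself has expired.
$signArgs = @{ FilePath = $ScriptPath; Certificate = $cert }
if ($TimestampUrl) { $signArgs['TimestampServer'] = $TimestampUrl }
$null = Set-AuthenticodeSignature @signArgs

# Verify the result before the script goes anywhere near a Configuration Item.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# One record per signed script, suitable for the tracking list suggested above.
New-Object PSObject -Property @{
    Script     = (Resolve-Path -Path $ScriptPath).Path
    Thumbprint = $sig.SignerCertificate.Thumbprint
    SignedOn   = $now
    CertExpiry = $sig.SignerCertificate.NotAfter
    DaysLeft   = [int]($sig.SignerCertificate.NotAfter - $now).TotalDays
}
```

Clients enforcing All Signed also need the signing certificate in their Trusted Publishers store and must trust its issuing CA.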

  11. Chris says:

    What do you recommend for how often the baseline should run?
    How do you report on this compliance setting?

  12. Mark says:

    Any idea why a soft reboot pending does not populate the deadline field? If Patches are installed in the advertisement period prior to the deadline, Pending reboot becomes True, IsHardrebootPending becomes false, and the Deadline shows 12/31/1969. In this scenario SCCM still places a reboot icon in the system tray, the reboot window has an actual deadline date, but because it is not a hard reboot, the snooze option is available. I have been scouring the net trying to figure out where this date is coming from. Anyone know? It seems crazy to me that a soft reboot deadline date is not stored in the same place as a hard reboot deadline.
