Mar 12 2020 11:32 AM
We’re in the process of switching patching policies away from our RMM product to group policies. While the patching seems to be working pretty effectively we’ve had mixed results in regards to reboot actions.
Ideally we'd like to be able to reboot at a fixed time but it doesn't look like this behavior can be controlled via GPO. We also would like to be able to manage this via single GPO for all workstations, whether 7 or 10 (and different 10 builds).
Target systems: workstations only; Windows 10 and Windows 7 for the most part. We also still have a large number of Windows 10 endpoints that are still running 1803 or below.
Business hours: 5am-11pm
Critical component: reboot actions – ideally rebooting ONLY outside of business hours automatically, but giving users the option to schedule it (and, more importantly, providing them visibility into when the endpoint is going to be rebooted), then, IF a deadline (a few days) has been reached, rebooting the endpoint to finish applying the patches.
Admin templates for 1909 are in place.
The biggest question at this stage is the behavior when several patches are older than the deferral period. Especially for feature updates.
As previously mentioned, we have a significant portion of endpoints still below 1803, which is well over the 365-day deferral we have set up for feature updates.
We’ve seen some users report their system simply rebooted w/o any warning (looking at the logs, it appears that feature updates were the culprit).
We tried to leverage the following GP components and are questioning the way they apply: