Patch Management Group

  • 1.  Schedule patch only when user logged out

    Trusted Advisor
    Posted Jan 15, 2016 07:24 AM

    I have a VIP user that last month and this month, when Adobe Reader DC tries to patch, it freezes his machine.  The mouse can move but no keyboard actions work and he has to power off to do anything.  The computer patched Adobe Reader DC fine for ~5 months before this started.

    So far, I can't reproduce it and no one else reports the problem.  In any case, it is a VIP user and I can't keep freezing his machine nor expect him to patch manually.  He does have a unique set of software on the machine.  Reimage probably isn't going to happen and even if it does, he will need to reload his special set of tools that may be causing the problem.

    As I continue to pore through event logs on his machine when I can get access to it to try to figure out what could cause this, I was thinking I could set the patch to install only when no one is logged in.  I am not seeing that as an option with a patch policy.  Am I missing it?

    I really don't want to build a separate managed software policy each month for Adobe Reader just to have the option to 'install only when no one is logged in.'

    Any other ideas?



  • 2.  RE: Schedule patch only when user logged out

    Posted Jan 17, 2016 01:34 PM

    There is an option under Remediation, where you can select for installation to occur only if a user is logged out.  See attached screenshot.



  • 3.  RE: Schedule patch only when user logged out

    Trusted Advisor
    Posted Jan 17, 2016 02:09 PM

    Thanks. I was hoping to just do it for Adobe Reader DC patches.  Very few of our users log out so if I did this for all patches, I'd be in trouble.



  • 4.  RE: Schedule patch only when user logged out

    Posted Jan 17, 2016 02:43 PM

    Sure, makes sense.  Hmm..

    One approach would be to 1) keep the above Remediation option normal until you're ready to deploy the Adobe Reader DC patches, 2) change Remediation to "only when logged out", 3) create the software update policy for ARDC, then 4) change Remediation back (and don't modify existing policies). 

    Of course it might end up being easier to do all this via a Managed Software Delivery, though you said you hoped not to. People do like the granular control of the MSD approach for this type of patching weirdness, which doesn't crop up that often but is complicated to deal with.

    Another approach you might consider:  you could schedule a task to log off the VIP user prior to the software update cycle running.  If there's a chance this user would agree to a particular time for updates -- having had such problems recently, maybe he will? -- that might be your answer.  The power control - logoff task could push from the NS as a normal Task, or kick off locally like a policy (via "Client Task Schedule" on the Tasks page) depending on how reliably that machine is connected to your network.  You could even apply a Maintenance Window policy to his machine, to enforce that the logoff and the updates wouldn't happen outside of specified times.

    Other folks may have other suggestions.  These were what I could think of.  Please let us know what ends up working for you!