Patch Management Solution

  • 1.  Patch Management Reboot Deferral

    Posted Sep 03, 2015 05:55 AM

    Hi All

    Recently many of my users have complained that they are receiving multiple restart prompts during our monthly patch release when there are several patches to install.  They reboot the computer when prompted, then state that they are prompted again and have to restart up to 2 more times. Sometimes they state that the reboot deferral of 24 hours we have set is not present, and they have to reboot immediately.

    I checked our configuration and we have "Allow restart after installation: At end of software update cycle" selected, and we only have "allow user to defer = 1 days" set under notification settings.  Each of the patches is set to run ASAP, but we do not set the "Allow immediate restart if required".

    On our test computers, we always receive the monthly patches in one cycle and we only get one reboot prompt, so we are unable to replicate the issue.

    I assume that this problem is occurring because patches are not being downloaded and installed in a single cycle. Why would that be the case?
    I also notice that we have set "Reinstallation attempts after task failure = 3". Could this be the cause of multiple restart prompts?

    Many Thanks

     



  • 2.  RE: Patch Management Reboot Deferral

    Trusted Advisor
    Posted Sep 04, 2015 09:45 AM

    Are you sure that you don't have multiple agent policies applying to these groups? 

    And yes, even on failure the patch agent will prompt to reboot the computer.



  • 3.  RE: Patch Management Reboot Deferral

    Posted Sep 04, 2015 02:42 PM

    In the Microsoft August Patch release we observed that some of the patches in this cycle were not installed all together. 

    Our configuration is a little less aggressive in that we do not force reboots at the end of a software cycle, we do a scheduled reboot on the computers if necessary and set a 6 hour notification for restart for our mobile devices. 

    Back to August patches.

    MS15-079 needed to be installed before MS15-093 became applicable.

    MS15-080 appeared to require several restarts of computers before being installed completely.  Could not nail down the why with this one but without it installed, several external noted sites would crash IE 11 until this patch was installed so we suspected that others contained in the set were needed before this one would complete successfully.

    In our case, this basically means that each night a subset of the released patches was getting done and it was taking 3 - 4 days for the full set to be completed.

    Hope this helps - It really sounds like in your case this would have caused the 2-3 restarts for the complete set and supports our observation of this patch set in our environment.

     



  • 4.  RE: Patch Management Reboot Deferral

    Posted Sep 07, 2015 11:28 AM

    Many thanks for your reply, particularly with your experience with MS15-080.

    I think that in our environment, when we prompt users to restart at the end of the patch cycle, users can choose to reboot ASAP, thus missing the next scheduled patch assessment scan.  They only get the subsequent patches as part of a new patch cycle after the reboot that then prompts them to reboot again. 

    For those users who defer the original reboot, they get an assessment scan and then get the subsequent patch installs.  I believe they may be potentially prompted again to reboot (ignoring the first cycle's deferral), but they only have to restart once!



  • 5.  RE: Patch Management Reboot Deferral

    Posted Oct 21, 2015 09:14 PM

    I believe MS15-079 consisted of 2 IE9 patches, one requiring the other.  This may be why it was required prior to 93.

     

    MS15-080 consisted of numerous patches, one of which was revised a week after initial release.  So if you patched once, you may still need to patch for it again.