This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"Restart needed for updates to take effect (0x000006d)"

We are seeing this error on 260 devices (increasing) on our network

Enterprise console 5.5.0

Has Sophos pumped out an update to cause this or is there some other reason ?

I have checked my own PC (Which is included in the ones at "error") and see absolutely no problem with my Sophos installation...

What is going on here ?



This thread was automatically locked due to age.
Parents
  • Hello Weeboo,

    10.8.1 would require a reboot (though I'd be surprised if they were already rolling it out). I'm not aware of any other reason for this status. What is the SAV version displayed (in the console or locally)?

    Christian

  • 10.8 by the looks of it !!

    Not 10.8.1 yet

  • We are down to 164 PC's today - showing the same error - after being switched off overnight

    I have selected ALL and "protected them" - a good hour ago and all are STILL showing a yellow cross on them on the console !!

    Something is up - but what is it ?

    And most importantly - are we protected ?

  • Hello Weeboo,

    a yellow cross - you mean the triangle  in the Alerts and errors column?
    If a previous update resulted in the warning Protect won't change the status, this warning is always issued after an install when there are certain new components or upgraded versions of them. Even if the Installer is repeatedly run it will detect that "old" components are still in use. In rare cases (but more than 100 doesn't count as rare) the VolatileFlags key isn't removed.
    Please note that Windows 8/10 computers with Fast Startup enabled don't actually reboot with a shutdown/start sequence.

    are we protected
    as said, yes - with the restriction that some components (e.g. HitmanPro.Alert) are not (fully) active after an initial install.

    Christian

  •  

    QC said:

    Hello Weeboo,

    a yellow cross - you mean the triangle  in the Alerts and errors column?
    If a previous update resulted in the warning Protect won't change the status, this warning is always issued after an install when there are certain new components or upgraded versions of them. Even if the Installer is repeatedly run it will detect that "old" components are still in use. In rare cases (but more than 100 doesn't count as rare) the VolatileFlags key isn't removed.
    Please note that Windows 8/10 computers with Fast Startup enabled don't actually reboot with a shutdown/start sequence.

    are we protected
    as said, yes - with the restriction that some components (e.g. HitmanPro.Alert) are not (fully) active after an initial install.

    Christian

     

    No - I meant in the status in the console - telling me that it is "updating" - when normally - when all is up-to-date and OK - It is Green !

  • Hello Weeboo,

    ah, I see.
    Some clarification: The green thingy  is not related to the up-to-date status, it means that to computer is connected, i.e. it's talking via RMS to the management server (naturally on order to send its update status the endpoint must connect thus you often see this icon and the Yes together - but a disconnected computer can be up to date as well). The yellow thingy  is an hourglass, you see it when SEC is trying to perform the Protect Computers steps on the endpoint, it does not indicate that the computer is updating. It stays for some time until either the endpoint calls in with its status indicating that Protect succeeded or the interval SEC is willing to wait has passed in which case you get an error message and the icon shows the disconnected  state.
    It's possible that these endpoints aren't switched on. If Fast Startup is enabled they will show as connected even if they are switched off as RMS isn't stopped by Windows and thus doesn't log off from the management server. You might want to check the Last message time shown in the Computer Details tab.

    Christian

  • a week down the line - we are still seeing large numbers  (118 at present) of devices at error - with the "RESTART NEEDED .............." message

    They are all rebooted overnight - so how long should I wait before being concerned ?

    They are ALL switched on !

  • Hello Weeboo,

    a systematic approach is better than just looking at numbers and contingent events and actions. First thing to check is whether the endpoints in question have actually rebooted - Windows' system up time is an indicator. If they did the next step is to determine the component requesting the reboot, I'd check the VolatileFlags key first. If it's not present then one of the install logs should have a corresponding message near its end.

    Christian

  • QC said:

    Hello Weeboo,

    a systematic approach is better than just looking at numbers and contingent events and actions. First thing to check is whether the endpoints in question have actually rebooted - Windows' system up time is an indicator. If they did the next step is to determine the component requesting the reboot, I'd check the VolatileFlags key first. If it's not present then one of the install logs should have a corresponding message near its end.

    Christian

     

     

    Hi Christian

    Sorry for the delay in updating you

    I tried the VOLATILEFLAGS key - on one device and found that it was not present - what is the next step ?

    Also - if I did write a powershell script and run it on all devices on GP - Would it matter that the key was removed from ALL devices - even those not at error ?

  • Hello Weeboo,

    the key isn't there just for the fun of it. As the note in the 0000006d article says you should only remove it if it persists after a reboot.

    next step as mentioned in my previous post - did the endpoints actually reboot (and not go through turn off/fast boot cycle)? The ALUpdate log normally mentions the presence of the VolatileFlags key. PendingFileRenameOperations also constitute a reboot requirement. And, as said, a component's install log normally notes a reboot requirement.

    Christian 

  • QC said:

    Hello Weeboo,

    the key isn't there just for the fun of it. As the note in the 0000006d article says you should only remove it if it persists after a reboot.

    next step as mentioned in my previous post - did the endpoints actually reboot (and not go through turn off/fast boot cycle)? The ALUpdate log normally mentions the presence of the VolatileFlags key. PendingFileRenameOperations also constitute a reboot requirement. And, as said, a component's install log normally notes a reboot requirement.

    Christian 

     

    Yes - they are all switched down EVERY night and up every morning

    The numbers at error - dropped down from a peak of around 160 to 120 to 100 to 80 but now appears to have bottomed out at 62 -  it has remained at this level for a week / 10 days

  • Hello Weeboo,

    that the number decreased is a good sign. 62 is a lot (considering your total) but there might be common reasons. Some investigation is required though.

    Christian

Reply Children
No Data