
feature request - or have I just not found this setting? Max delay for computer-restart

Dear all,

we keep on having W10 and W7 clients that are not rebooting their computers like they are supposed to.

So we have some clients that report "Restart required for Sophos ....updates to take effect" and are restarted for about 7-14 days or even longer.
I.e. Exploit Prevention updates:

Is there a feature available yet, where I can force my clients to delay the computer restart for max 2-3 days after the update, when a reboot is required?
Like WSUS style :)?
If not, is there an event log that might be queryable for this event (with scheduled tasks or similar)?

How do you solve those situations?

I am looking forward to hearing from you and am grateful for your input.

BR

M



  • Hello M,

    a forced reboot isn't implemented (for various reasons) - you haven't missed some setting.
    For SAV the MSInstaller writes an entry to the Application Event log but as far as I can see there's none for EXP. AutoUpdate writes the requirement to the logs, alc.log in encoded form, ALUpdate log in plain text (can't say whether with every update check or only when there are actual updates), but both aren't kept for an extended period so you'd have to store the timestamp of the initial request somewhere.

    Devices managed by us are anyway sooner or later rebooted in the course of regular software maintenance. Where the users have administrative rights, well, they might as well postpone a reboot required for Windows Updates. If they decide to ignore it they ignore it.

    Christian   

  • Dear Christian,

    Thanks again for your response.

    I am able to find several entries for single clients, where a reboot is required on the management console.
    Sadly I am not able to find any log entries about this on the devices locally in the stated log files.

    Therefore I would like to monitor this with PRTG on the Sophos AV management server (database) to
    e-mail the users after the 3rd or 4th day to do a reboot.

    Would you happen to guide me to the right database table, that I could query for that function?

    We have very limited users with local administrative permissions, but sadly more than expected, that
    keep their computer running without a reboot for quite some time.

    I appreciate your feedback.

    BR
    Markus

  • Hello Markus,

    in the ALUpdate log you should see the following string in every update cycle as long as the reboot is pending:
    <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>AutoUpdate.RebootNeeded</ID><StringID>109</StringID><Sender>ALUpdate</Sender></ErrorMessage>
    (haven't found an "initial" message).

    In the ALC.log the indicator is the 0x4c:
    0x4 ALUpdate 0x32 0x16e4 0x1 0x4c 0x1d98 0x5d722b3e
    After initial install it's AFAIK 0x4d, reboot before install is 0x7a or 0x9e, to finish deinstallation 0xbc, for EXP there are 0xc0 and 0xc2.
    The start of an AutoUpdate cycle is 0x6 and successful finish is 0x7b.


    On the SEC side the restart requirement (for SAVXP) is logged in the Errors table - here's an example:

    ID     |ComputerID |...|AlertTime               |Outstanding| Source |...|Number|...|InsertedAt
    123456 |4711       |...|2019-09-05 03:44:10.000 |          1| ALC    |...|   109|...|2019-09-05 03:44:10.707

    Source='ALC' and Number=109 is the "error" you are interested in, Outstanding=1 denotes the reboot is still pending, ComputerID is the Foreign Key for the Primary Key ID of the ComputersAndDeletedComputers table that gives you the computer's Name.

    Christian
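
The lookup described in the reply above, written as a T-SQL query for a monitoring sensor or scheduled report. This is an added example, not part of the original posts and not Sophos-supplied code: table and column names are the ones quoted in the reply, while the 3-day threshold, the output column aliases and the assumption that AlertTime is stored in the server's local time are illustrative.

```sql
-- Added example (T-SQL). Run against the SEC database in read-only fashion.
-- Table/column names come from the reply above; everything else is an assumption.

DECLARE @MaxDays int = 3;   -- assumption: "3rd or 4th day" mentioned in the thread

SELECT
    c.Name                                      AS ComputerName,
    MIN(e.AlertTime)                            AS RebootFirstRequested,
    MAX(e.AlertTime)                            AS RebootLastReported,
    -- DATEDIFF(day, ...) counts calendar-day boundaries crossed, not 24h periods
    DATEDIFF(day, MIN(e.AlertTime), GETDATE())  AS DaysPending
FROM Errors AS e
JOIN ComputersAndDeletedComputers AS c
    ON c.ID = e.ComputerID          -- ComputerID is the foreign key to c.ID
WHERE e.Source      = 'ALC'
  AND e.Number      = 109           -- "restart required" entry
  AND e.Outstanding = 1             -- reboot still pending
GROUP BY c.ID, c.Name               -- one row per computer, oldest alert wins
HAVING DATEDIFF(day, MIN(e.AlertTime), GETDATE()) >= @MaxDays
ORDER BY DaysPending DESC;
```

Because only rows with Outstanding=1 are counted, a computer drops out of the result once the console clears the alert after the reboot.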
