Overview
Windows Feature Updates (e.g. 1903, 1909, 2004, 20H2) ignore the After Deployment 'do not reboot' option and restart the server anyway. Occasionally, other upgrades or custom software updates also contain built-in code that reboots the machine regardless of the options chosen in LanGuard.
Solution
GFI LanGuard allows you to leave scan targets turned on after deploying patches or remediating vulnerabilities, even when a reboot is required for an update to finish installing. However, some patches, upgrades, and software updates contain hardcoded logic that reboots the machine and ignores the After Deployment settings configured in LanGuard; refer to the sections below.
Windows Feature Updates and Other Major Updates
Because of the nature of these 'major' updates, Windows automatically reboots once the update has been extracted and installed. This behaviour is hardcoded by Microsoft and cannot be disabled.
A message appears in the Deployment window indicating “A manual reboot is not necessary. The machine will be rebooted after the OS Upgrade has been extracted and complete.”
The workflow associated with deploying a Windows Feature Update follows these steps:
- The scan detects a Windows Feature Update available for a system.
- The administrator configures Remediation settings, including After Deployment options, initiating deployment from the LG console.
- Because Feature Updates are deployed via .esd files, the system reports the remediation job as complete as soon as the script that initiates the install has run. This can be confusing: the job appears to finish within moments, when in fact the script has only started the install and the installation is still in progress. This is why the message tells you not to reboot the system manually, as doing so cancels the in-progress installation.
- The machine will reboot upon completion of the extraction and installation of the .esd file.
- After reboot, the Feature Update is installed.
If you want control over the automatic reboot in such cases, the only option is to disable auto-download and deployment of service packs and update rollups and run manual remediation for these instead. To do so, untick "Download and deploy missing service packs and updates rollups" in the Auto-Remediation options.
Custom Software Deployment
When an automatic reboot happens during custom software deployment, either the reboot is hardcoded by the software vendor or the deployment is missing a command-line parameter, provided by the vendor, that prevents it.
The script parameters used to deploy the software are outside the scope of our support. If the software's documentation does not provide this information, contact the third-party vendor whose software is being deployed.
Run the batch file manually from a command line and verify that it installs the software correctly, does not require any user interaction, and, since that is what you want to avoid, does not reboot automatically. If this works manually from the command line, the same parameters should work when deployed through LanGuard.
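As an added example (not GFI's code and not from this article), the following PowerShell wrapper performs the manual check described above for the common case of an MSI package: it runs the installer silently with the no-restart switch, classifies the exit code, and reports whether the install left a reboot pending. The package path, log path and the use of msiexec are assumptions; a non-MSI installer needs the vendor's own silent and no-reboot switches in place of /qn and /norestart.

```powershell
# Added example, not GFI LanGuard's own code. Assumes an MSI package;
# $PackagePath and $LogPath are placeholders for your own deployment share.
param(
    [string]$PackagePath = 'C:\Deploy\example-app.msi',          # placeholder
    [string]$LogPath     = 'C:\Deploy\example-app-install.log'   # placeholder
)

# Standard Windows indicators that a reboot is already pending.
function Test-PendingReboot {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
          -ErrorAction SilentlyContinue
    return [bool]($sm.PendingFileRenameOperations)
}

$before = Test-PendingReboot

# /qn = no UI (no user interaction), /norestart = never reboot, even if the
# package requests one; /l*v writes a verbose log for troubleshooting.
$msiArgs = "/i `"$PackagePath`" /qn /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Map the documented Windows Installer return codes to what they mean
# for an unattended LanGuard deployment.
switch ($proc.ExitCode) {
    0       { $status = 'installed; no reboot needed' }
    3010    { $status = 'installed; reboot required but suppressed (ERROR_SUCCESS_REBOOT_REQUIRED)' }
    1641    { $status = 'installer initiated a reboot (ERROR_SUCCESS_REBOOT_INITIATED); check switches' }
    default { $status = "failed with exit code $($proc.ExitCode); see $LogPath" }
}

Write-Output "Result: $status"
Write-Output ("Pending reboot before: {0}, after: {1}" -f $before, (Test-PendingReboot))

# Return the installer's exit code so the calling batch file can act on it.
exit $proc.ExitCode
```

A result of 3010 is the outcome you want from an unattended deployment: the update is installed and the reboot is left to the After Deployment settings in LanGuard rather than forced by the installer.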