Windows Feature Updates (e.g. 1903, 1909, 2004) ignore the After Deployment 'do not reboot' option and restart the server anyway. Occasionally, other upgrades also contain built-in code that reboots the machine regardless of the options chosen in LanGuard.
GFI LanGuard lets you leave scan targets turned on after deploying patches or remediating vulnerabilities, even if a reboot is required for an update to be installed completely. However, some patches and upgrades contain built-in code that reboots the machine, ignoring the After Deployment settings configured in LanGuard.
Note: A message appears in the Deployment window indicating “A manual reboot is not necessary. The machine will be rebooted after the OS Upgrade has been extracted and complete.”
The workflow associated with deploying a Windows Feature Update follows these steps:
- The scan detects a Windows Feature Update available for a system.
- The administrator configures Remediation settings, including After Deployment options, and initiates deployment from the LanGuard console.
- Because Feature Updates are deployed via .esd files, the system reports the remediation job as complete as soon as the script that initiates the install has run. This can cause confusion: the job appears completed within a few moments because the script successfully started the install process, but the install itself is still taking place. For this reason, the message warns against manually rebooting the system, as doing so will cancel the in-progress installation.
- The machine will reboot upon completion of the extraction and installation of the .esd file.
- After reboot, the Feature Update is installed.
Due to the nature of these 'major' updates, Windows will automatically reboot after the deployment has been extracted and installed. This setting is hardcoded by Microsoft and cannot be disabled.
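Because the remediation job reports completion before the install has finished, the state of the target can be checked independently instead of rebooting it by hand. The following PowerShell is an added example, not part of GFI LanGuard: it assumes PowerShell remoting (WinRM) is enabled on the target, and the function names, state labels, computer name and release value are hypothetical.

```powershell
# Added example: report where a Feature Update stands on a target machine.
# Assumes WinRM remoting to the target; all names here are illustrative.
function Get-FeatureUpdateState {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,     # target of the deployment
        [Parameter(Mandatory)] [string]   $ExpectedRelease,  # e.g. '1909'
        [Parameter(Mandatory)] [datetime] $DeployedAt        # when the job was started
    )
    try {
        $info = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{
                ReleaseId = $cv.ReleaseId   # '1903', '1909', '2004' on these releases
                LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.ToUniversalTime()
            }
        }
    } catch {
        return 'Unreachable'            # expected while the machine is rebooting
    }
    if ($info.ReleaseId -eq $ExpectedRelease) { return 'Installed' }
    # Rebooted since the job started but still on the old release:
    # the install did not complete (for example, it was cancelled by a reboot).
    if ($info.LastBoot -gt $DeployedAt.ToUniversalTime()) { return 'RebootedOldRelease' }
    return 'InProgress'                 # no reboot yet; leave the machine alone
}

# Poll until the update is installed, has failed, or the timeout expires.
function Wait-FeatureUpdate {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $ExpectedRelease,
        [Parameter(Mandatory)] [datetime] $DeployedAt,
        [int] $TimeoutMinutes = 180,
        [int] $PollSeconds    = 120
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Get-FeatureUpdateState -ComputerName $ComputerName `
                     -ExpectedRelease $ExpectedRelease -DeployedAt $DeployedAt
        Write-Host ("{0:u}  {1}: {2}" -f (Get-Date), $ComputerName, $state)
        if ($state -in 'Installed', 'RebootedOldRelease') { return $state }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return 'TimedOut'
}

# Constructed usage: Wait-FeatureUpdate -ComputerName 'SRV01' -ExpectedRelease '1909' -DeployedAt (Get-Date)
```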