Dealing with reboot pending clients in Configuration Manager 2012

Guess most of you are struggling with troubleshooting software update compliance and installing applications in Configuration Manager 2012. What I have found, is that clients in a reboot pending state often is the root cause to the problems. In previous posts I have described how you can use tools like Coretech Shutdown Utility to automatically restart computers that has been in a reboot pending state for X number of hours/days. 

The information about the reboot pending state is stored in WMI Root\ccm\ClientSDK namespace as illustrated here with the Coretech WMI & PowerShell explorer:

image

Identify reboot state using PowerShell

Launch PowerShell ISE and type Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending

image

image

Notice RebootPending is True in the first example and False in the second example. Now let’s take the PowerShell command and turn it into a Compliance rule in Configuration Manager 2012.

Create the Compliance rule in Configuration Manager

  1. Launch the Configuration Manager console, navigate to the Assetts and Compliance workspace, Compliance Settings, Configuration Items.
  2. Create a new Configuration Item, Select Windows and click Next.

    image

  3. Select all Operating systems, and click Next.
  4. On Settings, click New. In Setting type, select Script and in Data select Boolean.

    image

  5. On Discovery Script, click Add Script and type
  6. Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending  | select-object -ExpandProperty "RebootPending" and click OK.

    image

  7. Select the Compliance Rule tab, and click New. Configure the following values to False and click OK.

    image

  8. Finish the wizard. Notice that I’m not creating a remediation script as I do not want to force a reboot.
  9. Create a new Baseline, and add the Reboot Pending Configuration Item.

    image

  10. Deploy the baseline to a device collection.
  11. Right click the baseline deployment, select Create New Collection, Non-compliant.

    image

By | 2014-01-19T17:14:28+00:00 January 19th, 2014|Configuration Manager (SCCM), General info|14 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.

14 Comments

  1. Younus Mohammed May 7, 2014 at 22:21 - Reply

    Thank you for the great post.It helped me a lot.Kindly post the remediation script as well to reboot the non complaint PC’s

    Thanks In Advance and My rest Regards

  2. Paul Murray October 23, 2014 at 20:48 - Reply

    I set this up step by step and get the following error

    Error Code – 0x87d00327
    Error Description – Script is not signed CCM

  3. Kent Agerlund October 23, 2014 at 20:50 - Reply

    That’s the PowerShell execution policy. Administration workspace/Client Settings, Computer Agent – configure the PowerShell execution policy to bypass

    • Jessie December 23, 2016 at 10:45 - Reply

      I’ve been exploring for a bit for any high quality articles or blog posts on this kind of area . Exploring in Yahoo I at last stumbled upon this site. Reading this info So i am happy to convey that I&271#8;ve an incredibly good uncanny feeling I discovered exactly what I needed. I most certainly will make sure to don’t forget this site and give it a look on a constant basis.

  4. Paul Murray October 23, 2014 at 20:50 - Reply

    I set this up step by step and get the following error.

    Error Code – 0x87d00327

    Error Description – Script is not signed

    Thanks

  5. Ryan November 19, 2014 at 21:36 - Reply

    23rd Oct 2014 at 20:50

    That’s the PowerShell execution policy. Administration workspace/Client Settings, Computer Agent – configure the PowerShell execution policy to bypass

    Reply

  6. Nick February 11, 2015 at 10:32 - Reply

    Kent, works great dispite that we have a GPO set to RemoteSigned and that policy will override Client settings right. Do you know how to include like set-executionpolicy -Bypass in the script above ?

  7. Nick February 11, 2015 at 10:55 - Reply

    Kent, great article .. works great dispite that we have a GPO set to RemoteSigned and that policy will override Client settings right. Do you know how to include like set-executionpolicy -Bypass in the script above ?

  8. Nick February 11, 2015 at 13:39 - Reply

    Another thing I´ve noticed is that we tried to run the commands on serveral servers that we know was in reboot pending (in server manager 2008) and the script only check rebootpending from ccm. We got False when it actually need reboot.

  9. Topsporter April 24, 2015 at 0:36 - Reply

    Very nice! I struggled half a day on this blog http://tinyurl.com/lae6odm without results. Your instructions are throughout and easy to follow. Thank a bunch! By the way, luv your presentation in SCU 2014 in Switzerland.

  10. Syed Rizvi May 27, 2015 at 0:27 - Reply

    $Policy = “unrestricted”
    If ((get-ExecutionPolicy) -ne $Policy) {
    Write-Host “Script Execution is disabled. Enabling it now”
    Set-ExecutionPolicy $Policy -Force
    Write-Host “Please Re-Run this script”
    Exit
    }

    If you want to remote sign..

    • Ted Wagner August 12, 2015 at 16:53 - Reply

      I’m not sure this is possible. If the default value of the signing policy is “restricted”, then you can’t run the script in the first place. It’s a bit of a catch-22. Here’s an important bit. The default Client Setting in Configuration Manager 2012 SP1 is only to allow “All Signed” PowerShell scripts to execute.

      I would read the following post to learn more about signing and recommend you sign any scripts you use in SCCM. Managing the renewal of those signed certs would be a challenge, but just track where you use scripts in SCCM using a SharePoint list or a spreadsheet making sure to include the location, versions, when signed, when expires, etc.

      http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/

  11. Chris July 28, 2015 at 17:49 - Reply

    What do you recommend for how often the baseline should run?
    How do you report on this compliance setting?

  12. Mark September 21, 2016 at 16:25 - Reply

    Any idea why a soft reboot pending does not populate the deadline field? If Patches are installed in the advertisement period prior to the deadline, Pending reboot becomes True, IsHardrebootPending becomes false, and the Deadline shows 12/31/1969. In this scenario SCCM still places a reboot icon in the system tray, the reboot window has an actual deadline date, but because it is not a hard reboot, the snooze option is available. I have been scouring the net trying to figure out where this date is coming from. Anyone know ? It seems crazy to me that a soft reboot deadline date is not stored in the same place as a hard reboot deadline.

Leave A Comment