I guess most of you are struggling with troubleshooting software update compliance and installing applications in Configuration Manager 2012. What I have found is that clients in a reboot pending state are often the root cause of the problems. In previous posts I have described how you can use tools like Coretech Shutdown Utility to automatically restart computers that have been in a reboot pending state for X number of hours/days.
The information about the reboot pending state is stored in the WMI Root\ccm\ClientSDK namespace, as illustrated here with the Coretech WMI & PowerShell explorer:
Identify reboot state using PowerShell
Launch PowerShell ISE and type Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending
Notice RebootPending is True in the first example and False in the second example. Now let’s take the PowerShell command and turn it into a Compliance rule in Configuration Manager 2012.
Create the Compliance rule in Configuration Manager
- Launch the Configuration Manager console, navigate to the Assets and Compliance workspace, Compliance Settings, Configuration Items.
- Create a new Configuration Item, Select Windows and click Next.
- Select all Operating systems, and click Next.
- On Settings, click New. In Setting type, select Script and in Data select Boolean.
- On Discovery Script, click Add Script, type Invoke-WmiMethod -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPending | select-object -ExpandProperty "RebootPending" and click OK.
- Select the Compliance Rule tab, and click New. Configure the following values to False and click OK.
- Finish the wizard. Notice that I’m not creating a remediation script as I do not want to force a reboot.
- Create a new Baseline, and add the Reboot Pending Configuration Item.
- Deploy the baseline to a device collection.
- Right click the baseline deployment, select Create New Collection, Non-compliant.
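A variant of the discovery script, as an added example that is not the original post's code: it returns the same Boolean for the compliance rule, but it catches ClientSDK provider errors and also looks at three operating-system reboot markers, so a restart that the Configuration Manager client does not report still evaluates to True. The function names are illustrative, and the registry checks are an addition that goes beyond what the post's one-liner covers.

```powershell
# Added example: Boolean discovery script for the Reboot Pending Configuration Item.
# Function names are illustrative and not part of Configuration Manager.

function Test-CcmRebootPending {
    # Ask the ConfigMgr client. Returns $null when the ClientSDK call fails
    # (provider load failure, method not implemented, client not installed).
    try {
        $r = Invoke-WmiMethod -Namespace 'ROOT\ccm\ClientSDK' -Class CCM_ClientUtilities `
                              -Name DetermineIfRebootPending -ErrorAction Stop
        if ($r.ReturnValue -ne 0) { return $null }
        return [bool]($r.RebootPending -or $r.IsHardRebootPending)
    }
    catch {
        return $null
    }
}

function Test-OsRebootPending {
    # Markers Windows itself leaves behind, independent of the ConfigMgr client.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { return $true }
    }

    # Files queued for replacement at next boot (for example, a file that was in use during install).
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $pending = @($sm.PendingFileRenameOperations | Where-Object { $_ })
    return ($pending.Count -gt 0)
}

$ccm = Test-CcmRebootPending   # $true, $false, or $null if the client could not answer
$os  = Test-OsRebootPending

# The compliance rule expects exactly one Boolean on the output stream.
# A failed ClientSDK call ($null) counts as "not reported" and the OS markers decide.
[bool]($ccm -or $os)
```

PendingFileRenameOperations can be populated by software that renames files at every boot, so drop that check if it makes too many clients show as non-compliant.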
Thank you for the great post. It helped me a lot. Kindly post the remediation script as well to reboot the non-compliant PCs.
Thanks in advance and my best regards
I’ve been exploring for a bit for any high quality articles or blog posts on this kind of area. Exploring in Yahoo I at last stumbled upon this site. Reading this info, I am happy to convey that I’ve an incredibly good uncanny feeling I discovered exactly what I needed. I most certainly will make sure not to forget this site and give it a look on a constant basis.
I set this up step by step and get the following error.
Error Code – 0x87d00327
Error Description – Script is not signed
Thanks
23rd Oct 2014 at 20:50
That’s the PowerShell execution policy. Administration workspace/Client Settings, Computer Agent – configure the PowerShell execution policy to bypass
Kent, great article .. works great despite that we have a GPO set to RemoteSigned, and that policy will override Client settings, right? Do you know how to include something like set-executionpolicy -Bypass in the script above?
Another thing I’ve noticed is that we tried to run the commands on several servers that we know were in reboot pending (in Server Manager 2008) and the script only checks rebootpending from ccm. We got False when it actually needs a reboot.
Very nice! I struggled half a day on this blog http://tinyurl.com/lae6odm without results. Your instructions are thorough and easy to follow. Thanks a bunch! By the way, luv your presentation in SCU 2014 in Switzerland.
$Policy = "unrestricted"
# Change the execution policy only when it differs from the desired value
If ((Get-ExecutionPolicy) -ne $Policy) {
    Write-Host "Script Execution is disabled. Enabling it now"
    Set-ExecutionPolicy $Policy -Force
    Write-Host "Please Re-Run this script"
    Exit
}
If you want to remote sign..
I’m not sure this is possible. If the default value of the signing policy is “restricted”, then you can’t run the script in the first place. It’s a bit of a catch-22. Here’s an important bit. The default Client Setting in Configuration Manager 2012 SP1 is only to allow “All Signed” PowerShell scripts to execute.
I would read the following post to learn more about signing and recommend you sign any scripts you use in SCCM. Managing the renewal of those signed certs would be a challenge, but just track where you use scripts in SCCM using a SharePoint list or a spreadsheet making sure to include the location, versions, when signed, when expires, etc.
http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/
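One way to sign the discovery script and capture the tracking details suggested in the comment above, as an added example that is not from the original post or its comments. The script path and the timestamp URL are placeholders, and it assumes a code-signing certificate that the clients already trust as a publisher is installed in the current user's store.

```powershell
# Added example. $ScriptPath is hypothetical and $TimestampUrl is a placeholder:
# substitute the file you add to the Configuration Item and your CA's timestamp service.
$ScriptPath   = 'C:\Scripts\Get-RebootPending.ps1'
$TimestampUrl = 'http://timestamp.example.invalid'

# Pick the unexpired code-signing certificate with the latest expiry date.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid code-signing certificate found in Cert:\CurrentUser\My'
}

# Sign with a timestamp so the signature can still be verified after the
# signing certificate itself has expired.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
                                 -TimestampServer $TimestampUrl -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.StatusMessage)"
}

# Re-read the file to confirm what a client would verify under AllSigned.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath

# One row for the tracking list: location, when signed, when the certificate expires.
[pscustomobject]@{
    Script      = $ScriptPath
    Status      = $check.Status
    Thumbprint  = $cert.Thumbprint
    SignedOn    = (Get-Date).ToString('yyyy-MM-dd')
    CertExpires = $cert.NotAfter.ToString('yyyy-MM-dd')
    TimeStamped = [bool]$check.TimeStamperCertificate
}
```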
What do you recommend for how often the baseline should run?
How do you report on this compliance setting?
Any idea why a soft reboot pending does not populate the deadline field? If Patches are installed in the advertisement period prior to the deadline, Pending reboot becomes True, IsHardrebootPending becomes false, and the Deadline shows 12/31/1969. In this scenario SCCM still places a reboot icon in the system tray, the reboot window has an actual deadline date, but because it is not a hard reboot, the snooze option is available. I have been scouring the net trying to figure out where this date is coming from. Anyone know? It seems crazy to me that a soft reboot deadline date is not stored in the same place as a hard reboot deadline.
Sort of related to this, but I was curious how you can initiate the SCCM restart notification through script. I have set up my restart for 75 minutes with a postpone, then later within half an hour it will only allow you to restart. I was hoping someone can guide me with a PowerShell script to initiate the restart.
Could you tell me what the PowerShell requirements are to get this to run successfully? I’ve run into at least a dozen Windows 7 computers that return 0xffffffff errors:
I see in DcmWmiProvider.log
Script Execution Returned :4294967295, Error Message:Invoke-WmiMethod : This method is not implemented in any class
…
At C:\Windows\CCM\SystemTemp\5d755a09-118a-4af1-933e-f0990a210dd0.ps1:1 char:17
+ Invoke-WmiMethod <<<< -Namespace "ROOT\ccm\ClientSDK" -Class CCM_ClientUtilities -Name DetermineIfRebootPendingÿ | select-object -ExpandProperty "RebootPending"
+ CategoryInfo : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
+ FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod
Sorry, left out a key line: just above “At C:\Windows\….”
<![LOG[ScriptProvider::CreateInstanceEnumAsync – Script Execution Returned :4294967295, Error Message:Invoke-WmiMethod : This method is not implemented in any class
So this did not work for us. We deployed a package where we had a number of computers identified as “In Progress” in the deployment status with the details of “reboot pending”. I found “Restart Manager” event log entries that confirmed a restart was required. But the PowerShell script returns “False” for each computer I checked. Upon restarting these computers, their status changed from “In Progress” to “Success”.
I realize I’m not providing any detail. Everything works. It’s just the script doesn’t see the required reboot. I’m installing an Outlook add-in. The restart is only required if the user left Outlook open during the time of the install. If Outlook is NOT open during the install, no reboot is required.
So could this be a quirk of what I’m installing?
Hi Kent…can’t seem to get this to work…tried a couple of systems and the Powershell command returns.
PS C:\WINDOWS\system32> Invoke-WmiMethod -Namespace “ROOT\ccm\ClientSDK” -Class CCM_ClientUtilities -Name DetermineIfRebootPending
Invoke-WmiMethod : Provider load failure
At line:1 char:1
+ Invoke-WmiMethod -Namespace “ROOT\ccm\ClientSDK” -Class CCM_ClientUti …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
+ FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod