(imported comment written by SystemAdmin)
cstoneba,
I’ve just recently implemented a process to handle this and it’s fairly simple. One task handles triggering a flag to set the patching window to True when it should be ‘Active’ (as a Bigfix setting, to keep it simple and easy to re-configure via console, if necessary) and later to False when inactive.
A second task handles the reboots, set to reapply every 30 mins. In order to keep me informed of which machines are doing what, I set a setting called ‘Patching-Status’. The patching active/inactive task above also updates the status, as do all the baselines. That way I know which task is working/has just done work on the client.
In the reboot task, the initial setting is to ‘Reboot triggered - not required’ and then an if statement handles three tests - within the first half-hour, within the last half-hour, or (in any of the ‘middle’ half hours) if it's ‘Pending Restart’. Each of these ifs only contains a restart command and an update to the Status setting (as appropriate, to let me know which was triggered).
Thus during the patching window, the status may go from ‘Active’, ‘Reboot - 1st cycle’, ‘Baseline being applied’, ‘Baseline complete’, ‘Reboot - not required’, ‘Baseline being applied’, ‘Baseline complete’, ‘Reboot - last cycle’, ‘Deactivated’. The baselines might get applied before the last reboot…and even possibly after the last reboot occurs, but as there are essentially 9 other half-hour windows (between possible reboots, including the first) for the patching to occur, I am not that bothered about the rather low possibility of a few patches being applied after that last one.
Now, this is not quite as ‘tight’ as I could make it. To do exactly what you’re talking about, I would want the Active setting to probably go through the sequence “False, Start, True, End, False”. The baselines would only be running when it’s True, but the Start, True and End would all be relevant possibilities for the reboot cycle. And the reboot cycle is 30 minutes mostly because I got bored waiting for an hour between reboots and having to wait for the final patching status to come back as completed.
Let me know if you have any questions.
-Jim
P.S. I know some of the long-winded suggestions I’ve posted here before have only been theoretical (such as controlling the timing of rebooting/patching paired machines), but this process has been running currently for almost two months (jinxing myself as I write this) and has worked very well.
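The reboot task Jim describes, written out as a BigFix action script with its relevance clause. This is an added example, not Jim's own task or anything exported from his deployment. It assumes a client setting named "Patching-Window" that the first task sets to "True" while the window is active (the "effective date" of that setting is used as the window start), a window length of 5 hours (ten half-hour cycles), and a 60-second restart delay; all three are assumptions chosen for illustration.

```text
// --- Task relevance (only applies while the window flag is "True") ---
// Assumes a client setting "Patching-Window" maintained by a separate task.
exists setting "Patching-Window" whose (value of it = "True") of client

// --- Task action script, policy action set to reapply every 30 minutes ---
// Default status written on every run; overwritten below if a reboot fires.
setting "Patching-Status"="Reboot triggered - not required" on "{now}" for client

// First half-hour of the window: always restart so patching starts clean.
// Window start is taken as the moment "Patching-Window" was last set (assumption).
if {(now - effective date of setting "Patching-Window" of client) < 30 * minute}
    setting "Patching-Status"="Reboot - 1st cycle" on "{now}" for client
    restart 60

// Last half-hour of an assumed 5-hour window: final restart to clear anything
// the baselines left pending.
elseif {(now - effective date of setting "Patching-Window" of client) > 4 * hour + 30 * minute}
    setting "Patching-Status"="Reboot - last cycle" on "{now}" for client
    restart 60

// Any middle half-hour: restart only if a baseline has flagged a pending restart.
elseif {pending restart}
    setting "Patching-Status"="Reboot - pending restart" on "{now}" for client
    restart 60
endif
```

Because the action reapplies, the settings are stamped with `{now}` rather than the action issue date; a setting written with an older effective date would not replace the value a later run already stored. The "Patching-Status" values here follow the sequence in the post, and the window length and restart delay can be changed in one place each.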