I’m stuck in a dilemma and would like to know the suggested solution. I have a baseline that unlocks, patches, (both fine), but then I want to lock it and then reboot.
If I lock it before reboot (reboot being an action, not a post action), then the reboot won’t occur. If I reboot, then lock, the lock may not take effect. How is everyone else doing it?
The reason I don’t want a post action reboot is because I want to reboot only devices that have a reboot client setting, hence the custom reboot task.
Can you post this code? I have some locked computers myself that just need special patching needs (schedule time w/ users etc) and I was thinking it would be nice to have a second password to apply patches to locked computers… Looks like you have another way of doing it that I’d love to hear…
Ben, if I restart, then lock, in a baseline, will the client take the next action (lock) after the restart, or does a restart reset the actionsite?
I don’t want a policy to lock clients because that would create a major headache when trying to unlock clients to do maintenance.
My current, unsuccessful baseline is:
1. Bes Client Setting: Unlock Computer
2. Various Microsoft Patches
3. Custom Reboot task (shutdown -r -f -t 10). Ben, I know you say to not do it this way, but a post action restart is not specific enough for targeting clients. (Enhancement request: relevance for post action)
Cstoneba, can you tell me how / why you do this? Do you have a set of locked computers that need more specific patching criteria (IE: a set window someone gives you that can change day to day)?
So do you create a new baseline each month for “locked” computers with the patches you want to deploy on these locked machines?
For #3, why not just use the “restart 30” command?
But regardless, if you have a baseline and you restart in the middle of the running baseline action, the agent will pick up where it left off after the restart (assuming the baseline action is still relevant and unconstrained). Is it possible that some other relevant action will run too? I think the answer is yes… But I believe that is true of whenever the computer is unlocked (for instance, there is a chance another action can run while the computer is unlocked in between your baseline actions when it is downloading files)…
tscott, all clients are locked. When we deploy our baseline of Microsoft patches, we need to first unlock the client, patch them, reboot, then lock it again. All this is done within a single baseline, preferably.
Ben, I wish I could use the “restart 30” command, but it has never worked for me. It always asks for confirmation via the “take action” prompt (even when no user is logged into the computer). Good points Ben. I suppose I could have the reboot command and the lock command all within a single action script. Maybe that would be a better idea than splitting the reboot and lock into two separate fixlets.
If you log into the BES admin tool, you can provide the url of a custom site that has the ability to run regardless of if the client is locked. The issue is that the unlock task runs in the BES Support site, which can run against a locked client. However, once you place this task in your custom baseline, it is no longer in the BES Support site. So, you will need to add your baseline to a custom site, then give that custom site access to locked computers via the BES Admin tool.