0 Replies Latest reply on Dec 22, 2017 6:07 PM by cjmartin249

    Allowing user input for third party patching

    cjmartin249

      A little background to preempt some of the "why would you do it this way" questions...

      We are using SolarWinds Patch Manager to provide third party patching content for SCCM Current Branch. Recently HP and other vendors have released Synaptics (TrackPad/TrackPoint) driver updates to remove a security vulnerability. (The drivers have a hidden keylogger.) We used the HP catalogs to publish the new drivers and everything seems to detect fine. But during install of the drivers, the trackpad buttons stop working on some PCs. This leaves the PC in a state where the user can't click on anything. The PC works fine after a reboot, but having our users try to save/close their stuff and force a reboot with the keyboard is not practical. Waiting for the system to automatically reboot is also impractical, as we typically give our users a few days before patches are enforced, and even then we have a 4-hour reboot countdown configured in SCCM.

      So what we came up with is the idea to use the Patch Manager Package Boot Helper tool to display a message to the user informing them that an immediate reboot is required for this specific update. We have to give them some heads-up to close documents. The Package Boot Helper could also run a shutdown.exe command after install to force the reboot. As we started to test this, we found that the advanced settings configuration option "Install can request user input (non-silent install)" causes SCCM to think that the software update is expired. We can't get it to work. Unchecking the option re-enables the update, but then the update is silent.

      So, my questions:

      1. Is this option supposed to work with SCCM Software Updates? Or is this option only usable when using the Patch Manager agent? Or is there some bug here?

      2. If this option does work via SCCM, does it still run elevated? Or will this cause UAC prompts? I could test this myself if the patches wouldn't show up as expired.

      3. Any other ideas on how to better handle these driver updates? I like the auto detection and scripting the catalogs provide. If we can't get this to work, I may not be able to use Software Updates, forcing us to create a traditional package, writing a lot of code and deploying them separately.

      Thanks in advance for any feedback or assistance.