
Can someone explain when Automox decides to run the remediation code of a worklet? I am using the worklet “Windows - Maintenance - Maintenance Window Reboots” from the worklet catalog and have the restart days as Saturday and a maintenance window of “4:00AM - 4:30AM”. After applying this worklet to a group I scan the device and it shows as “Compliant”. When the worklet scheduled time comes around there is no activity when it should in fact have rebooted the devices because they are all pending updates.

 

Do I need to change the restart days to every day so Automox thinks it needs to be rebooted and set the worklet schedule to the day it needs to be remediated?

Hi Cbranum,

If you have a green checkmark next to your policy name, in general it indicates the endpoint is compliant (in this case, no reboot needed) and the Remediation code will not run.

The Remediation code will run under one of two conditions: The endpoint is not compliant (clock icon next to the policy name on the device, automated run, as scheduled) or if you force it to run (Run On This Device Now).

You can manipulate this behavior. If you want the Remediation code to run as scheduled every time regardless of compliance, then you can put ‘exit 1’ in the Evaluation code. This makes the console think the endpoint is not compliant (even though it might be, we just don’t care in this case) and the Remediation code will then run.

It is important to scan your device after assigning a new Worklet policy to it (or group of devices). This happens automatically based on the group scan interval, but I prefer to kick a scan off manually to just get it out of the way, no waiting.


Thanks for the response! The issue I’m having is that devices that Automox shows as “pending reboot” are showing compliant, when in fact they should not be compliant. If I set the maintenance day to Saturday and the maintenance window to 4:00AM - 5:00AM do I have to just hope that the endpoints scan within that timeframe for Automox to consider them non compliant?

 

I really need the devices to only reboot if required at a specific time, but it seems that is harder to achieve than it should be. 


I imagine we could revise the Evaluation code of the Worklet in this case. Looking at the exact notes, there actually isn’t even a condition being checked in the Evaluation code to see if a reboot is pending. It just sets up a potential time window to execute the Remediation code. (Am I (the eval code) running on a certain day at a certain time? If yes, queue up the Remediation code.) If my understanding is accurate, it’s not the best approach we could offer, since we couldn’t ensure a scan automatically runs within the parameters of the Evaluation code, and also the Remediation code has to be scheduled for execution, which would also fall out of the ‘window’ desired or specified in the Evaluation code.

I think it would make sense to put most of the ‘checks’ found in the Remediation code into the Evaluation code. I’ll ask Anthony on Monday to see if I need clarity on my understanding of if we can update how this is functioning.

 


Thank you very much! I appreciate you digging into this for me.


The Worklet in question is under review and will be modified to provide a more customizable option by creating a scheduled task. I don’t recommend using it today.

In the short term a better option is actually an older Worklet we have in the catalog:
https://console.automox.com/manage/worklet-catalog/16

This runs the evaluation code and checks the device for a restart status (New-Object -ComObject "Microsoft.Update.SystemInfo", can run this in a PowerShell window to see what it spits back).

It then executes the Remediation code as scheduled (Saturday/midnight or whenever you want the reboot to take place).

I recommend removing the Remediation code in its entirety and just having:
Restart-Computer -Force



No need to get any more fancy than that.
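
Added example, not part of the original posts and not Automox's catalog code: Evaluation code of the kind described above, which reports the endpoint as non-compliant (exit 1) only when a reboot is actually pending, so that the scheduled Remediation code (Restart-Computer -Force) runs only on devices that need it. The function name Get-PendingRebootReason and the two registry markers checked alongside the Microsoft.Update.SystemInfo object are assumptions of this example.

```powershell
# Evaluation code (added example). Exit 1 = not compliant, Remediation runs
# as scheduled. Exit 0 = compliant, Remediation is skipped.

function Get-PendingRebootReason {
    $reasons = @()

    # Windows Update Agent status, the COM object mentioned in the thread.
    try {
        $sysInfo = New-Object -ComObject 'Microsoft.Update.SystemInfo' -ErrorAction Stop
        if ($sysInfo.RebootRequired) { $reasons += 'Windows Update Agent: RebootRequired' }
    } catch {
        # Do not fail the evaluation; fall through to the registry markers.
        Write-Warning "Microsoft.Update.SystemInfo query failed: $($_.Exception.Message)"
    }

    # Assumption: these servicing / Windows Update markers are checked as well.
    # Their presence alone signals a pending reboot.
    $subKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )

    # Open the 64-bit registry view so the result is the same from a 32-bit host.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        foreach ($subKey in $subKeys) {
            $key = $hklm.OpenSubKey($subKey)
            if ($null -ne $key) {
                $reasons += "Registry: $subKey"
                $key.Close()
            }
        }
    } finally {
        $hklm.Close()
    }

    return ,$reasons   # leading comma keeps an empty result an array
}

$pending = Get-PendingRebootReason
if ($pending.Count -gt 0) {
    Write-Output "Reboot pending: $($pending -join '; ')"
    exit 1
}
Write-Output 'No reboot pending.'
exit 0
```

Because compliance is decided at scan time, a device that picks up a pending reboot after its last scan stays "Compliant" until the next scan runs.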


Thank you for the help Mark! I think I am in good shape now.

