LIMEHAWK - Managed IT
Uptime-Based Reboot — automation
date: Sep 5, 2024
status: RESOLVED
Incident

Compliance audit flagged a healthcare client for "missing critical patches." 23 of 47 workstations showed patches downloaded but not installed. Average fleet uptime was 34 days - users were hibernating laptops but never rebooting. One machine had been "up" for 97 days. Patches were there, just waiting for a reboot that never came.

Problem Identification
highest uptime: 97 days (front desk - "never turn it off")
average uptime: 34 days across 47 workstations
compliance status: 0% - all "installed" patches pending reboot
root cause: Fast Startup + user behavior

Windows 10's Fast Startup was the culprit. When users clicked "Shut Down," Windows actually hibernated the kernel. The machine appeared to power off, but it wasn't a true reboot. Updates in "Pending Reboot" status never installed.

Why Standard Solutions Failed
Active Hours — users set 6 AM - 11 PM (never restart)
Deadline forcing — triggers at 2 AM, laptops sleeping
User prompts — "Restart now" dismissed for weeks
Smart scheduling — picks inactive times when laptop asleep

Fundamental problem: Windows Update can only restart a machine that's awake and online. Users who close laptop lids at 5 PM and open at 8 AM never hit the maintenance window.

Solution

Enforce reboots through the RMM agent, which runs with SYSTEM privileges and can force restarts regardless of Windows Update's "smart" scheduling.

Why This Works
Win32_OperatingSystem: real LastBootUpTime (immune to Fast Startup)
quser enumeration: logs who was on before reboot
$SkipIfUserActive: optional defer if someone is working
warning period: configurable 5-min warning for user

Key insight: the RMM agent can wake a machine from sleep to run scheduled tasks. Combined with this script, machines that "never reboot" now reboot weekly - automatically, during off-hours, with no user action required.
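
The check described above, written out as an added example (this is not LimeHawk's own script). $SkipIfUserActive is the switch named in the write-up; $MaxUptimeDays and $WarningSeconds are hypothetical parameter names, and the quser parsing assumes English-language output.

```powershell
# Added example, not the original script. Intended to run as SYSTEM from an RMM agent.
param(
    [int]$MaxUptimeDays  = 7,     # hypothetical name; 7-day threshold from the write-up
    [int]$WarningSeconds = 300,   # hypothetical name; 5-minute user warning
    [switch]$SkipIfUserActive     # defer the reboot when someone is working
)

# Get-CimInstance returns LastBootUpTime as a [datetime].
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
Write-Output ("Last boot {0:s}, uptime {1:N1} days" -f $os.LastBootUpTime, $uptime.TotalDays)

if ($uptime.TotalDays -lt $MaxUptimeDays) {
    Write-Output "Uptime below $MaxUptimeDays days, nothing to do."
    exit 0
}

# Enumerate sessions with quser so the RMM log records who was on before the reboot.
# quser returns a non-zero exit code when no one is logged on.
# Assumption: English quser output (the STATE column reads "Active" or "Disc").
$sessions = @()
$raw = & quser.exe 2>$null
if ($LASTEXITCODE -eq 0 -and $raw) {
    foreach ($line in ($raw | Select-Object -Skip 1)) {
        $sessions += [pscustomobject]@{
            User   = ($line.TrimStart(' ', '>') -split '\s+')[0]
            Active = [bool]($line -match '\sActive\s')
        }
    }
}
foreach ($s in $sessions) {
    Write-Output ("Session: {0} (active: {1})" -f $s.User, $s.Active)
}

$activeUsers = @($sessions | Where-Object { $_.Active })
if ($SkipIfUserActive -and $activeUsers.Count -gt 0) {
    Write-Output "Active session present, deferring reboot to the next run."
    exit 0
}

# /r restart, /t delay in seconds (a non-zero delay implies /f), /c message shown to the user.
$msg = "This PC has been up {0:N0} days. It will restart in {1} minutes to finish installing updates. Save your work." -f $uptime.TotalDays, [math]::Round($WarningSeconds / 60)
& shutdown.exe /r /t $WarningSeconds /c $msg
exit $LASTEXITCODE
```

A pending restart started this way can be cancelled during the warning period with shutdown.exe /a.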

Outcome
avg uptime: 34 days → 4 days
compliance: 0% → 100%
audit result: failed → passed

Deployed with 7-day threshold. Within one week, every machine had rebooted at least once. Patches that had been "pending reboot" for months finally installed. Re-ran compliance scan: 100% compliant.

"Shut Down" doesn't mean reboot - Fast Startup hibernates
WU deadlines only work if machines are awake during the maintenance window
RMM-based enforcement catches what Windows Update misses
Uptime is a proxy for patch compliance - high uptime = low install rate