Cancel Restart Client Computers commands

Article ID: 172816

Products

Endpoint Protection

Issue/Introduction

An administrator issues the Restart Client Computers command one or more times on one or more client groups. You wish to cancel or recall the command(s).

Cause

There is no option to cancel or recall Restart Client Computers commands from the Symantec Endpoint Protection Manager (SEPM) console. Clients download all commands for their client group and store them locally, and then execute the commands in the sequence they were issued. Moving clients to a new client group without these commands will not remove the queued commands from the client's local settings.

Resolution

Note: Following these steps will remove all commands from the SEPM. If you currently have any outstanding commands you wish clients to execute, you will need to reissue these commands.

Remove commands from Symantec Endpoint Protection clients

The following steps add a Host Integrity (HI) policy to the affected group(s). The policy will remove the scheduled restarts from the affected SEP clients' registries. In order for the policy to take effect, you must temporarily disable Tamper Protection on the affected client group(s).

  1. Download the Host Integrity policy attached to this document (Remove SEP reboot commands from clients v1.dat)
  2. Log in to the SEPM console
  3. Click Clients and locate the affected client groups
  4. For each affected group:
    Note: If the affected groups inherit policies from another group, you must first disable policy inheritance
    1. Click Policies > General > Tamper Protection, uncheck Protect Symantec security software from being tampered with or shut down, and click OK
  5. Click Policies > Host Integrity > Import a Host Integrity Policy
  6. Browse for the downloaded host integrity policy (Remove SEP reboot commands from clients v1.dat) and click Import
  7. Click Assign the policy, check all of the affected groups, and click Assign
  8. Click Yes to confirm the assignment

Remove commands from the SEPM

The following steps purge all commands from the database of each affected SEPM site, and delete the command files from the file system of each affected SEPM.

  1. For each SEPM site:
    1. Execute the following SQL command on the SEPM database:
      UPDATE BASIC_METADATA SET DELETED = 0, USN = (SELECT SEQ_NUM FROM SE_GLOBAL) WHERE TYPE = 'Command'
  2. For each SEPM server:
    1. Delete all files in the SEPM command folder. The default path is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\command

Confirm successful deletion of commands on clients

After completing the above steps, confirm the SEP clients properly applied the HI policy and deleted all Restart Client Computers commands.

  1. The SEP client UI on remediated clients will no longer show a restart required message
  2. The Windows registry on remediated clients will no longer have the following registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\RebootMgr"
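
To run the registry check from item 2 against several clients at once, the PowerShell below is an added example, not part of the original article or of Symantec's tooling. It assumes PowerShell remoting (WinRM) is enabled on the clients and uses constructed computer names; it looks in both the 64-bit and 32-bit registry views because the article does not say which view holds the key.

```powershell
# Added example: report whether the RebootMgr key named in this article still exists.
# Assumptions: WinRM remoting is enabled on clients; computer names are constructed.
$SubKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\RebootMgr'

$Check = {
    param($SubKey)
    # Check both registry views so a redirected (WOW6432Node) copy is not missed.
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32
    $found = foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubKey)   # $null when the key is absent
            if ($key) { "$view"; $key.Dispose() }
        } finally { $base.Dispose() }
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        KeyPresent = [bool]$found          # $true means restart commands are still queued
        Detail     = ($found -join ',')
    }
}

function Get-SepRebootQueueStatus {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $Check $SubKey
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $Check `
                    -ArgumentList $SubKey -ErrorAction Stop |
                    Select-Object Computer, KeyPresent, Detail
            }
        } catch {
            # Unreachable clients are reported, never silently counted as remediated.
            [pscustomobject]@{ Computer = $name; KeyPresent = $null
                               Detail = "unreachable: $($_.Exception.Message)" }
        }
    }
}

# Constructed sample list; replace with the clients in the affected groups.
Get-SepRebootQueueStatus -ComputerName 'CLIENT-01', 'CLIENT-02' | Format-Table -AutoSize
```

A client is remediated when KeyPresent is False; a blank KeyPresent means the client could not be queried and still needs checking.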

Clean up

Return the affected client groups to their default configurations, specifically:

  1. Re-enable Tamper Protection
  2. Withdraw the Remove SEP reboot commands from clients v1 HI policy

 

Attachments

Remove SEP reboot commands from clients v1.dat