Should MSPs Enforce a Mandatory Rebooting Policy?

A reboot in the middle of my presentation? Good job, IT team, perfect timing, as always.

As an MSP, you’ve dealt customer push back on a mandatory rebooting policy.

It disrupts their day and when done without the right processes, can hurt the business.

But, without an automated patch management solution that does not require rebooting, you’ll need to do mandatory reboots at a convenient time for your customer.

In this article, you’ll see:

• How to overcome common objections
• A reminder on how rebooting helps patching
• Rebooting best practices

What frustrates customers about mandatory rebooting?

Picture this. You’re an accountant. It’s the end of the month, with open tabs, countless spreadsheets, and an unsaved presentation.

Everything disappears – tabs gone – as the computer reboots for updates.

No warning, no time to hit “Save”. You count the lost hours as you curse whoever is responsible for ruining your day.

It’s understandably frustrating. Of course, customers are wary of mandatory rebooting policies.

From “no-way” to “okay” on mandatory rebooting

First, let’s focus on the “no-way” to manual rebooting perspective.

Rebooting all devices disrupts the workflow and affects productivity.

Your customers rather focus on getting their job done.

By understanding their common objections, you can counter them with strong arguments and win (almost) every time.

Workflow disruption

A mandatory reboot of all devices will interrupt ongoing work. In a company that runs across different time zones, force rebooting will affect at least one team’s workflow.

Antidote: use automation for most patches and updates. Schedule the ones that can’t roll without rebooting. Gather intelligence about different teams’ workflows. Use a patching tool that allows you to create groups. That way you can choose the best maintenance time for everybody. Be predictable and flexible. Give users visible warning messages. Create an opportunity to postpone rebooting for a limited amount of time.

Data Loss

If employees have unsaved work, like an open spreadsheet, force rebooting will lead to losing important data.

Regular saving and backups are important, but you can’t only rely on them. Potentially losing the results of a week’s work is something no one wants to experience.

Antidote: Once again, the schedule, warn, be flexible model saves the day. Totally doable, in any work environment.

Impact on critical services

In some organizations, certain systems and devices run critical services. In a hospital’s IT infrastructure, for example, there are devices that you simply can’t put on hold.

Servers, devices running simulations, and long-term data analyses need continuous uptime. Approving a forced rebooting operation would affect critical data availability, to say the least.

Antidote: One side of the solution is using a patch and asset management tools that enable creating groups. That means you can reboot at least most of your devices.   For the critical ones that you can’t do without, there’s redundancy. Yes, budgets are always tight. Buying and building a backup system means money. But so does a ransomware attack or an unexpected crash due to not applying updates in time.

Both are risks that the customer should be aware of when opposing a mandatory rebooting policy and a redundancy approach.

For the record, recent reports show ransomware payments went over $1.1 billion in 2023. Exploiting unpatched known vulnerabilities to gain initial access is one of the hacker’s favorite attack vectors.

Employee autonomy

Employees value autonomy and flexibility. They need to decide their own schedule and working pace. Those who engage in active sessions with business partners, the media or customers, will particularly hate not being able to control their working devices.

They see your mandatory rebooting policy as intrusive and hate you for that.

Antidote: Be as flexible as possible. Set the rebooting window as generously as you can. Make it clear to everyone that postponing patches forever is not an option. Unless they are ready to face the consequences of a cyberattack that can mean:

• Being known as those guys who lost everybody’s data because they failed to apply basic security measures.
• Business partners receive phishing emails that track back to your company’s domain.
• Getting locked outside your device, with no access to critical working docs, because hackers got in and encrypted it all.

Quick reminder on how rebooting helps patching

Some patches and updates the vendors release require restarting the device after deployment. Until then, the patch management process is not complete, and patches can’t do their job:

• close a known vulnerability
• provide a new feature
• offer increased performance for the 3rd party software or operating system

Force rebooting ensures all endpoints are patched and updated on time.

Sure, you know all that, but your business partner might not. So, make sure you highlight for them what the main advantages of rebooting are:

Better security posture

Hackers exploit known vulnerabilities to gain initial access and breach systems. Lots of these vulnerabilities are years old.

Not restarting a device for months or even years sabotages the patching process. Regardless of the efforts of the security team or the System Admin, some endpoints will remain unpatched. Threat actors will be able to use them as an open gate into the network.

Reboot to complete the installation process and close security gaps.

Increased system performance

Regular reboots keep the system stable and help it work better by:

• clearing RAM
• ending stuck processes
• applying system improvements

Helps meet compliance goals

All industries and most countries have specific security standards. Ensuring prompt application of critical updates helps avoid potential fines.

Best patch management software helps avoid or reduce the need of rebooting to apply certain patches.

Heimdal’s patch and asset management tool performs two types of updates and patches:

• for 3rd Party software
• for Operating Systems

The 3rd Party patches don’t require rebooting the machine. That’s because we configure them in the patching system not to. For the Operating System Updates patches, Heimdal only reboots if the updates require it.

Victor Negru, B2B Support Engineer

Mandatory rebooting best practices

Most disadvantages of a mandatory rebooting policy point towards bad timing and lack of predictability.

Get through this short checklist of mandatory rebooting best practices. It will help keep computers safe, users and customers happy:

Communicate

Inform all users about the policy, its importance, and how you plan to implement it. Always warn users before a reboot occurs.

Give clear instructions and support to users who might experience issues due to the reboot.

Schedule

Plan reboots and maintenance during off-peak hours or times when system usage is at its lowest. Depending on the business profile and internal culture, the best moments might be:

• late in the evening, 22.00 pm, for example.
• during weekends
• right before the day starts. Give people a valid reason to grab a cup of coffee and chat in the lounge before they dive into daily tasks. Who would say no to that?

Be flexible

As often as possible, give users the chance to start the reboot themselves. Heimdal’s patch and asset management tool enables you to give users plenty of chances to reboot before you do it for them.

Set a window of time in which they can choose when exactly the reboot happens. This will prevent data loss, and activity and meeting disruptions.

Depending on the urgency of the patch or update, the window’s length may vary from 2 hours to 10 days. Security specialists recommend you apply the reboot as soon as possible.

Prevent data loss

Implement auto-save features or set visible, redundant warning messages that remind users to save their work before the reboot. This way you’ll prevent data loss.

Monitor compliance and exceptions

Track which devices have been successfully rebooted. Allow for exceptions where necessary, such as for critical infrastructure that requires more careful handling. Limit exceptions as much as possible.

Advocate the need for redundant devices, that could work as a backup for critical infrastructure. Patching keeps infrastructure working. Exactly because it is critical you can’t afford to leave it unpatched and exposed to hackers.

Review and adjust

Regularly review the policy’s impact. Ask for user feedback and make the necessary adjustments. This way you ensure the policy is effective and minimally invasive.

Conclusion

Implementing patches and updates is critical for maintaining the system safe and functional. Failing to completely apply a security patch can lead to:

– huge costs due to recovering the system, workflow disruption, and compensations that customers, employees, or impacted business partners might request in court

– data loss

– a bad reputation for the brand

When requesting a CEOs support to implement a mandatory reboot strategy, these are the main arguments you should use. Use this MSP client onboarding process checklist to make sure you set needs and expectations right when onboarding a new customer.

A patch management tool that minimizes the need for rebooting is also one of your strongest allies.

Also, keep in mind that you should always stay flexible and communication oriented.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Newsletter

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.