NOTE Second workaround added 1/23/2013. See Alternate Workaround section at the end of this article.
Consider the following scenario:
- You set System Center 2012 Configuration Manager (ConfigMgr) Client Agent\Computer Agent\Show notifications for new deployments to "False".
- You create a Software Updates Deployment in ConfigMgr.
- The Software Updates Deployment contains software updates that require a machine restart in order to complete installation.
- You configure the User Experience\User Notifications configuration setting for the deployment to "Hide in Software Center and all notifications".
- You configure the User Experience\Device Restart behavior configuration setting to “Suppress the system restart for both Servers and Workstations”.
Expected behavior:
No user notifications are displayed before, during, or after the software updates installation processes run..
Actual behavior:
Machine restart notifications are displayed on the ConfigMgr client machine after the post-install software updates scan completes. The notifications are displayed on all supported client operating system versions.
First visible indication:
A yellow "Restart Required" balloon notification is displayed.
If you click within the boundary of this yellow balloon notification, a Software Center "Restart your computer" notification is displayed. If you do not click within the boundary of the yellow notification box, the Software Center notification is not created and the yellow balloon notification fades away after approximately 5 seconds.
If you make no selections in the Software Center notification, it remains onscreen indefinitely. If you click Cancel or if you click Snooze and then click “OK”, the Software Center notification closes and a green icon is displayed to the far left of the visible notification area. If you mouse over the icon, a small “restart required” dialogue opens up.
To date, only one method has been identified that will disable all visible machine restart notifications.
This method uses a combination of domain GPO Adm template settings and Local Policy Adm template settings with Windows 7 and Windows 2008 R2. The specific Local Policy configuration settings are new with Windows 7 and Windows 2008 R2. Thus these are the only client operating systems with which it is possible to achieve complete and total suppression of the restart notifications. These policies are:
NOTE Best practice discourages unnecessary editing of the Default Domain Policy.
Domain Policy User Configuration Policies Admin templates Start Menu and Taskbar Set "Turn off all Balloon Notifications" to "Enabled"
Local policy on Win 7 (New setting for Windows 7):
Local Policy User Configuration Policies Admin templates Start Menu and Taskbar Set "Turn off automatic promotion of notifications to the taskbar" to Enabled.
References:
Agent Configuration
Deployment User Experience configuration
Yellow Balloon Notification
Software Center notification
Green notification area icon
Alternate Workaround
An additional workaround has been identified. This new workaround uses a single Windows Software Restriction GPO configuration setting to prevent SCNotification.exe from running and generating pop-up notifications. Note that this workaround will disable ALL ConfigMgr 2012 pop-up notifications. The Software Restriction GPO is available in Local Security Policy configuration settings and in Domain Policy configuration settings. These settings are common to Windows XP, Windows 7, Windows 8, Windows 2003, and Windows 2008.
To implement this workaround with a Local Security Policy:
Click Start, then Run.
Type secpol.msc, then click OK.
Navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\
Right-Click “Software Restriction Policies”; select “New Software Restriction Policies” from the pop-up menu.
Right-Click “Additional Rules”; select “ New Path Rule” from the pop-up menu.
Select “Browse” and browse to SCnotification.exe on the local machine or manually enter the path to ScNotification.exe.
Select “Disallowed”.
Click “OK” .
Right-Click “Additional Rules”; select “ New Hash Rule” from the pop-up menu.
Browse to and select SCnotification.exe on the local machine; hash values will be detected and added to the new rule.
Click “OK”.
Close Local Security Policy Editor. It should look something like this:
To implement this workaround with a Domain Security Policy:
Open Group Policy Management Editor.
Select the Policy that you want to use to enable the Software Restriction Policies or create a new GPO.
Right-click the policy; select "edit" from the pop-up menu.
Navigate to policyname\\Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\
Close Group Policy Management Editor. It should look something like this:
Thanks to Premier Field Engineer Volkan Coskun for identifying this alternate workaround.
Terry McKinney | Premier Field Engineer
Get the latest System Center news on Facebook and Twitter:
App-V Team blog: http://blogs.technet.com/appv/ ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ DPM Team blog: http://blogs.technet.com/dpm/ MED-V Team blog: http://blogs.technet.com/medv/ Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ Operations Manager Team blog: http://blogs.technet.com/momteam/ SCVMM Team blog: http://blogs.technet.com/scvmm Server App-V Team blog: http://blogs.technet.com/b/serverappv Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials WSUS Support Team blog: http://blogs.technet.com/sus/
The Forefront Server Protection blog: http://blogs.technet.com/b/fss/ The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity- support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Thanks for posting this, I've been running into this exact problem. Will there be a fix for it in SCCM 2012 SP1?
Yes, a fix would be nice. Rather not have to hack GPOs to solve this.
After considerable review we will not be able to take a product change to SP1 to alter the current notification behavior. We are committed to revisit this in the planning stages for our next release.