Skip to content
Contact us Customer portal Sign in
  • There are no suggestions because the search field is empty.

Safetica Client update issues

Learn how the Safetica Client update process works on devices with Windows, and how to resolve issues that may occur during or after an update.

 

Applies to: Devices with Windows (on-prem and cloud) – because a restart is required on Windows to complete the update.

On macOS, Safetica Client is updated without a restart.

 

Before you start investigating the issue

  • Make sure you set up the correct exceptions for your antivirus software. Learn more here.
  • If you are using the CrowdStrike antivirus, switch the mode of the Extended User Mode Data Visibility feature to Moderate. Learn more here.

 

 

How the update process works

After you initiate an update from the Safetica console (learn more here), the following steps occur on the device:

  1. The update installer is downloaded to the device.
  2. When the user shuts down or restarts the computer, a Windows shutdown script runs after sign-out and performs the update.
  3. After the restart, the new version of Safetica Client starts automatically.

 

Fallback

Safetica includes the following fallback:

1st restart

If the shutdown script does not run after a first restart, the device enters Waiting for restart state.

2nd restart + auto install

If the shutdown script does not run after a second restart, the update is installed immediately on startup.

3rd restart

After the update is installed, Safetica triggers an automatic restart with a 5-minute timeout and user notification.

This fallback only happens when the shutdown script does not run at all. If the update itself fails during 2nd attempt at installation, the device enters a Failed state and the update must be re-initiated manually from the Safetica console.

 

 

Troubleshooting

Issue 1: Shutdown scripts are not executing

If shutdown scripts consistently fail to launch, the root cause is typically in the Windows or domain configuration. Check the following:

  • Group Policy override: A domain Group Policy may be overriding or disabling local shutdown scripts. Verify that your GPO allows shutdown scripts on the affected devices.
  • Shutdown scripts disabled: Scripts may be turned off at the device or domain level. Ensure script execution is enabled.
  • Restart scripts without kernel reboot: Some third-party reboot scripts may not trigger a true kernel reboot, so the system doesn’t register a real restart and the shutdown script never runs.
  • Legacy GPO deployment scripts still active: If Safetica was originally deployed via a GPO deployment script, that script may still be running on devices long after the initial deployment. This can interfere with Safetica Client updates. Verify that any GPO deployment scripts created for the initial Safetica deployment have been disabled or removed. Learn more about batch installation of Safetica using GPO here.

 

Issue 2: Update fails due to shutdown timeout

The update runs during the shutdown sequence and may take 5+ minutes. If the system enforces a short shutdown script timeout, the update can be interrupted, potentially leaving the Safetica Client in a broken state.

How to identify a shutdown timeout

Check the Group Policy Operational log in Event Viewer:

Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational

Look for Event ID 5018 entries related to shutdown scripts. If all scripts complete in a suspiciously uniform short time (e.g., exactly 30 or 60 seconds), a forced timeout is killing them.

Resolution

  1. Increase the GPO shutdown script timeout: Open the Group Policy Editor and go to Computer Configuration > Administrative Templates > System > Scripts. Set the maximum wait time to at least 300 seconds (5 minutes).
  2. Check for other tools enforcing timeouts: SCCM and similar endpoint management tools can independently set shutdown script timeouts. The default Windows timeout for GPO scripts is 10 minutes. If your environment uses a shorter value, something (e.g., Script Execution Timeout in SCCM) might have overridden it.

✍️To quickly confirm whether a timeout is the root cause, set the value on a single test machine using the Local Group Policy Editor and attempt the update. If it succeeds, the timeout is confirmed.

✍️The registry value WaitToKillServiceTimeout (HKLM\SYSTEM\CurrentControlSet\Control) controls how long Windows waits for services to stop. It does NOT control the shutdown script timeout. Changing it will not resolve this issue.

 

Issue 3: Device appears to be in a restart loop

If a device seems to restart repeatedly after an update is initiated, review the following:

  1. Check the logs: Verify actual restarts by reviewing timestamps and process IDs. Same process ID = same boot cycle.
  2. Count the restarts: Typically: 2 manual restarts (by user) + 1 automatic restart (by Safetica) are expected. See Fallback.
  3. Verify the timeline: 20+ minute gaps between restarts are normal and do not indicate a loop.

 ❗If the device really is in a restart loop, deactivate the Safetica Client from the Safetica console to stop the cycle, then collect logs for investigation.

 

Issue 4: Device shows "Failed" status

If the update ran but encountered an error, the device shows the Failed status. To resolve it:

  1. Go to Devices > Overview tab in the Safetica console.
  2. Find the device with the Failed status.
  3. Re-initiate the update manually. Learn more here.

 

Issue 5: Device stays in "Waiting for reboot" status

The user may not have restarted their computer yet. Ask them to restart. If the status persists after multiple restarts, shutdown scripts are likely not executing. See the Issue 1 above.

 

 

Workaround

If shutdown script timeout issues cannot be resolved, try using this workaround to reduce the risk of a timeout:

  • Deactivate the Safetica Client on the affected device from the Safetica console. Learn more here.
  • Initiate the update from the Safetica console. Learn more here.
  • Activate the Safetica Client again after the update completes. Learn more here.

Deactivating the Safetica client before the update shortens the overall update duration, so that it is less likely to be interrupted by a timeout.

 

 

How to collect logs

If you cannot resolve the issue yourself and need to contact Safetica Support, collect the following logs from the affected device:

Log type

Location/Details

Safetica Client logs

Run troubleshooting in Safetica console, reproduce the issue, and collect logs. Learn more here.

MSI installer logs

C:\ProgramData\Safetica Client Service\Agent\InstallLogs

System logs

Event Viewer > Windows Logs > System

Application logs

Event Viewer > Windows Logs > Application

Group policy logs

Event Viewer > Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational