Windows Update: Rogue Reboot



  • Windows Server 2012 R2 6.3.9600

    The process C:\Windows\system32\svchost.exe (Server1) has initiated the restart of computer Server1 
    on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
     Reason Code: 0x80020002
     Shutdown Type: restart
     Comment: 
    

    So this happened at 9:23 EDT today.. we didn't okay it,.. and of course the client is a tad miffed. We got notification that it occurred...

    should this have happened? Could this have been prevented? Updates were run on it this past weekend,.. and rebooted.



  • Are some updates so 'critical' that Microsoft dictates automatic restart?



  • Looking at the application log

    Successfully scheduled Software Protection service for re-start at 2115-07-07T13:14:44Z. 
    Reason: RulesEngine.
    


  • @g.jacobse said:

    Are some updates so 'critical' that Microsoft dictates automatic restart?

    Depends on what Settings you push out via Group policy to prevent it. If you do nothing yes they can restart on their own.
    Also if it's a terminal/remote desktop server you need to completely lock out non-domain admins from accessing windows updates.



  • Was anyone logged in through RDP or anything?

    Windows Server 2012 will do the automatic "You have 15 minutes until this thing restarts, you have no choice" thing just like it's Windows 8, but only if someone is actively logged into the server interface (AKA disconnected RDP sessions don't count).

    I know there was an out of band patch not too long ago, I don't know if you applied it and rebooted it with your maintenance last weekend but the combination of an important patch wanting to restart stuff + someone stepping away from an open RDP connection would cause something like this.



  • We had the notification that a reboot was needed post updates last weekend. AFAIK - no one was logged in. It's in New York and the local staff would not have had access to it.



  • We had this happen to us and our primary SQL server last week (I think I mentioned here) same results unexpected reboot at basically the same time of day as you (right around 9:30AM).

    I really need to deploy GPO settings to prevent or arrange automatic updates.



  • We push a server policy that forces the updates to download from WSUS but as Automatically Download but, let me chose when to install. If you don't choose when to install manually you'll end up with this stuff. I also have a GP to block non-domain admins from installing on all servers.



  • Just happened to find this from last night.

    Windows update Update for Windows (KB3055343) requires a computer restart to complete the installation.
    (Command line: "C:\Windows\system32\wusa.exe "C:\Program Files (x86)\DesktopCentral_Agent\\patches\101697-Windows8.1-KB3055343-v2-x64.msu" /quiet /norestart")
    


  • This is something that has been running through my brain all day...

    And it just so happens that this update was released from MS on July 20.

    We ran updates on the server on Sunday. and rebooted it then.

    Why was it not installed then????



  • @g.jacobse said:

    This is something that has been running through my brain all day...

    And it just so happens that this update was released from MS on July 20.

    We ran updates on the server on Sunday. and rebooted it then.

    Why was it not installed then????

    But was it download at that point? and if you have WSUS was it approved at that point.

    Also often times you need to install updates three or four times after reboots, some have prerequisites and some can't be installed with others.



  • @thecreativeone91 said:

    @g.jacobse said:

    This is something that has been running through my brain all day...

    And it just so happens that this update was released from MS on July 20.

    We ran updates on the server on Sunday. and rebooted it then.

    Why was it not installed then????

    But was it download at that point? and if you have WSUS was it approved at that point.

    Also often times you need to install updates three or four times after reboots, some have prerequisites and some can't be installed with others.

    Also, did the update have a dependency that was not there until after the Sunday reboot. Thus causing it to now be a needed update?



  • Seems like this has come around again....

    Server is receiving updates when the GPO is set to disable it.



  • Hey @scottalanmiller here is an example of a random reboot! 🙂



  • I have users on a nearly monthly occasion complain that they they tell the system to remind in 10 mins or 4 hours, and yet the machine will just randomly reboot while they are working.



  • ive had similar issues

    Tried WSUS server through Group Policy. Never got it to work properly. gave it the finger.

    Turned windows updates off through GPO policy settings and to not bother user. Machines still at random will reboot without notice due to updates. Or updates will still get installed.

    Am I that incompetent?





  • @Dashrender said:

    I have users on a nearly monthly occasion complain that they they tell the system to remind in 10 mins or 4 hours, and yet the machine will just randomly reboot while they are working.

    Are you using any sort of RMM product?



  • @BRRABill said:

    @Dashrender said:

    I have users on a nearly monthly occasion complain that they they tell the system to remind in 10 mins or 4 hours, and yet the machine will just randomly reboot while they are working.

    Are you using any sort of RMM product?

    ManageEngine I believe might be on it,.. but updates are pushed manually.



  • @gjacobse said:

    ManageEngine I believe might be on it,.. but updates are pushed manually.

    I asked because we use N-Able and they used to have an issue where the popup would show up, but it basically did nothing.

    Their code rewrote all the update stuff.



  • Is there a reason this reboot is referred to as "red", or was that supposed to be rogue?



  • When you reboot, your users see red?



  • @scottalanmiller
    Sometimes it's not just the users that see red SysAdmins do too...



  • @ntoxicator Are you sure the GPO is being applied?



  • Edited rouge to rogue. Makes a bit more sense now.



  • Any further progress on tracking this down?



  • @scottalanmiller

    Not entirely.

    Both @art_of_shred and I have looked at it. It would appear though that updates were set to trigger.. and not to disable. So while another setting showed as being disabled, it would still trigger.



  • What's the latest? Should we be looking into this more?



  • @scottalanmiller said in Windows Update: Rogue Reboot:

    What's the latest? Should we be looking into this more?

    No longer an issue,



  • Well then, another one bites the dust.


Log in to reply