locked
Very unexpected server restart after automatic updated RRS feed

  • Question

  • We have a Windows 2012 RS server running Hyper-V that last week at 02:07am decided to install lots of Windows Updates then restart! As a result the non-highly available Virtual Machines went offline so not a great situation to be in when your hosting 24x7 services.

    Looking in the WindowsUpdate.Log I can see lots of activity at the time.

    2015-08-19      02:01:54:030       1612       1688       Agent      * WSUS status server: http://mercury:8530

    2015-08-19      02:01:54:030       1612       1688       Agent      * Target group: (Unassigned Computers)

       2015-08-19          02:01:54:030       1612       1688       Agent      * Windows Update access disabled: No

    2015-08-19      02:01:54:061       1612       1688       AU          ###########  AU: Initializing Automatic Updates  ###########

    2015-08-19      02:01:54:061       1612       1688       AU          AIR Mode is disabled

    2015-08-19      02:01:54:061       1612       1688       AU            # Policy Driven Provider: http://mercury:8530

    2015-08-19      02:01:54:061       1612       1688       AU            # Detection frequency: 22

    2015-08-19      02:01:54:061       1612       1688       AU            # Approval type: Scheduled (User preference)

    2015-08-19      02:01:54:061       1612       1688       AU            # Auto-install minor updates: No (Policy)

       2015-08-19          02:01:54:061       1612       1688       AU            # Auto update required (cannot be disabled)

     

    2015-08-19      02:01:54:280       1612       d0c         AU          Update {9B29D104-997F-475E-99B1-854C30CB4E88}.201 was auto-approved for forced install

     

    Lots of progress then …

    2015-08-19   02:05:30:547       1612       d78         Agent    **  END  **  Agent: Installing updates [CallerId = AutomaticUpdates]

    2015-08-19   02:05:30:547       1612       c90         AU            # WARNING: Install call completed, reboot required = Yes, error = 0x00000000

    2015-08-19   02:05:30:547       1612       d78         Agent    *************

    2015-08-19   02:05:30:547       1612       c90         AU          #########

    2015-08-19   02:05:30:547       1612       c90         AU          ##  END  ##  AU: Installing updates [CallId = {D49E3A19-EAF6-4FCD-A2D1-0CAC957AC5E6}]

    2015-08-19   02:05:30:547       1612       c90         AU          #############

    2015-08-19      02:05:30:547       1612       1688       AU          Install complete for all calls, reboot  needed

     

    2015-08-19   02:15:30:559       1612       1688       AU          Client has determined it is safe to reboot without warning. Rebooting now...

    2015-08-19   02:15:30:559       1612       1688       AU          AU invoking RebootSystem (OnRebootNow)

    2015-08-19      02:15:30:559       1612       1688       AU          Allowing auto firmware installs at next shutdown

     

    We control WSUS behaviour via Group Policy so I was surprised why this particular server restarted, It’s in the same OU as other servers that did not restart!

    Running Group Policy Modelling I can see that the standard (expected) group policies are in place. In addition on the server that restarted I can see no Group Policy event failures so as far as I’m aware the group policy had been applied, in addition there’s no local security polices applied that would have taken precedence over AD GP’s

    The AD functional level is Windows 2008 R2 but we have the relevant ADMX files in place for 2012 R2 Group Policy.

    Currently we are set to Automatic Update Option 5 0 “Allow the Local administrator to choose” and “No auto-restart with logged on users for scheduled automatic updates installations”

    I’ve been reading lots about the new Windows 2012 “Automatic Maintenance” this is set on all servers to run daily at 2am, although the time is close to my event I would expect the remainder of my server estate to have also started updating and rebooting if this was the process that caused the event. 

    I’ve spent some time trying to establish the root cause so I can ensure it doesn’t happen again, so far I can see the cause but no means to prevent future occurrences and I’m concerned it could affect further servers.

    Any advice welcomed.... Thanks

     

    Monday, August 24, 2015 1:45 PM

All replies

  • Are there any traces in Event logs?

    Look for server updates (like this one https://support.microsoft.com/en-us/kb/2885694 )

    Regards

    Milos

    Monday, August 24, 2015 2:57 PM
  • Thanks for the swift reply, indeed that looked promising however as stated we are running Windows Server 2012 R2 and the article and hotfix is only applicable to Windows Server 2012.

    I'm pretty sure we have the suggested hotfix / roll-ups on this server too.

    Monday, August 24, 2015 3:15 PM
  • can you run rsop.msc on the hyper-v host and see what the settings state?

    have you checked the systems logs to ensure no one accidentally triggered the update installations manually?

    look for the events preceding the reboot.

    Monday, August 24, 2015 7:23 PM
  • Indeed as stated I've spent some time trying to diagnose this, my first port of call was a fully review of the event log:

    USER32:

    The process C:\Windows\system32\svchost.exe has initiated the restart of computer -- on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
     Reason Code: 0x80020002
     Shutdown Type: restart

    ____

    Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes:
    - Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB3032663)
    - Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 (KB3078071)
    - Update for Windows Server 2012 R2 (KB3059316)
    - Update for Windows Server 2012 R2 (KB3013791)
    - Update for Windows Server 2012 R2 (KB3034348)
    - Update Rollup 7 for Microsoft System Center 2012 R2 - Operations Manager Agent (KB3064919)
    - Update for Windows Server 2012 R2 (KB3075853)
    - Security Update for Windows Server 2012 R2 (KB3076895)
    - Update for Windows Server 2012 R2 (KB3041857)
    - Update for Windows Server 2012 R2 (KB3071663)
    - Update for Windows Server 2012 R2 (KB3060793)
    - Update for Windows Server 2012 R2 (KB3055343)
    - Update for Windows Server 2012 R2 (KB3055323)
    - Update for Windows Server 2012 R2 (KB3018467)
    - Security Update for Windows Server 2012 R2 (KB3055642)
    - Update for Windows Server 2012 R2 (KB3061468)
    - Update for Windows Server 2012 R2 (KB3063843)
    - Update for Windows Server 2012 R2 (KB3068708)
    - Security Update for Windows Server 2012 R2 (KB3046339)
    - Security Update for Windows Server 2012 R2 (KB3067505)
    - Security Update for Windows Server 2012 R2 (KB3068457)
    - Update for Windows Server 2012 R2 (KB3054464)
    - Update for Windows Server 2012 R2 (KB3054203)
    - Security Update for Windows Server 2012 R2 (KB3078601)
    - Update for Windows Server 2012 R2 (KB3065013)
    - Security Update for Windows Server 2012 R2 (KB3075220)
    - Update for Windows Server 2012 R2 (KB3045634)
    - Update for Windows Server 2012 R2 (KB3058168)
    - Security Update for Windows Server 2012 R2 (KB3061512)
    - Update for Windows Server 2012 R2 (KB3054256)
    - Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2 x64-based Systems (KB3023222)
    - Security Update for Windows Server 2012 R2 (KB3072630)
    - Security Update for Windows Server 2012 R2 (KB3072633)
    - Security Update for Windows Server 2012 R2 (KB3069392)
    - Update for Windows Server 2012 R2 (KB3049989)
    - Update for Windows Server 2012 R2 (KB3045746)
    - Update for Windows Server 2012 R2 (KB3029438)
    - Security Update for Windows Server 2012 R2 (KB3046359)
    - Security Update for Windows Server 2012 R2 (KB3004365)
    - Security Update for Windows Server 2012 R2 (KB3060716)
    - Security Update for Windows Server 2012 R2 (KB3061518)
    - Windows Malicious Software Removal Tool for Windows 8, 8.1, 10 and Windows Server 2012, 2012 R2 x64 Edition - August 2015 (KB890830)
    - Security Update for Microsoft Silverlight (KB3080333)
    - Update for Windows Server 2012 R2 (KB3060383)
    - Update for Windows Server 2012 R2 (KB3029603)
    - Update for Windows Server 2012 R2 (KB3060681)
    - Security Update for Windows Server 2012 R2 (KB3071756)
    - Security Update for Windows Server 2012 R2 (KB3046017)
    - Security Update for Windows Server 2012 R2 (KB3059317)
    - Update for Windows Server 2012 R2 (KB3037313)

    Wednesday, August 26, 2015 10:31 AM
  • can you run rsop.msc on the hyper-v host and see what the settings state?

    have you checked the systems logs to ensure no one accidentally triggered the update installations manually?

    look for the events preceding the reboot.

    Sure, I've reviewed the group policy modelling and I can see that the expected GPO for updates is being applied, the same that applies to a 100 odd other servers and this is the only server that restarted.

    Wednesday, August 26, 2015 10:34 AM