We have a Windows 2012 RS server running Hyper-V that last week at 02:07am decided to install lots of Windows Updates then restart! As a result the non-highly available Virtual Machines went offline so not a great situation to be in when your hosting 24x7 services.
Looking in the WindowsUpdate.Log I can see lots of activity at the time.
2015-08-19 02:01:54:030 1612 1688 Agent * WSUS status server: http://mercury:8530 2015-08-19 02:01:54:030 1612 1688 Agent * Target group: (Unassigned Computers) 2015-08-19 02:01:54:030 1612 1688 Agent * Windows Update access disabled: No 2015-08-19 02:01:54:061 1612 1688 AU ########### AU: Initializing Automatic Updates ########### 2015-08-19 02:01:54:061 1612 1688 AU AIR Mode is disabled 2015-08-19 02:01:54:061 1612 1688 AU # Policy Driven Provider: http://mercury:8530 2015-08-19 02:01:54:061 1612 1688 AU # Detection frequency: 22 2015-08-19 02:01:54:061 1612 1688 AU # Approval type: Scheduled (User preference) 2015-08-19 02:01:54:061 1612 1688 AU # Auto-install minor updates: No (Policy) 2015-08-19 02:01:54:061 1612 1688 AU # Auto update required (cannot be disabled)
2015-08-19 02:01:54:280 1612 d0c AU Update {9B29D104-997F-475E-99B1-854C30CB4E88}.201 was auto-approved for forced install
Lots of progress then … 2015-08-19 02:05:30:547 1612 d78 Agent ** END ** Agent: Installing updates [CallerId = AutomaticUpdates] 2015-08-19 02:05:30:547 1612 c90 AU # WARNING: Install call completed, reboot required = Yes, error = 0x00000000 2015-08-19 02:05:30:547 1612 d78 Agent ************* 2015-08-19 02:05:30:547 1612 c90 AU ######### 2015-08-19 02:05:30:547 1612 c90 AU ## END ## AU: Installing updates [CallId = {D49E3A19-EAF6-4FCD-A2D1-0CAC957AC5E6}] 2015-08-19 02:05:30:547 1612 c90 AU ############# 2015-08-19 02:05:30:547 1612 1688 AU Install complete for all calls, reboot needed
2015-08-19 02:15:30:559 1612 1688 AU Client has determined it is safe to reboot without warning. Rebooting now... 2015-08-19 02:15:30:559 1612 1688 AU AU invoking RebootSystem (OnRebootNow) 2015-08-19 02:15:30:559 1612 1688 AU Allowing auto firmware installs at next shutdown
We control WSUS behaviour via Group Policy so I was surprised why this particular server restarted, It’s in the same OU as other servers that did not restart! Running Group Policy Modelling I can see that the standard (expected) group policies are in place. In addition on the server that restarted I can see no Group Policy event failures so as far as I’m aware the group policy had been applied, in addition there’s no local security polices applied that would have taken precedence over AD GP’s.
The AD functional level is Windows 2008 R2 but we have the relevant ADMX files in place for 2012 R2 Group Policy. Currently we are set to Automatic Update Option 5 0 “Allow the Local administrator to choose” and “No auto-restart with logged on users for scheduled automatic updates installations”
I’ve been reading lots about the new Windows 2012 “Automatic Maintenance” this is set on all servers to run daily at 2am, although the time is close to my event I would expect the remainder of my server estate to have also started updating and rebooting if this was the process that caused the event.
I’ve spent some time trying to establish the root cause so I can ensure it doesn’t happen again, so far I can see the cause but no means to prevent future occurrences and I’m concerned it could affect further servers. Any advice welcomed.
