• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 27623

Prevent automatic reboot after Windows update

Hi,
I am running Windows 2003 on Server A and Server B. Server B is a workstation, and Server A is running WSUS for Windows updates and has clients in its domain. I found out that all the clients of Server A automatically get rebooted, most probably due to Windows Update, and Server B also gets rebooted whenever there are any updates which require a reboot. Following is the error which I get in the event logs:

"The process winlogon.exe has initiated the restart of computer B on behalf of user NT AUTHORITY\SYSTEN for the following  reason. No title for this reason could be found
Reason code:0x80020002
shutdown  type :restart"

Before this log there are event logs which say that an update was successfully installed and a reboot is required, which clarifies that this is not virus activity and the reboot is due to Windows Update. I also scanned winlogon.exe with Symantec antivirus and found no threat.

I have enabled the "No automatic restart for windows update" option in group policy. It is not working, as it only works when a user is logged on; otherwise it will automatically reboot the system.

My concerns are:
1. How can I configure WSUS so that the clients won't get rebooted automatically whenever there are updates which require a reboot? Instead, the user should get a prompt for reboot whenever he logs on to that system.
2. How can I configure Server B to disallow automatic reboot?
3. Why wasn't Server A rebooted when all the clients got rebooted?


Thanks in advance.
Asked:
KidsTrainingTeam
1 Solution
 
canali Commented:

1) would be a nice feature
2) look registry
3) look differences in registry server A and Server B HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
http://www.emailbattles.com/archive/battles/vuln_aacgjahfig_ib/

Is not much... I'm curious to know the registry differences between server

Gas
 
ISoul Commented:
I think you should actually just set the systems so that they don't automatically install the Windows Updates, but instead have them download automatically and then you manually install the updates when convenient.
 
rindi Commented:
I agree, don't use the automatic update function, but rather run the updates yourself. I've lately seen some Windows updates that tend to have a bad influence on the system, so, particularly for a server, you should be careful when running the updates. When a new update has arrived I'd wait for 2 weeks before running it; in that time any bugs should have been corrected. I'd also officially plan downtime when updating, so do it on weekends or when the server isn't heavily utilized, and warn the users of such events and that the server may have some down time. You can combine other service tasks with update day, like cleaning out the dust, running chkdsk and defragmentation, all tasks that should be done regularly to keep a server in good order....
 
Walter Padrón Commented:
Hi KidsTrainingTeam,

1) Enable "No auto-restart for scheduled Automatic Updates installations". Below is a portion of our policy as I posted in http://www.experts-exchange.com/Operating_Systems/Q_21845863.html (currently active) and it works as intended.

Allow Automatic Updates immediate installation: Enabled
Configure Automatic Updates: Enabled
Configure automatic updating: 4 - Auto download and schedule the install
Scheduled install day: 0 - Every day
Scheduled install time: 13:00
No auto-restart for scheduled Automatic Updates installations: Enabled

2) Disable or do not configure "No auto-restart for scheduled Automatic Updates installations". Make a different GPO to apply to those servers.

1), 2) and 3) Check that the policies are applied correctly if servers, DCs and computers are in different OUs.

cheers
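One way to carry out the check suggested in this thread (compare the Windows Update policy registry values between machines and confirm the GPO reached them), as an added example that is not part of any poster's answer. The value names are the standard Automatic Updates policy values under the WindowsUpdate\AU key; SERVER-A and SERVER-B are placeholder computer names, and the expected values are assumed from the policy quoted above.

```powershell
# Added example: report the Automatic Updates policy values on one or more machines.
# Expected values mirror the policy quoted above; adjust them to your own GPO.
$expected = @{
    NoAutoUpdate                  = 0   # Configure Automatic Updates: Enabled
    AUOptions                     = 4   # 4 - Auto download and schedule the install
    ScheduledInstallDay           = 0   # 0 - Every day
    ScheduledInstallTime          = 13  # 13:00
    AutoInstallMinorUpdates       = 1   # Allow Automatic Updates immediate installation
    NoAutoRebootWithLoggedOnUsers = 1   # No auto-restart for scheduled installations
}
$auPath = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuPolicyReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            # Needs the Remote Registry service and admin rights on the target
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        } catch {
            Write-Warning "${computer}: cannot open registry: $($_.Exception.Message)"
            continue
        }
        $key = $hklm.OpenSubKey($auPath)   # $null when no AU policy reached this machine
        foreach ($name in ($expected.Keys | Sort-Object)) {
            $actual = $null
            if ($key) { $actual = $key.GetValue($name) }
            if ($null -eq $actual)                { $status = 'NOT SET' }
            elseif ($actual -eq $expected[$name]) { $status = 'OK' }
            else                                  { $status = 'DIFFERS' }
            New-Object PSObject -Property @{
                Computer = $computer; Setting = $name
                Expected = $expected[$name]; Actual = $actual; Status = $status
            } | Select-Object Computer, Setting, Expected, Actual, Status
        }
        if ($key) { $key.Close() }
        $hklm.Close()
    }
}

# SERVER-A and SERVER-B are placeholder names for the two machines being compared
Get-AuPolicyReport -ComputerName 'SERVER-A', 'SERVER-B' | Format-Table -AutoSize
```

A machine that shows NOT SET for every setting never received the GPO, which points at the OU placement mentioned above rather than at the policy values themselves.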
 
KidsTrainingTeam (Author) Commented:
Hi rindi
Don't you think we have to apply updates as soon as possible when they are released because, obviously, the server will remain vulnerable?

 
canali Commented:
I agree with rindi, "manual" update is better.
Sometimes updates are not critical for a production server:
Ex. if Microsoft releases an update (with Maximum Severity Rating) Critical, regarding msrpc or DTC ... and your server is behind a firewall, only port 80 open to the world, you don't need to apply it as soon as possible ...
Sometimes an update rated Moderate can be critical for your server because it regards your core application (IIS, mssql..)
So the better solution would be to read the Microsoft bulletin and understand the severity risk (but is time keeping;)
After the analysis, then you decide what is better
but if u prefer let Bill Gates decide 4 u :)
Gas
 
 
rindi Commented:
As I said, some of the patches m$ sends out in its Windows updates are themselves buggy and can cause bigger issues. Big companies with large IT deps usually first test those updates inside a test environment and only release them to the production servers when they are regarded as safe. Of course smaller companies don't have the additional resources needed for that kind of procedure, but usually by waiting 2 weeks it is likely the patch has been patched. And as mentioned above, servers shouldn't be used for other things, and if things are kept that way many of the fixes aren't really necessary.
 
KidsTrainingTeam (Author) Commented:
Thanks rindi
 
rindi Commented:
You're welcome
 
ISoul Commented:
Not even any breadcrumbs my way, huh. That's alright. =P