WSUS - Computers are being restarted even with No-Auto restart policy set

Hello Everyone,

Users are complaining that their computers are restarting on certain nights due to Windows Updates.
Our WSUS server is set with default options - to automatically approve critical updates. Set a deadline for the approval is UNCHECKED.

The GPO settings are shown below. Any idea why some systems reset overnight, while the users are logged in with their computers locked?


Windows Components/Windows Update

Configure Automatic Updates: Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day: 0 - Every day
    Scheduled install time: 03:00

Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Enabled

No auto-restart with logged on users for scheduled automatic updates installations: Enabled

Re-prompt for restart with scheduled installations: Enabled
    Wait the following period before prompting again with a scheduled restart (minutes): 600

Reschedule Automatic Updates scheduled installations: Enabled
    Wait after system startup (minutes): 5
 
Methodman85 Asked:

wantabe2 Commented:
Technically, if the computers are locked, AD sees the computers as not being logged on. This setting in the GPO will go into effect then:

"No auto-restart with logged on users for scheduled automatic updates installations: Enabled"

If it makes you feel any better, I've messed with WSUS for years & this is an ongoing issue. With my experience, if a particular update requires a reboot, & the user clicks restart later, every time WSUS & the computer ping each other again, they will get the message until it reboots.
0
Methodman85 (Author) Commented:
Getting the message is fine, but why do some systems restart if left locked overnight? Isn't the message supposed to get sent to the locked session, and then the user sees it waiting for them in the morning when they unlock their computers? They shouldn't be starting a new logon session due to a reboot.

Are you saying that Locked and Logged Out = Same?
0
wantabe2 Commented:
Yes, anytime you have to type in a username & password on a computer that is joined to a domain, a DC has to authenticate it if it is logged out or locked. The reason I know this: I had to call Microsoft Gold Support for a similar issue several months ago.

If you have a Windows 2008 DC on your LAN, lock a computer then go into active directory & look at the user or computer account & it will show logged off/locked. A Win 2003 DC does not show this setting in AD but it looks at it the same way, the setting is just not there for an admin to see.

Hope this helps.
0
Methodman85 (Author) Commented:
hrm, interesting. If that's the case, I wonder why a net user <username> doesn't register a logon time when I unlock the computer. I definitely believe you though. Unfortunately I don't have a 2008 DC on my network yet.
Is there any documentation that supports this behavior?
0
wantabe2 Commented:
I don't know of any documentation although I will search my emails for the ticket from Microsoft when they closed my call because it references what I mentioned.
0
Methodman85 (Author) Commented:
Also, how come this never seems to happen to servers? Why only on client machines? Have you noticed this same behavior?
0
Shreedhar Ette Commented:
Hi,

Refer to this:
http://technet.microsoft.com/en-us/library/cc512630.aspx

to cross-verify your settings.

I hope this helps,
Shree
0
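
One way to cross-verify the settings on an affected client, as an added example that is not part of any post in this thread: the script reads the Automatic Updates policy values that the GPO writes to the registry and compares them with the values from the GPO report in the question. The registry value names are the standard Automatic Updates policy values; the function name and the expected-value table are constructed for this example.

```powershell
# Added example: compare the Automatic Updates policy applied on a client
# with the values from the GPO report in the question. Run on the client.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$RebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# Expected data, transcribed from the GPO report (03:00 is stored as hour 3).
$Expected = @(
    @{ Name = 'NoAutoUpdate'; Value = 0; Policy = 'Configure Automatic Updates: Enabled' },
    @{ Name = 'AUOptions'; Value = 4; Policy = 'Auto download and schedule the install' },
    @{ Name = 'ScheduledInstallDay'; Value = 0; Policy = 'Scheduled install day: every day' },
    @{ Name = 'ScheduledInstallTime'; Value = 3; Policy = 'Scheduled install time: 03:00' },
    @{ Name = 'AUPowerManagement'; Value = 1; Policy = 'Wake system to install scheduled updates' },
    @{ Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1; Policy = 'No auto-restart with logged on users' },
    @{ Name = 'RebootRelaunchTimeoutEnabled'; Value = 1; Policy = 'Re-prompt for restart: Enabled' },
    @{ Name = 'RebootRelaunchTimeout'; Value = 600; Policy = 'Re-prompt wait (minutes)' },
    @{ Name = 'RescheduleWaitTimeEnabled'; Value = 1; Policy = 'Reschedule scheduled installations: Enabled' },
    @{ Name = 'RescheduleWaitTime'; Value = 5; Policy = 'Wait after system startup (minutes)' }
)

function Get-AuPolicyReport {
    param([string]$Path = $AuKey)
    if (-not (Test-Path $Path)) {
        throw "No Automatic Updates policy key at $Path; no Windows Update policy is applied here."
    }
    $applied = Get-ItemProperty -Path $Path
    foreach ($item in $Expected) {
        $name = $item.Name
        $actual = $applied.$name          # $null when the value is not set
        if ($null -eq $actual)           { $status = 'NotSet' }
        elseif ($actual -eq $item.Value) { $status = 'Match' }
        else                             { $status = 'Differs' }
        New-Object PSObject -Property @{
            Policy = $item.Policy; RegistryValue = $name
            Expected = $item.Value; Actual = $actual; Status = $status
        }
    }
}

Get-AuPolicyReport |
    Select-Object Status, RegistryValue, Expected, Actual, Policy |
    Format-Table -AutoSize

# A RebootRequired key means an installed update is still waiting for a restart.
"Restart pending: $(Test-Path $RebootKey)"
```

Rows reported as NotSet or Differs show where the client is not running the policy from the GPO report, which is worth ruling out before debating what each setting does.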

Don (Network Administrator) Commented:
"Re-prompt for restart with scheduled installations: Enabled"

This is the reason the computers are rebooting. This is the reminder that an update that needed a reboot will do so in "Wait the following period before prompting again with a scheduled restart (minutes): 600".
0
Methodman85 (Author) Commented:
So then why does it not just re-prompt and leave it at that? I thought that just tells it how long to wait before displaying that annoying "Your system needs to be restarted" message.
0
Don (Network Administrator) Commented:
There's a very good explanation of all the settings here:

http://web.archive.org/web/20080315025611/www.vbshf.com/vbshf/wsus/wsus_faq.htm
0
Methodman85 (Author) Commented:
The link says:

"Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed."

So doesn't that mean that the prompt will show up again after the number of minutes? It's not saying that the computer will restart without re-prompt after the number of minutes.
0
Methodman85 (Author) Commented:
Line 1 and line 2 of the description seem to be saying different things lol.
0
Don (Network Administrator) Commented:
"If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed."

Meaning that however long it gets postponed, when that time has elapsed it will reboot. It does not just postpone the message.
0
Methodman85 (Author) Commented:
Yes, but what about the first line: "Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart."?
0
Don (Network Administrator) Commented:
Yes, it will prompt again and if no response (machine is locked) it will reboot in 5 minutes. There is a good reason for restarting. Further updates will not install until a pending reboot is taken care of. Some updates cannot install without a reboot because the file that they need to update is in use.
0
Don (Network Administrator) Commented:
It's probably better to explain it as "Delay countdown timer before automatic restart"
0
Methodman85 (Author) Commented:
I see, I'm just running a quick test. I have it set to download and schedule install at 6:00PM on my test system. I will click restart later when the prompt comes up at that time. Then I will lock the machine (I have re-prompt set to 5 mins). It should restart 5 minutes after, correct?
0
Don (Network Administrator) Commented:
Did you read "Rob's notes" from the earlier link?  ;^)
0
Methodman85 (Author) Commented:
So if I don't configure the Reprompt option, the computers will stop restarting when someone is logged on, no matter how long they're idle?

Sorry I'm being so difficult. But if I remove the delay of 300 minutes before reprompt, the users will be prompted every 10 minutes, but their systems will never restart unless they tell it to?
But if I leave the delay they will continue to restart if the prompt isn't answered.
0
Windows Server 2003

From novice to tech pro — start learning today.