[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

WSUS - Computers are being restarted even with No-Auto restart policy set

Posted on 2010-04-01
19
Medium Priority
?
685 Views
Last Modified: 2012-05-09
Hello Everyone,

Users are complaining that their computers a restarting on certain nights due to Windows Updates.
Our WSUS server is set with default options - to automatically approve critical updates. Set a deadline for the approval is UNCHECKED.

The GPO settings are shown below. Any idea why some systems reset over night, while the users are logged in with their computers locked?


Windows Components/Windows Updatehide
Policy Setting Comment
Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:  0 - Every day
Scheduled install time: 03:00
 
Policy Setting Comment
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Enabled  
No auto-restart with logged on users for scheduled automatic updates installations: Enabled  
Re-prompt for restart with scheduled installations: Enabled  
Wait the following period before
prompting again with a scheduled
restart (minutes):  600
 
Policy Setting Comment
Reschedule Automatic Updates scheduled installations Enabled  
Wait after system
startup (minutes):  5
 
0
Comment
Question by:Methodman85
  • 9
  • 6
  • 3
  • +1
19 Comments
 
LVL 15

Assisted Solution

by:wantabe2
wantabe2 earned 664 total points
ID: 29340717
Technically, if the computers are locked, AD sees the computers as not being logged on. This setting in the GPO will take go into effect then:

"No auto-restart with logged on users for scheduled automatic updates installations: Enabled  "

If it makes you feel any better, I've messed with WSUS for years & this is an ongoing issue. With my experience, if a particular update requires a reboot, & the users clicks restart later, everytime WSUS & the computer pings each other again, they will get hte message until it reboots.
0
 
LVL 1

Author Comment

by:Methodman85
ID: 29347016
Getting the message is fine, but why do some systems restart if left locked over night. Isn't the message supposed to get sent to the locked session, and then the user sees it waiting for them in the morning when they unlock their computers? They shouldn't be starting a new logon session due to a reboot.

Are you saying that Locked and Logged Out = Same?
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 29350816
Yes, anytime you have to type in a username & password on a computer that is joined to a domain, a DC has to authenticate it if it is logged out or locked. The reason I know this, I had to call Microsoft Gold Support for a similair issue several months ago.

If you have a Windows 2008 DC on your LAN, lock a computer then go into active directory & look at the user or computer account & it will show logged off/locked. A Win 2003 DC does not show this setting in AD but it looks at it the same way, the setting is just not there for an admin to see.

Hope this helps.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:Methodman85
ID: 29357354
hrm, interesting. If that's the case, I wonder why a net user <username> doesn't register a logon time when I unlock the computer. I definitely believe you though. Unfortunately I don't have a 2008 DC on my network yet.
Is there any documentation that supports this behavior?
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 29360109
I don't know of any documentation although I will search my emails for the ticket from Microsoft when they closed my call because it references what I mentioned.
0
 
LVL 1

Author Comment

by:Methodman85
ID: 29360375
Also, how come this never seems to happen to servers? Why only on client machines? Have you noticed this same behavior?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 668 total points
ID: 29484076
Hi,

Refer this:
http://technet.microsoft.com/en-us/library/cc512630.aspx

to cross verfiy your settings.

I hope this helps,
Shree
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 29570294
"Re-prompt for restart with scheduled installations:  Enabled  "



This is the reason the computers are rebooting. This is the reminder that a update that needed a reboot will do so in "Wait the following period before prompting again  with a scheduled restart (minutes):  600 "
 



0
 
LVL 1

Author Comment

by:Methodman85
ID: 29575984
SO then why does it not just re-prompt and leave it at that. I thought that just tells it how long to wait before displaying that annoying "Your system needs to be restarted message"
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 668 total points
ID: 29579594
There's a very good explanation of all the settings here:



http://web.archive.org/web/20080315025611/www.vbshf.com/vbshf/wsus/wsus_faq.htm
0
 
LVL 1

Author Comment

by:Methodman85
ID: 29590614
The link says:

"Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed."

So doesn't that mean that the prompt will show up again after the number of minutes. It's not saying that the computer will restart without re-prompt after the number of minutes

0
 
LVL 1

Author Comment

by:Methodman85
ID: 29590689
Line 1 and line 2 of the description seem to be saying different things lol.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 29591534
"If the status is set to Enabled, a scheduled restart will occur the  specified number of minutes after the previous prompt for restart was  postponed."




Meaning that how ever long it gets postponed, when that time has elapsed it will reboot. It does not just postpone the message.
0
 
LVL 1

Author Comment

by:Methodman85
ID: 29595050
yes but what about the first line "Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 29595813
Yes, it will prompt again and if no response(machine is locked) it will reboot in 5 minutes. There is a good reason for restarting. Further updates will not install until a pending reboot is taken care of. Some updates cannot install without a reboot because the file that they need to update is in use.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 29596065
It's probably better to explain it as "Delay countdown timer before automatic restart"
0
 
LVL 1

Author Comment

by:Methodman85
ID: 29598121
I see, I'm just running a quick test, I have it set to download and schedule install at 6:00PM on my test system. I will click restart later when the prompt comes up at that time. Then I will lock the machine (I have re-prompt set to 5 mins). It should restart 5 minutes after correct?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 29598983
Did you read "Rob's notes" from the earlier link?  ;^)



0
 
LVL 1

Author Comment

by:Methodman85
ID: 29908828
So if I don't configure the Reprompt option, the computers will stop restarting when someone is logged on, no matter how long they're idle?

Sorry I'm being so difficult. But if I remove the delay of 300 minutes before reprompt, the users will be prompted every 10 minutes, but they're systems will never restart unless the tell it to?
But if I leave the delay they will continue to restart if the prompt isn't answered.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question