My boss and I were sitting in our server room today when we all of a sudden heard one of our servers go into hyper-speed, indicating that it was restarting. You can imagine the immediate "oh crap" expressions on our faces.
We dug into the logs, and it appears that there were some updates automatically installed that required a restart. AU, seeing that there was no one logged in, automatically did the restart. This is a production server, so we have automatic updates turned off (not even downloading then waiting; it should wait for us to tell it before it does anything).
I ran both rsop.msc and gpedit.msc to check if there was a rogue group policy that forced the automatic updating. Nothing.
Our windowsupdate.log shows this:
2011-12-16 09:00:12:092 964 17f4 AU Setting AU scheduled install time to 2011-12-16 20:00:00
(there were many more lines like that, and one pointing to a scheduled install just minutes before we heard the restart)
So, somewhere, AU is getting the bright idea that it should schedule automatic installs. Any ideas on why that might be happening?
A bit of pertinent information:
We recently (one month ago) installed a WSUS server, and two weeks ago pointed all of our servers at it. With WSUS came Forefront Client Security, with a policy set up to do automatic definition updates every 6 hours. This could possibly be the problem, but it seems like a major flaw that by checking for definition updates it would automatically install other updates.
I also rolled out (I believe last Thursday) a new GPO for our workstations that forces automatic updating at 2:00 PM. This was applied to a select few workstations in the company and NONE OF THE SERVERS. I confirmed that that group policy wasn't applied through rsop.msc.
As far as I can tell, this has only happened on our 2003 servers, but I can't make any promises that it isn't happening on the 2008 servers and I just haven't noticed.
Ideas?
On the server itself, from a command prompt, I'd recommend running gpresult (with a /v for Verbose output or a /z for the uber-detailed version) and see if you can locate a policy that is incorrectly applied (or alternatively, not applied as it should be for some reason). Also, I'd recommend the >result.txt (or whatever you want to name it) with the /v and /z options - they can get rather wordy and exceed your command prompt screen buffer. Having the results in a text file also makes them searchable, which is nice...
Here is an interesting article, though I'm not sure if it applies here.
What are your automatic update settings? Check both group policy and local policy. With group policy (if applicable) run an RSOP, which will basically create a picture of what your GP settings look like, including taking inheritance into consideration. My guess is you have auto install / reboot set up and MS released an out of band patch.
Secondly, be careful with what classification you auto approve. As you point out there's definition updates, but there's also security updates, critical (or important) updates, recommended updates. If you have security or critical set to auto approve, and MS releases an out of band patch, you're going to get it and it will reboot based on your WSUS scheduled install settings (in group policy).
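The answers above say to check group and local policy; whatever policy is applied, the values the Automatic Updates client reads end up under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. As an added example (not part of the original thread), this Python script interprets saved "reg query" output for that key. The sample output is constructed, with a 20:00 schedule like the one in the log line in the question.

```python
import re

# Value meanings for HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AU_OPTIONS = {2: "notify before download",
              3: "download automatically, notify before install",
              4: "download automatically and install on a schedule",
              5: "local administrators choose the setting"}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]

# Constructed sample of reg query output for that key (not from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0x14
    UseWUServer    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def assess(values):
    """Summarise what the policy values tell the Automatic Updates client to do."""
    if values.get("NoAutoUpdate") == 1:
        return {"scheduled_install": False, "summary": "Automatic Updates disabled by policy"}
    opt = values.get("AUOptions")
    if opt is None:
        return {"scheduled_install": False, "summary": "no AUOptions policy value found"}
    summary = AU_OPTIONS.get(opt, "unrecognised AUOptions value %d" % opt)
    if opt == 4:  # only option 4 installs (and may restart) without an admin acting
        day, hour = values.get("ScheduledInstallDay"), values.get("ScheduledInstallTime")
        when = DAYS[day] if day is not None and 0 <= day < len(DAYS) else "day not set"
        when += " at %02d:00" % hour if hour is not None else ", time not set"
        summary += " (%s)" % when
    if values.get("UseWUServer") == 1:
        summary += "; updates come from the WSUS server named in WUServer"
    return {"scheduled_install": opt == 4, "summary": summary}

if __name__ == "__main__":
    print(assess(parse_reg_query(SAMPLE))["summary"])
```

A result with scheduled_install set to True on a server that is supposed to wait for an administrator means some policy, domain or local, is writing AUOptions 4 to that key.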