27 April 2016

Windows 7 clients automatically rebooting for updates - no notifcation - WSUS

Recently I had a call from a client saying that they're having computers randomly reboot (without warning) to install Windows Updates.  All machines were Windows 7, and they were all on the client's domain.  They had WSUS installed and configured, with GPOs to define the backup settings etc.  In this case, the GPO stated that machines will automatically download and install updates at 4pm each day, and only reboot if there was no active user.

After checking the GPO, I was confident that the issue was not related to that, as it clearly stated that the computers won't be rebooting automatically.  I remoted into the workstations to ensure that they're actually applying the GPO (gpresult /r), which they were.  So it wasn't GPO, and it wasn't the workstations as far as I could tell.

I logged into WSUS itself, and checked the automatic approval settings.  That was all setup and was approving certain updates (such as Critical Updates and Security Updates etc).  When looking further down the Automatic Approval rules, I noticed that there had been a deadline set for installing the updates.

The deadline had been set for 5am on the same day that the Windows Updates were approved.  This means that the when a workstation turns on in the morning (which is usually after 5am...), it will realise that it has some updates available.  Because it's already past the deadline, the workstations starts installing the updates as soon as it can, and applying them immediately.  

The WSUS settings here overwrite the GPO settings, so even though it may have been defined in the GPO to not reboot, the computer knows that it's already past it's deadline to have these updates installed, so it ignores the remainder of the settings, and applies the updates straight away.  If the updates require a reboot, it will do the reboot immediately as well.  This was what was causing the 'random' rebooting of computers throughout the day.  

To resolve this issue, one could change the deadline to perhaps allow a couple of days after the update has been approved, or in my case, completely remove the deadline requirement.  The GPO will get machines to install updates each day anyway, so it's not needed in this case.

No comments:

Post a comment