A
Allen Terry
Over the past year this scenario has happened a few times, with different servers. It has happened to a Hyper-V cluster node and a passive node of a SQL fail over cluster. Normally the following group policies prevent the server from automatically updating and rebooting. The issue could hit one server one month and then all of our servers behave as expected for a few months and then it hits us again.
Group Policy Settings:
The following event is logged:
Log Name: System
Source: User32
Date: 5/13/2020 12:41:59 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: vmnode2.domain.local
Description:
The process C:\windows\system32\svchost.exe (VMNode2) has initiated the restart of computer VMNode2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32" />
<EventID Qualifiers="32768">1074</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-05-13T16:41:59.573145200Z" />
<EventRecordID>264706</EventRecordID>
<Correlation />
<Execution ProcessID="1516" ThreadID="1640" />
<Channel>System</Channel>
<Computer>VMNode2.domain.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">C:\windows\system32\svchost.exe (VMNode2)</Data>
<Data Name="param2">VMNode2</Data>
<Data Name="param3">Operating System: Service pack (Planned)</Data>
<Data Name="param4">0x80020010</Data>
<Data Name="param5">restart</Data>
<Data Name="param6">
</Data>
<Data Name="param7">NT AUTHORITY\SYSTEM</Data>
</EventData>
</Event>
Continue reading...
Group Policy Settings:
- Always automatically restart at the scheduled time - Enabled - 30 minutes
- Automatic Updates detection frequency - Enabled - 8 hours
- Configure Automatic updates - Enabled - 3 - Auto download and notify for install
- Turn on recommended updates via Automatic Updates - Enabled
The following event is logged:
Log Name: System
Source: User32
Date: 5/13/2020 12:41:59 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: vmnode2.domain.local
Description:
The process C:\windows\system32\svchost.exe (VMNode2) has initiated the restart of computer VMNode2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32" />
<EventID Qualifiers="32768">1074</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-05-13T16:41:59.573145200Z" />
<EventRecordID>264706</EventRecordID>
<Correlation />
<Execution ProcessID="1516" ThreadID="1640" />
<Channel>System</Channel>
<Computer>VMNode2.domain.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">C:\windows\system32\svchost.exe (VMNode2)</Data>
<Data Name="param2">VMNode2</Data>
<Data Name="param3">Operating System: Service pack (Planned)</Data>
<Data Name="param4">0x80020010</Data>
<Data Name="param5">restart</Data>
<Data Name="param6">
</Data>
<Data Name="param7">NT AUTHORITY\SYSTEM</Data>
</EventData>
</Event>
Continue reading...