Windows 10 Windows 10 svchost.exe automatic restart for updates when GPO is set for no auto-restart

  • Thread starter Thread starter Ryan-Smith
  • Start date Start date
R

Ryan-Smith

Guest
I had a Windows 10 2016 LTSB computer automatically restart to install an update while a user was logged in. We have a group policy configured to not auto-restart with logged in users. This policy is applied to several hundred computers and has been working properly for years. It was confirmed as being applied correctly to the problem computer with a gpresult. Here are some details:

Windows updates are distributed through our WSUS server and client update behavior is controlled through group policies. We have the following group policies set:

  • Configure Automatic Updates - Enabled / 4 - Auto download and schedule the install / Schedule install day: 0 - Every day / Schedule install time: 03:00
  • No auto-restart with logged on users for scheduled automatic updates installations - Enabled


I found the following logs:

  • Event ID 1074 / 2/6/2018 8:55:53 PM / The process C:\WINDOWS\system32\svchost.exe (PC-XXX) has initiated the restart of computer PC-XXX on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
    Reason Code: 0x80020010
    Shutdown Type: restart
    Comment:
  • Event ID 4647 / 2/6/2018 8:56:03 PM / User initiated logoff:

    Subject:
    Security ID: DOMAIN\usernamexxx
    Account Name: usernamexxx
    Account Domain: DOMAIN
    Logon ID: 0x3519A7C

    This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
  • Event ID 19 / 2/6/2018 8:57:36 PM / Installation Successful: Windows successfully installed the following update: 2018-01 Security Update for Adobe Flash Player for Windows 10 Version 1607 for x64-based Systems (KB4056887)


Not only did it force a restart with a logged on user, it performed the install outside of our scheduled install time. On 2/5/2018 I approved several Office updates and a Flash update to a small test group. This group consists of four Windows 10 2016 LTSB computers. All four had logged in users. All four installed the approved updates on 2/6/2018 at 03:00 as per our group policy (this was confirmed on the event logs of each computer). After the installation, none of the computers rebooted because they had logged in users. That brings us to the night of 2/6 where as you can see one computer auto rebooted with a logged in user, where as the other three computers did not reboot. Why did the one computer reboot? I have seen a few other posts for the same issue (svchost.exe initiated the restart + no auto-restart gpo) with no real response, so I figured I'd try a new post.

More...
 
Back
Top