WSUS: Windows Vista clients reboot automatically even though a user is logged on

Here's an interesting WSUS/Vista issue written up by Joe Tindale, a Senior Support Escalation Engineer in North Carolina. If you're turning off automatic restarts but seeing them anyway, this may be your issue:

========

Issue: You may have Windows Vista clients reboot automatically even though "No auto-restart for scheduled Automatic Update installation options" (NoAutoRebootWithLoggedOnUsers) is enabled and a user is logged in.  You may also see something similar to the following in the windowsupdate.log:

2008-09-02 23:04:13:878 1044 b40 AU AU invoking RebootSystem (OnRebootRetry)
2008-09-02 23:04:13:928 1044 b40 Misc WARNING: SUS Client is rebooting system.
2008-09-02 23:04:15:951 1044 b40 AU WARNING: Initiating reboot since no user logged on

Cause: The most common cause for this condition is that the Terminal Services service is disabled. The Windows Update Agent (WUA) uses Terminal Services to determine what users are logged into which sessions. If Terminal Services is disabled, we then specifically query session 0 to see if a user is logged on. In down-level operating systems (2000, XP and 2003) that check is fine, but since session 0 in Windows Vista and Windows Server 2008 is non-interactive, that check will not correctly notify WUA if someone is indeed logged on, since the first user logs into session 1 in those operating systems.

Resolution: It is recommended that you keep Terminal Services enabled and block remote desktop using some alternate way, such as a firewall policy blocking the RDP port (3389) or configuring remote settings to "Don't allow connections to this computer". You can use group policy to configure both of these options so overhead can be minimized.

More Information: Below is where the various policies can be set:

Firewall Policy: Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> Windows Firewall: Allow inbound Remote Desktop exceptions

RDP Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Connections -> Allow users to connect remotely using Terminal Services

========

Thanks Joe!

J.C. Hornbeck | Manageability Knowledge Engineer
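
To find affected clients from collected logs, the added example below (not part of the original write-up or any Microsoft tool) scans windowsupdate.log text for the signature quoted above: a RebootSystem call followed on the same thread by "Initiating reboot since no user logged on". The function names, the 30-second pairing window and the filler log line are assumptions of this example; a hit only means the agent believed nobody was logged on, so check the Terminal Services startup type on that client next.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one filler entry, then the three entries quoted in the post.
SAMPLE_LOG = """\
2008-09-02 23:04:10:101 1044 b40 AU constructed filler entry
2008-09-02 23:04:13:878 1044 b40 AU AU invoking RebootSystem (OnRebootRetry)
2008-09-02 23:04:13:928 1044 b40 Misc WARNING: SUS Client is rebooting system.
2008-09-02 23:04:15:951 1044 b40 AU WARNING: Initiating reboot since no user logged on
"""

# date, time:ms, process id, thread id, component, message (ids kept as opaque strings)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}):(\d{3})\s+"
    r"([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\S+)\s+(.*)$"
)
INVOKE = "invoking RebootSystem"
NO_USER = "Initiating reboot since no user logged on"


def parse(line):
    """Return (timestamp, pid, tid, component, message) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, clock, ms, pid, tid, component, message = m.groups()
    ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts + timedelta(milliseconds=int(ms)), pid.lower(), tid.lower(), component, message


def find_no_user_reboots(text, window=timedelta(seconds=30)):
    """Pair each RebootSystem call with a 'no user logged on' reboot on the same thread."""
    pending, hits = {}, []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # blank or continuation lines
        ts, pid, tid, _component, message = rec
        if INVOKE in message:
            pending[(pid, tid)] = (ts, message)
        elif NO_USER in message:
            started = pending.pop((pid, tid), None)
            if started and ts - started[0] <= window:  # window is an assumed value
                hits.append({"invoked": started[0], "rebooted": ts,
                             "pid": pid, "tid": tid, "trigger": started[1]})
    return hits


if __name__ == "__main__":
    for hit in find_no_user_reboots(SAMPLE_LOG):
        print(hit["rebooted"], hit["pid"], hit["tid"], hit["trigger"])
```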