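This afternoon I ran into something unexpected. A Windows Server 2012 R2 terminal server restarted unexpectedly after installing updates, contrary to the settings in Group Policy.
The following GPO applies to the server: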
Windows Update
Data collected on: 2016-12-19 16:23:58
General
Details
Domain xxxx.xxxxxxxxxxx.net
Owner XXXX\Domain Admins
Created 2016-11-15 13:36:44
Modified 2016-11-15 13:39:40
User Revisions 0 (AD), 0 (SYSVOL)
Computer Revisions 5 (AD), 5 (SYSVOL)
Unique ID {91ADBD9A-8488-4F98-B04A-9C8029A437B2}
GPO Status Enabled
Links
Location Enforced Link Status Path
xxxx No Enabled xxxx.xxxxxxxxxxx.net
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
XXXX\Domain Admins Edit settings, delete, modify security No
XXXX\Domain Computers Read No
XXXX\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Windows Components/Windows Update
Policy Setting Comment
Allow Automatic Updates immediate installation Enabled
Allow non-administrators to receive update notifications Disabled
Always automatically restart at the scheduled time Enabled
The restart timer will give users this much time to save their work (minutes): 15
Policy Setting Comment
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance Disabled
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting Comment
Turn on recommended updates via Automatic Updates Enabled
User Configuration (Enabled)
No settings defined.
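So the expected result is that the server should immediately install any updates that have no impact, and install any updates that do not require a restart at 3 AM, and then restart.
The actual result was that the server restarted at 16:51:30, with the following message in WindowsUpdate.log: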
2017-01-11 16:51:30:071 812 1368 AU Client has determined it is safe to reboot without warning. Rebooting now...
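Using the TerminalServices-LocalSessionManager log, I was able to determine that the last terminal server user of the day logged off at 16:41:29, so it appears that the machine did restart a full 10 minutes after nobody was logged on to it. The full Windows Update log is available for review.
Further analysis of the log seems to indicate that the updates requiring a restart were installed at 2017-01-11 03.00 as configured, but for some undetermined reason the server did not restart at that time.
Answer 1
If users have been logged on for several days and the server installs updates during its normal update schedule, updates that require a restart will not trigger the restart until the last user logs off.
So if your users logged on yesterday and then disconnected or left their sessions open, the updates are installed at 3 AM and the machine wants to restart, but it waits until the last user has logged off; so when that logoff happened at 16:41, the server considered it safe and initiated the restart.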
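An added example, not part of the original question or answer: a PowerShell check, run on the terminal server itself, that reports whether it is in the state the answer describes (a restart pending while sessions, including disconnected ones, are still open). It assumes the RebootRequired registry key under the Windows Update Auto Update key as the pending-restart marker and the column layout that quser prints on English-language Windows; the function name Get-SessionFromQuser is hypothetical.

```powershell
# Added example (not from the original thread).
# Parses quser output into objects. Assumes the English column layout:
# USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
function Get-SessionFromQuser {
    param([string[]]$Lines)
    # The first row is the header. A disconnected session has an empty
    # SESSIONNAME column, so split on runs of 2+ spaces and count fields
    # instead of relying on fixed positions.
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim().TrimStart('>') -split '\s{2,}'
        if ($f.Count -eq 5) {
            # No session name: USERNAME, ID, STATE, IDLE TIME, LOGON TIME
            [pscustomobject]@{ User = $f[0]; Id = $f[1]; State = $f[2]; Logon = $f[4] }
        } elseif ($f.Count -ge 6) {
            [pscustomobject]@{ User = $f[0]; Id = $f[2]; State = $f[3]; Logon = $f[5] }
        }
    }
}

# Assumption: Windows Update creates this key while a restart is pending.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$pending   = Test-Path -Path $rebootKey

# quser writes to stderr and returns nothing when no user is logged on.
$sessions = @(Get-SessionFromQuser -Lines (quser 2>$null))

if ($pending -and $sessions.Count -gt 0) {
    "Restart pending; $($sessions.Count) session(s) still open:"
    $sessions | Format-Table -AutoSize
} elseif ($pending) {
    'Restart pending and no sessions remain: expect the automatic restart.'
} else {
    'No Windows Update restart pending.'
}
```

Sessions shown with state Disc are disconnected but still logged on, which is the case the answer refers to.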