Force Restart Issue

Hello,

We are facing an issue with BigFix where some targeted servers are restarting immediately after installing updates and other servers not, even though the restart has already been scheduled for 8 hours later within Post Action. Unfortunately, this behavior is causing unexpected downtime during working hours.

Here are the logs and screenshots related to this incident:

At 15:43:43 +0300 - mailboxsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/mailboxsite1074185216)
Downloaded ‘http://SCCM.scb.local:52311/mailbox/files/18/19/181925c49a2c3f392c59648f627ef0d961c3a18f’ as ‘Action 63183.fxf’
At 15:43:44 +0300 - mailboxsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/mailboxsite1074185216)
Gather::SyncSiteByFile adding files - count: 1
At 15:43:44 +0300 -
Successful Synchronization with site ‘mailboxsite’ (version 195) - ‘http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/mailboxsite1074185216’
Processing action site.
At 15:43:57 +0300 - mailboxsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/mailboxsite1074185216)
Relevant - MS25-SEP: Cumulative Update for Windows Server 2016 - Windows Server 2016 - KB5065427 (x64) (fixlet:63183)
At 15:46:04 +0300 -
Encrypted Report posted successfully
At 15:46:30 +0300 -
DownloadPing command received (ID=63183)
At 15:46:32 +0300 -
ActionLogMessage: (action:63183) Action signature verified for Downloads
DownloadsAvailable: checking for ‘http://SCCM.scb.local:52311/bfmirror/downloads/63183/0’
DownloadsAvailable: true (action id 63183)
ActionLogMessage: (action:63183) Non-Distributed - DownloadsAvailable
ActionLogMessage: (action:63183) Submitting download request
ActionLogMessage: (action:63183) Download url: ‘https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2025/09/windows10.0-kb5065427-x64_b341c6fc803e28fc7257524e5f5de44551766bcf.msu’
ActionLogMessage: (action:63183) Download url: ‘https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2025/09/windows10.0-kb5065687-x64_3719efc71da546d91481f446ac57939a4b288a8b.msu’
At 15:57:45 +0300 -
ActionLogMessage: (action:63183) Action signature verified for Execution
ActionLogMessage: (action:63183) starting action
At 15:57:46 +0300 - BigFix Inventory Discovery (http://sync.bigfix.com/cgi-bin/bfgather/bigfixinvdiscovery)
Downloaded ‘http://SCCM.scb.local:52311/bfmirror/bfsites/enterprisemirror_59_25/__fullsite’ as ‘__TempUpdateFilename’
At 15:57:46 +0300 -
Successful Synchronization with site ‘BigFix Inventory Discovery’ (version 25) - ‘http://sync.bigfix.com/cgi-bin/bfgather/bigfixinvdiscovery’
At 15:57:46 +0300 - actionsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Prefetch download manager collected file) prefetch windows10.0-kb5065427-x64_b341c6fc803e28fc7257524e5f5de44551766bcf.msu sha1:b341c6fc803e28fc7257524e5f5de44551766bcf size:1722980752 https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2025/09/windows10.0-kb5065427-x64_b341c6fc803e28fc7257524e5f5de44551766bcf.msu sha256:a57a0bc707bb59e5d383ecdbded433cc86ca0d73f91b87c0de201ec7d290f329 (action:63183)
Command succeeded (Prefetch download manager collected file) prefetch windows10.0-kb5065687-x64_3719efc71da546d91481f446ac57939a4b288a8b.msu sha1:3719efc71da546d91481f446ac57939a4b288a8b size:12629561 https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2025/09/windows10.0-kb5065687-x64_3719efc71da546d91481f446ac57939a4b288a8b.msu sha256:c679ac4d4b747688f9ecd83affe29ff0261dac4985122b03d26151d9ed91ccf9 (action:63183)
At 15:57:47 +0300 - actionsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (evaluated true) continue if {exists running service “wuauserv” OR NOT exists service “wuauserv” whose (start type of it = “disabled”)} (action:63183)
Command started - waithidden “C:\Windows\system32\wusa.exe” “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\Enterprise Security__Download\windows10.0-kb5065687-x64_3719efc71da546d91481f446ac57939a4b288a8b.msu” /Quiet /Norestart (action:63183)
At 15:58:49 +0300 -
Encrypted Report posted successfully
At 15:58:52 +0300 - actionsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=0) waithidden “C:\Windows\system32\wusa.exe” “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\Enterprise Security__Download\windows10.0-kb5065687-x64_3719efc71da546d91481f446ac57939a4b288a8b.msu” /Quiet /Norestart (action:63183)
Command succeeded (evaluated true) continue if {exists running service “wuauserv” OR NOT exists service “wuauserv” whose (start type of it = “disabled”)} (action:63183)
Command started - waithidden “C:\Windows\system32\wusa.exe” “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\Enterprise Security__Download\windows10.0-kb5065427-x64_b341c6fc803e28fc7257524e5f5de44551766bcf.msu” /Quiet /Norestart (action:63183)
At 16:00:21 +0300 -
Encrypted Report posted successfully
At 17:15:44 +0300 - actionsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=3010) waithidden “C:\Windows\system32\wusa.exe” “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\Enterprise Security__Download\windows10.0-kb5065427-x64_b341c6fc803e28fc7257524e5f5de44551766bcf.msu” /Quiet /Norestart (action:63183)
Command succeeded action requires restart “b341c6fc803e28fc7257524e5f5de44551766bcf” (action:63183)
At 17:15:51 +0300 - Enterprise Security (http://sync.bigfix.com/cgi-bin/bfgather/bessecurity)
Fixed - MS25-SEP: Cumulative Update for Windows Server 2016 - Windows Server 2016 - KB5065427 (x64) (fixlet:506542703)
At 17:15:51 +0300 -
ActionLogMessage: (action:63183) ending action
At 17:15:51 +0300 - mailboxsite (http://LIFECYCLE.scb.local:52311/cgi-bin/bfgather.exe/mailboxsite1074185216)
Not Relevant - MS25-SEP: Cumulative Update for Windows Server 2016 - Windows Server 2016 - KB5065427 (x64) (fixlet:63183)
At 17:16:14 +0300 -
Encrypted Report posted successfully
At 17:16:35 +0300 -
Encrypted Report posted successfully
At 17:16:38 +0300 -
BigFix Restart (Force count:1) from ActionID 63183
At 17:17:13 +0300 - BES Support (http://sync.bigfix.com/cgi-bin/bfgather/bessupport)
Relevant - Restart Needed - Triggered by a BES Action (fixlet:390)
Fixed - Restart Needed - Not Triggered by a BES Action (fixlet:391)
At 17:18:00 +0300 - Enterprise Security (http://sync.bigfix.com/cgi-bin/bfgather/bessecurity)
Fixed - MS25-SEP: Servicing Stack Update for Windows Server 2016 - Windows Server 2016 - KB5065687 (x64) (fixlet:506568705)
At 17:18:02 +0300 - Patching Support (http://sync.bigfix.com/cgi-bin/bfgather/patchingsupport)
Fixed - Task: Windows Update Service - Start the service (fixlet:12003)
Relevant - Task: Windows Update Service - Stop the service (fixlet:12004)
At 17:18:09 +0300 -
BigFix Restart (Force count:2) from ActionID 63183
At 17:21:29 +0300 -
Encrypted Report posted successfully
At 17:21:32 +0300 -
BigFix Restart (Force count:3) from ActionID 63183
At 17:26:20 +0300 -
Encrypted Report posted successfully
At 17:26:23 +0300 -
BigFix Restart (Force count:4) from ActionID 63183
At 17:27:07 +0300 - Patching Support (http://sync.bigfix.com/cgi-bin/bfgather/patchingsupport)
Relevant - Task: Windows Update Service - Start the service (fixlet:12003)
Fixed - Task: Windows Update Service - Stop the service (fixlet:12004)
At 17:28:28 +0300 -
DownloadPing command received (ID=63190)
At 17:30:02 +0300 -
DownloadPing command received (ID=63191)
At 17:30:37 +0300 -
Encrypted Report posted successfully
At 17:30:39 +0300 -
BigFix Restart (Force count:5) from ActionID 63183
DownloadPing command received (ID=63193)
At 17:30:40 +0300 -

We’re trying to identify the root cause and provide a solution to prevent immediate restarts after updates.

image958×388 109 KB

image942×476 81.8 KB

Please refer to below posts:

Post action restart not working - Usage and Config / Patch - BigFix Forum

Post-Action Restart problem - Usage and Config / Platform - BigFix Forum

I see the EXE is supposedly triggering, that’s really strange. I would say there is something either in your baseline or the action prferences that isn’t quite right.

Before my time, years ago we had some weird things happen when GPO has Windows Updates enabled and inconsistent configs… servers would reboot and even patch on their own from time to time. Not sure if related but that is something to also consider.

Does this occur only on server with no logged in user? I’ve seen cases where the post action UI will not appear as there isn’t a user session for it to connect to (by design I suspect) and in cases like that when using the “Post Action” restart computer feature, the restart will occur immediately and bypass the delays and deadline.

Hi,

I’ve checked the action and found that this action will run independently of user presence. Which means that it is not related to any user logon.

From the screenshot in your first post I’m not exactly sure what is your expected behavior.

Based on the settings in the screenshot, what will happen is

• When the action is finished running it will reboot the system. NOTE that if nobody is logged on, the reboot will happen immediately after the action completes. That’s a common source of confusion.
• If someone is logged on, a message is displayed requesting the reboot and giving them the option to shut down now or to delay the message. After 8 hours they will not be able to delay the message any further and the system restarts.

There is no setting that will “reboot the system 8 hours after the action completes”. If you need to reboot at a specific time, you’ll need to use a second action for that restart and configure the action-start-time parameter accordingly.

I have encountered problems before around the user message, specifically if there’s a Remote Desktop Session that is active but disconnected, the shutdown message might not be able to be displayed, and this in turn prevents the restart from occurring. The articles linked by @vk.khurava detail a workaround for that by changing the behavior of the shutdown command when the user interface cannot be displayed.

Hope this helps!

What version of BigFix are you using?
There is a known issue in specific versions, see this article: