Spontaneous Restart after patching

Hi, I took action on a patch baseline for testing on my workstation and, while I was logged on, my machine spontaneously restarted. Any ideas? Let me know if more info is needed; this is my first post here… Thanks!

Action Behavior:
Messages
No user interface will be shown before running this action.

No message will be shown while running this action.

Users
This action will run independently of user presence.

User interface will be shown to all users.

Execution
This action will never expire.

It will run at any time of day, on any day of the week.

If the action becomes relevant after it has successfully executed, the action will not be reapplied.

If the action fails, it will not be retried.

If a member action fails, the action group will continue to run.

Post-Action
After the action completes, the user will be requested to restart the computer.

The restart request will have a deadline of 3 days after it is initially shown.

When the deadline is reached, the user will be forced to respond to the restart request.

The user will be allowed to cancel the reboot/shutdown.

The following message will be displayed as the reboot/shutdown request:

Please Restart
In an effort to reduce Spencer Stuart's Cyber Security Risk, the Information Security team has installed security updates on your computer. Please restart at your earliest convenience. If this time is not convenient for you, please click the Snooze button to perform the restart at a later time. There is a deadline of 3 days to perform the restart because not doing so may result in instability and data loss. 

Log File:
At 09:45:51 -0500 - actionsite (http://bigfix.spencerstuart.com:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded parameter “PowerShellexe”=“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” (action:93003)
Command succeeded delete __appendfile (action:93003)
Command succeeded delete script.ps1 (action:93003)
Command succeeded appendfile (new-object net.webclient).downloadfile(“https://api.ipify.org/","{pathname of parent folder of client}\mypublicaddress.txt”) (action:93003)
Command succeeded (file created) appendfile (new-object net.webclient).downloadfile(“https://api.ipify.org/","C:\Program Files (x86)\BigFix Enterprise\BES Client\mypublicaddress.txt”) (action:93003)
Command succeeded appendfile (new-object net.webclient).downloadfile(“https://api.ipify.org/","C:\Program Files (x86)\BigFix Enterprise\BES Client\mypublicaddress.txt”) (action:93003)
Command succeeded copy __appendfile script.ps1 (action:93003)
Wow64 redirection disabled. action uses wow64 redirection false (action:93003)
Command started - waithidden “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -file “C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\CustomSite_Windows_Settings\script.ps1” (action:93003)
Fixed - Spencer Stuart - Clients - Pending Restart and Nobody Logged On (fixlet:8678)

Event Viewer:
The process C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe (USWK4DQQ7Y1) has initiated the restart of computer USWK4DQQ7Y1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Planned)
Reason Code: 0x80000000
Shutdown Type: restart
Comment: IBM BigFix Restart from ActionID 280752

Notice the action ID. The reboot was triggered by action 280752, but most of this log is from action 93003. Sounds like you had a separate policy action set to reboot whenever it becomes relevant.
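The correlation described in the reply above, as an added example that is not part of the original thread: it pulls the action ID out of the restart event's comment and checks whether that ID appears among the `(action:N)` tags in a client log excerpt. The function names are hypothetical, the sample input is copied from the excerpts posted in this thread, and the tag formats are assumed to be exactly those shown there.

```python
import re

# Sample input: lines copied from the client log and Event Viewer text in this thread.
CLIENT_LOG = """Command succeeded delete __appendfile (action:93003)
Command succeeded copy __appendfile script.ps1 (action:93003)
Wow64 redirection disabled. action uses wow64 redirection false (action:93003)
Fixed - Spencer Stuart - Clients - Pending Restart and Nobody Logged On (fixlet:8678)
"""
RESTART_EVENT = """Reason Code: 0x80000000
Shutdown Type: restart
Comment: IBM BigFix Restart from ActionID 280752
"""

# Assumption: the tag formats are exactly those visible in the excerpts above.
ACTION_TAG = re.compile(r"\(action:(\d+)\)")
FIXLET_LINE = re.compile(r"^(.*) \(fixlet:(\d+)\)$")
RESTART_COMMENT = re.compile(r"Restart from ActionID (\d+)")

def restart_action_id(event_text):
    """Return the action ID named in the restart event comment, or None."""
    match = RESTART_COMMENT.search(event_text)
    return int(match.group(1)) if match else None

def logged_action_ids(log_text):
    """Count log lines per action ID, keyed by the (action:N) tag."""
    counts = {}
    for action_id in ACTION_TAG.findall(log_text):
        counts[int(action_id)] = counts.get(int(action_id), 0) + 1
    return counts

def fixlet_lines(log_text):
    """Return (fixlet_id, text) for fixlet-tagged lines, kept as context."""
    hits = (FIXLET_LINE.match(line) for line in log_text.splitlines())
    return [(int(m.group(2)), m.group(1)) for m in hits if m]

def correlate(event_text, log_text):
    """Report whether the restarting action shows up in the log excerpt."""
    restart_id = restart_action_id(event_text)
    seen = logged_action_ids(log_text)
    return {"restart_action": restart_id,
            "logged_actions": seen,
            "restart_action_in_log": restart_id in seen,
            "fixlet_context": fixlet_lines(log_text)}

if __name__ == "__main__":
    print(correlate(RESTART_EVENT, CLIENT_LOG))
```

When `restart_action_in_log` is false, as it is for this excerpt, the log portion being read does not cover the action that requested the restart, so the next step is to search the full client log for that ID.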

I checked that action and it would not have caused the restart… I guess it was just a fluke because no one else that was included in the testing experienced this.

Thanks!

It shouldn’t be a fluke. There are triple checks to make sure an action can restart a computer, so action 280752 must have caused it in some fashion. The action is checked to make sure it was relevant, that it requested a restart, and that it is still present on the system and still an action, so I’m confused if it wasn’t intentional by that action.

I just ran into the exact same issue, but I think I know what happened in our case.

  1. Multi Action Group started against the target.
  2. Action expires before the client is able to send status.
    2.1 Patches are actually queued on the box for install, but there is no way to know that looking at the console because the client status never got there before the action expired.
  3. Server is rebooted two weeks later and the patches install.
  4. The action ID reported in the Windows Event Viewer isn’t anywhere close to any of our action IDs. I even went so far as to query the database for deleted actions.

So, I suspect the reboot was actually triggered elsewhere and the BigFix data in the event log was a glitch of some kind due to a pending restart flag.

Thoughts anyone?
@JasonWalker @AlanM