We had some servers go down unexpectedly after we re-populated some SCCM(MECM) collections.
EVENT 1074
The process C:\Windows\SysWOW64\shutdown.exe (<servername>) has initiated the restart of computer <servername> on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
No on behalf of, no reason etc.. A regular SCCM patching reboot looks like this:
The process C:\Windows\CCM\CcmExec.exe (<servername>) has initiated the restart of computer <servername> on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at
2021-02-06 8:46:42 AM to complete the installation of applications and software
updates.
It turns our after looking in C:\windows\ccm\logs\execmgr.log on one of the servers around the same reboot time we saw that an old pre-reboot job had kicked in we had in place with no maintenance window.
Executing program as a script execmgr 2021-02-05
4:07:35 PM 14768 (0x39B0)
Successfully prepared command
line "C:\Windows\system32\shutdown.exe" /r /f /t 0 execmgr 2021-02-05
4:07:35 PM 14768 (0x39B0)
So it was SCCM after all.
