Forum Discussion
Windows Server 2022 Updates Anomaly
Hi,
I've got 4 Windows 2022 servers configured for automatic updates using the following Group Policy option on the 3rd Wednesday of each month:
2 - Notify for download and auto install
These servers are meant to have Windows updates manually installed by an Administrator.
One of those servers stopped reporting to WSUS and it turns out the computer certificate (issued by an internal Microsoft CA) was missing. Once that was resolved, it reported to WSUS correctly. To test, I ran the following commands:
- usoclient.exe startscan
- Get-WindowsUpdate
Several minutes after running the above commands, Event ID 44 was generated by the Windows Update Client downloading the updates. This was quickly followed by Event ID 43 where it started installing the updates.
And about 12 hours later at 11:58PM, Event ID 1074 was generated where svchost.exe on behalf of NT AUTHORITY\SYSTEM initiated a reboot. 2 minutes later at 12:00AM, another Event ID 1074 saw TrustedInstaller on behalf of user NT AUTHORITY\SYSTEM initiate a reboot.
And finally at 12:03AM, Event ID 19 was generated saying the update was successfully installed. Event ID 19 was repeated again 1 minute later.
As far as I can tell, usoclient.exe startscan and Get-WindowsUpdate without any options do NOT initiate a download and install of the updates.
The other 3 servers behaved themselves until an Administrator went in and downloaded and installed the updates. This 1 rogue server decided to take its own initiative and the only difference from the other 3 is the missing computer certificate which was subsequently restored.
Any pointers as to how this could have happened would be much appreciated.
Thanks.
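To put the events named in the post (44 download started, 43 install started, 19 install succeeded, 1074 restart requested) on one timeline from the affected server's own logs, here is an added PowerShell example; it is not part of the original post. It assumes it is run as an administrator on the server in question, and the `$Since` parameter is an assumption for the example.

```powershell
# Added example, not from the original post: rebuild the Windows Update event sequence
# (44 download, 43 install start, 19 installed, 1074 restart) into one ordered timeline so
# the "who triggered it" question can be answered from the logs rather than from memory.
# Assumes: run elevated on the affected server; $Since is an assumed parameter.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

function Get-WuTimeline {
    param([datetime]$From)

    # Windows Update Client operational log: the IDs are the ones observed in the post.
    $wuEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 19, 43, 44
        StartTime = $From
    } -ErrorAction SilentlyContinue

    # System log, event 1074: a process requested a shutdown or restart on behalf of a user.
    # The first line of its message names the process and the account it acted for.
    $rebootEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = $From
    } -ErrorAction SilentlyContinue

    foreach ($e in @($wuEvents) + @($rebootEvents)) {
        if ($null -eq $e) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Provider = $e.ProviderName
            # First line of the message is enough to see the update title or process/user.
            Summary  = ($e.Message -split "`r?`n")[0]
        }
    }
}

Get-WuTimeline -From $Since | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Reading the output top to bottom shows whether a 44 (download) appears without any preceding interactive action, and whether the 1074 entries cite svchost.exe or TrustedInstaller on behalf of SYSTEM, which is the pattern the post describes.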
1 Reply
- L_Youtell_974 (Iron Contributor)
Did you try to use GPO or the registry to set the Windows Update parameters?
https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configure-automatic-updates
If you want to block Windows Update completely you can put a fake WSUS server; in that case your server will not be able to find the updates, and after that you can download and install the updates manually via the option "check online for updates from Microsoft Update".
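To check what the registry-backed policy actually says on each server (and spot the one that differs), here is an added PowerShell example; it is not part of the reply. It reads the documented values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` and compares them with an expected state that is assumed for this example: AUOptions 2 (the "notify for download" option the thread refers to) and a WSUS server in use.

```powershell
# Added example, not from the reply: audit the Windows Update policy values on this host
# against the intended state, so drift on a single server is visible at a glance.
# The expected values below are assumptions for the example, not mandated by the thread.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-WuPolicy {
    param([string]$Root)

    # Expected state for these servers (assumed for the example).
    $expected = @{
        'AU\NoAutoUpdate' = 0   # 0 = automatic updates not disabled, AUOptions applies
        'AU\AUOptions'    = 2   # 2 = notify before download (admin must approve)
        'AU\UseWUServer'  = 1   # 1 = use the WSUS server named in WUServer
    }

    foreach ($entry in $expected.GetEnumerator()) {
        $sub, $name = $entry.Key -split '\\', 2
        $actual = Get-RegValue -Path (Join-Path $Root $sub) -Name $name
        [pscustomobject]@{
            Setting  = $entry.Key
            Expected = $entry.Value
            Actual   = $actual
            Status   = if ($null -eq $actual) { 'MISSING' }
                       elseif ($actual -eq $entry.Value) { 'OK' }
                       else { 'DRIFT' }
        }
    }
}

$results = Test-WuPolicy -Root $policyRoot
$results | Format-Table -AutoSize

# WSUS target and status-reporting server live directly under the policy key, not under AU.
[pscustomobject]@{
    WUServer       = Get-RegValue -Path $policyRoot -Name 'WUServer'
    WUStatusServer = Get-RegValue -Path $policyRoot -Name 'WUStatusServer'
} | Format-List

if ($results.Status -contains 'DRIFT' -or $results.Status -contains 'MISSING') {
    Write-Warning 'Windows Update policy on this host does not match the expected state.'
}
```

Running this on all four servers and diffing the tables is a quick way to confirm that the policy, not just the GPO link, is identical on the host that installed and rebooted on its own.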