Is it possible to see what triggered an Azure VM reboot?

windows azure virtual-machines windows-server-2019

I have received some email notifications from Azure, containing this:

Activity log alert  Alert [Server Name] Health Status  
Properties {
    "title":"Reboot initiated from inside the machine",
    "details":"A reboot was triggered from inside the virtual machine. This could be due to a virtual machine operating system failure or as requested by an authorized user or process. The virtual machine will be back online after the reboot completes.",
    "currentHealthStatus":"Unavailable",
    "previousHealthStatus":"Unavailable",
    "type":"Downtime",
    "cause":"UserInitiated" }

This definitely was not 'UserInitiated' but could have been caused by Windows Update as the time falls within the 'out of hours' window defined.

However, is there any way to tell in the logs what triggered the reboot?


Have a look at "Resource health" to see if there are any other events in the history. You are right, if it falls into the "out of hours" windows it was probably Windows Update. In our environment we get exactly these notifications when Windows Update triggers a reboot.

If you want to be 100% sure it was Windows Updates, filter the system Event Log for IDs 1074, 6006 and 6008. Look for an event at the reboot time. It should say something like this:

    The process C:\windows\system32\wbem\wmiprvse.exe (HOSTNAME) has initiated the restart of computer HOSTNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x80070015
 Shutdown Type: restart
 Comment:

Microsoft could have added a reason so it would be easier to identify why...


Your only/best chance is to look inside the VM into whatever logging is active there.

Azure tells you - obviously for anyone reading - that the reboot was triggered from INSIDE the VM. That is where the platform knowledge ends, the VM asks for a reboot.

Now, inside you MAY find more Information, but a lot really depends on OS, setup and - worst case - even no the applications (i.e. whether they even log this).

You will not find anything on Azure as the outside has no knowledge.

Also note:

This definitely was not 'UserInitiated' but could have been caused by Windows Update as the time falls within the 'out of hours' window defined.

Per definition, from the point of view of the Azure environment, Windows Update running in the VM IS USER INITIATED. The user (i.e. the VM) asks for a reboot. So, it is absolutely user initiated.

Related

Attribute a static public ip for a pod in kubernetes and specify in service
OOBE not run after sysprep, only a login screen is displayed
SQL Converting strings to date [closed]
How to make a JPA query use primitive ID instead of managed instance?
android close current activity from WebView
Inserting non duplicate rows in a table without dropping the table
Access Iframe content with Javascript
How can you do dynamic, key-based SSH similar to GitHub?
Why is my RAIDZ2 pool larger than the expected size calculation?
Kerberos Event 4 servername showing username
IPSec VPN set up (Windows)
linux/solaris kill many proccess with one command