After installing SEP 11.0.6300.803 on Windows Server 2008 64bit and declining a restart, SEP restarted the server by itself about 15 hours later. In the middle of the day, thus users losing data.
From Event viewer:
The process Smc.exe has initiated the restart of computer KANNEL on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: restart
Comment:
And also this appeared in the Application log a few times before the restart:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-1220945662-113007714-1957994488-1676:
Process 14832 (\Device\HarddiskVolume1\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1220945662-113007714-1957994488-1676\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 1032 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1220945662-113007714-1957994488-1676\Printers\DevModePerUser
Before the restart, the setting "Changes requiring Auto-Protect reload" was on "Stop and reload Auto-Protect". After the restart, I set it on "Wait until the computer is restarted". Could this have something to do with the restart?