This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 47%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
One thing that's always Just Worked for me is Group Policy, so this is pretty surprising.
One WS2019 server has a Configure Automatic Updates Policy that's set to 4 - Auto download and schedule the install, set to every Tuesday at 2AM. The other WS2019 and WS2012 are scoped to a different Policy which has 4 - Auto download and schedule the install set to every Tuesday at 3AM.
Aside from the install time, all other WSUS settings are the same between the 2 groups of servers. The 2AM auto-install is working. The 3AM auto-install is not. It used to prior to April 2023 updates.
When I run GPMC Modeling against a 3AM server, it shows 3 - Auto download and notify for install (which is, in fact, what is happening...the updates are waiting for me to click Install in Windows Update).
The Winning GPO reported in GPMC Modelling is the correct GPO. I have verified it is set to 4 - Auto download and schedule the install. This is not a Group Policy inheritance or scoping problem; the intended GPO is applying; the setting is just not being processed correctly.
On the problem servers, AUOptions in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU is set to 3. Should be 4. If I edit it to 4 and GPUPDATE /TARGET:COMPUTER, it reverts to 3. Likewise if I add the /FORCE parameter.
There are 2 DCs, but according to GPMC Status for the Policy in question, both DCs are in sync.
I have deleted and re-created the GPO; no change.
I set the Policy to all the other values offered (2, 3, 5, 7) then back to 4. No change. Not only that, but AUOptions was reported as 3 by GPMC Modelling (rerunning the query each time) no matter what value the Policy was set to.
ADMX files are W10 v22H2. I examined the relevant section of the WindowsUpdate.admx file and it appears to be correct.
Curiously, when I view the registry.pol for this policy file in SDM's Registry.pol Reader program, AUOptions is 4, as it should be. So the Policy is being written correctly to the registry.pol file.
Yet it's reported in GPMC Modeling and written to the Policies key in the computers' Registries as 3. And it works as expected on the 2AM server, the workstations, and on all machines where it's supposed to auto-install at other sites. It's just this one group of servers at this 1 site where it's a problem. Weird, hunh. What do I do about this?
Update: I audited all other GPOs in scope to check for any with 3 Auto download and notify for install. Another GPO, applied BEFORE (that is, lower Priority than) WSUS.Servers.Install.Tuesdays.3AM was set to 3 Auto download and notify for install. GPMC correctly reported that WSUS.Servers.Install.Tuesdays.3AM was the "Winning Policy", but in fact, let the lower priority GPO win, as did the computers processing Policy.
This means that it WAS a GPO Precedence issue...but it should NOT have been, and as such, was not reported by GPMC.
Something changed...and it wasn't these GPOs (until today). They've been in use for a long time and done what they were supposed to do until this month.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there, It seems you have correctly identified the cause for this behaviour and yes this might be due to GPO priority. GPOs are processed in the following order: The local GPO is applied. GPOs linked to sites are applied. GPOs linked to domains are applied. GPOs linked to organizational units are applied. By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container. https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/group-policy-hierarchy You can try some Troubleshooting from here https://social.technet.microsoft.com/wiki/contents/articles/38043.group-policy-basic-troubleshooting-steps-for-beginners.aspx Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--
Well, no, that's not even close to the "answer". The GPO that GPMC Modelling REPORTED was the "Winning GPO" was not, in fact, the "Winning GPO". That's a pretty serious issue I've not seen before, in 2+ decades of using Group Policy. I worked around the problem but I did not solve it. Can't justify investing more time in it, however.