Windows Update settings in domain group policy not applied to domain computers

Paul Nerie 266 Reputation points
2021-09-01T02:02:01.017+00:00

I have read other posts about Windows Update policy settings not applied to domain computers, but I'm not sure about the WSUS requirement.

Is WSUS the update service from Microsoft itself, or the WSUS server role that can be installed on one of the network computers?

I'm trying to configure the Windows Update settings, but they are not being applied to domain computers.

I want the updates to be downloaded automatically but not automatically installed. I have set Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates to '3 - Auto download and notify to install', but the domain computers' setting is still 'Not configured'.

Is my understanding on this not correct? Or am I missing something in the process?

Thanks in advance

Windows Server

Accepted answer
  1. AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
    2021-09-01T07:38:09.737+00:00

    Hi,

    If you mentioned Not Configured, it is probably because you opened the Local Group Policy Editor to view the settings we configured in Group Policy Management; this is normal, since the domain group policy settings are not reflected locally.

    To check whether the domain policy settings have taken effect or not, we can use gpresult /h c:\temp\test0901.html (run as administrator to retrieve the computer configuration settings). After the file is exported, we can view it with any web browser.

    Here are some screenshots from the lab, just for your reference.

    domain policy settings (disabled)
    128233-gp-02.png

    domain computer local settings (not configured)
    128271-gp-01.png

    gpresult to confirm the effective value (winning GPO)

    128177-gp-04.png

    128262-gp-03.png

    Alex
    If the response is helpful, please click "Accept Answer" and upvote it.
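
Added example, not part of the original answer: a PowerShell check that reads the registry values written by the "Configure Automatic Updates" policy and then exports the computer-scope gpresult report described above. The function name `Get-WindowsUpdatePolicyState` and the report file name are assumptions made for this illustration.

```powershell
# Added example: run in an elevated PowerShell session on the domain computer.
# Registry-based policy from any applied GPO (domain or local) ends up under
# this key; gpedit.msc only displays what is set in the local GPO.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values written by "Configure Automatic Updates"
$auOptions = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-WindowsUpdatePolicyState {   # hypothetical helper name
    if (-not (Test-Path -Path $auKey)) {
        return [pscustomobject]@{ State = 'Not configured'; AUOptions = $null; Meaning = 'No policy key present' }
    }
    $au = Get-ItemProperty -Path $auKey
    if ($au.NoAutoUpdate -eq 1) {
        return [pscustomobject]@{ State = 'Disabled'; AUOptions = $null; Meaning = 'Automatic Updates turned off by policy' }
    }
    if ($null -eq $au.AUOptions) {
        return [pscustomobject]@{ State = 'Not configured'; AUOptions = $null; Meaning = 'Key exists but AUOptions is not set' }
    }
    $value   = [int]$au.AUOptions
    $meaning = $auOptions[$value]
    if (-not $meaning) { $meaning = 'Value not in the table above' }
    [pscustomobject]@{ State = 'Enabled'; AUOptions = $value; Meaning = $meaning }
}

# Refresh computer policy, then show what actually landed on this machine.
gpupdate /target:computer /force | Out-Null
Get-WindowsUpdatePolicyState | Format-List

# Export the computer-scope RSoP report; it names the winning GPO per setting.
$report = Join-Path $env:TEMP 'gpresult-computer.html'   # assumed file name
gpresult /scope computer /h $report /f
Write-Host "Report written to $report"
```

If the function reports Enabled with AUOptions 3 while the Local Group Policy Editor still shows Not configured, the domain GPO has applied and the editor is simply showing the local GPO.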


4 additional answers

  1. Paul Nerie 266 Reputation points
    2021-09-01T08:59:34.313+00:00

    Hello AlexZhu-MSFT,

    Thanks for the reply.

    I have not checked yet using gpresult, but I have some settings in the domain group policy that do affect the domain controllers. Removing the background options is an example.

    Assuming it is not reflected to the local group policy, why is this so? Can I force it to be pushed to the domain computers?

    It is my understanding that you use the domain group policy so you don't need to change the individual domain computers' policies.

    Sorry but I don't know if my terminology is correct. What I mean by domain group policy is opening the group policy in the PDC.


  2. Adam J. Marshall 8,886 Reputation points MVP
    2021-09-02T01:19:34.4+00:00

    Group Policy applies in layers. It is the sum of these layers that equals the resultant set of policies (RSOP), which GPResult /h gpo.html will show and help you diagnose the issue.

    Remember, the "Domain Controllers" OU is off the root of the domain. Only policies attached to the domain or the specific Domain Controllers OU will be processed.

    Local group policy is applied first, then domain GPOs. If something is set in the local GPO, and nothing in the domain GPOs overrides that value, then the resultant set of policies will show that it is set by the Local group policy.

    There is 1 policy in the domain GPOs that allows you to globally set it to ignore local GPOs, but it's on a global scale so be careful if you're thinking of enabling it.

    You should be managing Group Policy through GPMC.msc either on a Windows Client system using RSAT (Recommended) or directly on a domain controller or other server with RSAT tools enabled.

    I'd recommend reading through:

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

    and then parts 4 and 5 of my blog series on How to Setup, Manage, and Maintain WSUS.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

    I'd also recommend reading more of the guides on my site, especially

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
    and
    https://www.ajtek.ca/guides/role-based-access-security/


  3. Paul Nerie 266 Reputation points
    2021-09-02T02:34:04.553+00:00

    Hello AJTek-Adam-J-Marshall,

    Thanks for the info.

    I applied the updates to the Default Domain Policy of the domain.

    I have run gpresult on one of the domain computers and I don't see any of the settings I have set, like in AlexZhu's post.

    For example I have this:

    128541-gpo.png

    But it does not appear in the gpresult output.

    128531-gpresult.png

    But the settings are applied though. I cannot use copy and paste for example from the VM to my home computer.


  4. Adam J. Marshall 8,886 Reputation points MVP
    2021-09-02T12:37:40.22+00:00

    It is recommended NOT to add policy settings to the Default Domain Policy, but rather create new GPOs and link them to the root of the domain (or elsewhere as needed).

    Looks like the setting "Turn off Local Group Policy Objects processing" may be enabled. Computer Configuration > Administrative Templates > System > Group Policy.

    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::DisableLGPOProcessing