none
Managing Windows Updates with GPO not working.

    Question

  • This might not the be right forum but I'll start here..

    We are testing manging Windows Updates with GPO. We do not have a WSUS server yet.

    I have a very simple GPO, at the root of the domain, filtered to just 2 workstations. 1 Win7 and 1 XP Pro.

    Both workstations are getting the GPO just fine.  However, neither workstation is running updates at all. Nothing has happened for 3 days now.

    Policy is:

    Computer Config>Windows Componets>Windows Update

    Configure Automatic Updates: Enabled

    Option 4 - Auto download and scedule the install

    Every day

    08:00

    No Auto-restart with logged on users for sceduled auto updates: Enabled

    Rescedule Auto Updates scheduled installations: Enabled

    Turn on recommended updates: Enabled

    Both worstations have updates to do.

    Using Windows 2008 R2 servers.

    Thanks for any ideas!

    Wednesday, March 20, 2013 3:37 PM

Answers

  • Hello,

    First of all, is it correct that your client do not have to use a proxy server to access the internet?

    Please provide a reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /s
    and a reg query  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /s for us.

    Please also stop the Windows Update service.
    net stop wuauserv
    Emtpy the logfile C:\Windows\WindowsUpdate.log
    Start the Windows Update service.
    net start wuauserv
    wuauclt /detectnow
    Please wait 5 Minutes.
    Now please have a lock at the logfile again.


    MVP Group Policy - Mythen, Insiderinfos und Troubleshooting zum Thema GPOs: Let's go, use GPO!

    Thursday, March 21, 2013 8:13 PM

All replies

  • Hello,

    Please check the logfile C:\Windows\WindowsUpdate.log for errors.


    MVP Group Policy - Mythen, Insiderinfos und Troubleshooting zum Thema GPOs: Let's go, use GPO!

    Wednesday, March 20, 2013 4:13 PM
  • Here is what the WindowsUpdate.log shows for today. From boot time.

    2013-03-21 07:07:44:867 1004 d7c Misc ===========  Logging initialized (build: 7.6.7600.256, tz: -0500)  ===========
    2013-03-21 07:07:44:898 1004 d7c Misc   = Process: C:\windows\system32\svchost.exe
    2013-03-21 07:07:44:914 1004 d7c Misc   = Module: c:\windows\system32\wuaueng.dll
    2013-03-21 07:07:44:867 1004 d7c Service *************
    2013-03-21 07:07:44:914 1004 d7c Service ** START **  Service: Service startup
    2013-03-21 07:07:44:914 1004 d7c Service *********
    2013-03-21 07:07:45:536 1004 d7c Agent   * WU client version 7.6.7600.256
    2013-03-21 07:07:45:536 1004 d7c Agent   * Base directory: C:\windows\SoftwareDistribution
    2013-03-21 07:07:45:536 1004 d7c Agent   * Access type: No proxy
    2013-03-21 07:07:45:614 1004 d7c Agent   * Network state: Connected
    2013-03-21 07:08:31:044 1004 d7c Report CWERReporter::Init succeeded
    2013-03-21 07:08:31:044 1004 d7c Agent ***********  Agent: Initializing Windows Update Agent  ***********
    2013-03-21 07:08:31:044 1004 d7c Agent ***********  Agent: Initializing global settings cache  ***********
    2013-03-21 07:08:31:044 1004 d7c Agent   * WSUS server: <NULL>
    2013-03-21 07:08:31:044 1004 d7c Agent   * WSUS status server: <NULL>
    2013-03-21 07:08:31:044 1004 d7c Agent   * Target group: (Unassigned Computers)
    2013-03-21 07:08:31:044 1004 d7c Agent   * Windows Update access disabled: No
    2013-03-21 07:08:31:060 1004 d7c DnldMgr Download manager restoring 0 downloads
    2013-03-21 07:08:31:091 1004 d7c AU ###########  AU: Initializing Automatic Updates  ###########
    2013-03-21 07:08:31:091 1004 d7c AU AU setting next sqm report timeout to 2013-03-21 12:08:31
    2013-03-21 07:08:31:091 1004 d7c AU   # AU disabled through Policy
    2013-03-21 07:08:31:091 1004 d7c AU   # Will interact with non-admins (Non-admins are elevated (User preference))
    2013-03-21 07:08:31:091 1004 d7c AU Initializing featured updates
    2013-03-21 07:08:31:107 1004 d7c AU Found 0 cached featured updates
    2013-03-21 07:08:31:526 1004 d7c Report ***********  Report: Initializing static reporting data  ***********
    2013-03-21 07:08:31:526 1004 d7c Report   * OS Version = 6.1.7601.1.0.65792
    2013-03-21 07:08:31:526 1004 d7c Report   * OS Product Type = 0x00000030
    2013-03-21 07:08:31:526 1004 d7c Report   * Computer Brand = Hewlett-Packard
    2013-03-21 07:08:31:526 1004 d7c Report   * Computer Model = HP Compaq 6005 Pro SFF PC
    2013-03-21 07:08:31:542 1004 d7c Report   * Bios Revision = 786G6 v01.11
    2013-03-21 07:08:31:542 1004 d7c Report   * Bios Name = Default System BIOS
    2013-03-21 07:08:31:542 1004 d7c Report   * Bios Release Date = 2010-08-04T00:00:00
    2013-03-21 07:08:31:542 1004 d7c Report   * Locale ID = 1033
    2013-03-21 07:08:31:604 1004 d7c AU Successfully wrote event for AU health state:0
    2013-03-21 07:08:31:604 1004 d7c AU Successfully wrote event for AU health state:0
    2013-03-21 07:08:31:604 1004 d7c AU AU finished delayed initialization
    2013-03-21 07:08:31:604 1004 d7c AU AU setting next sqm report timeout to 2013-03-22 12:08:31
    2013-03-21 07:08:36:610 1004 e40 Report CWERReporter finishing event handling. (00000000)

    The XP log is almost exactly the same.

    2 things stand out to me:

    2013-03-21 07:08:31:044 1004 d7c Agent   * WSUS server: <NULL>
    2013-03-21 07:08:31:044 1004 d7c Agent   * WSUS status server: <NULL>
    2013-03-21 07:08:31:044 1004 d7c Agent   * Target group: (Unassigned Computers)

    Do I have to have a WSUS server?

    Is my GPO not targeted correctly even though the gpresult says it is applied?

    Thanks again for any help!

    Thursday, March 21, 2013 1:55 PM
  • Enable "Allow non-administrators to receive update notifications"

    Do your users have admin rights on the Windows 7 workstation?

    Thursday, March 21, 2013 2:50 PM
  • Yes, they are. However, shouldn't the GPO (computer policy, targeted at workstations) ignore any user stuff?

    Thursday, March 21, 2013 3:14 PM
  • Hello,

    First of all, is it correct that your client do not have to use a proxy server to access the internet?

    Please provide a reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /s
    and a reg query  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /s for us.

    Please also stop the Windows Update service.
    net stop wuauserv
    Emtpy the logfile C:\Windows\WindowsUpdate.log
    Start the Windows Update service.
    net start wuauserv
    wuauclt /detectnow
    Please wait 5 Minutes.
    Now please have a lock at the logfile again.


    MVP Group Policy - Mythen, Insiderinfos und Troubleshooting zum Thema GPOs: Let's go, use GPO!

    Thursday, March 21, 2013 8:13 PM
  • So sorry this was late! We had spring break last week.

    Clearing the WindowsUpdate.log and viewing a fresh one is what helped the most.

    We have a GPO at root level that has Windows Computer Preference REG edit:

    HKLM/Software/policies/Microsoft/Windows/WindowsUpdate/AU

    NoAutoUpdate

    REG_DWORD

    0x1

    I'm going to assume that this is the problem. I will talk it over with my Admin and see if it's OK to turn this off now.

    Thanks for your help!

    Monday, April 01, 2013 12:29 PM