Why is Group Policy not applying to some clients appropriately ?


  • This is a weird problem that I need help figuring out.

    I have mostly windows 7 32bit and 64bit client workstations.

    PDC is Windows 2008 R2

    SDC is Windows 2012 R2

    SDC has WSUS console and IIS installed and configured properly (supposedly).

    Default domain policy had Configure Automatic Updates disabled. I enabled the policy.

    I ran gpupdate /force on the offending computers that will not report to the console.

    Computers refuse to show up. The windows update log showed that AU was disabled by policy.

    I run gpresult /h and Configure Automatic Updates is disabled in the default domain policy.

    Both the AD and Sysvol versions on the client match up with the AD and Sysvol versions on the servers.

    The client can communicate with the PDC just fine. The Default domain policy is the winning GPO according to gpresult.

    What is the deal? I can post any logs or gpresults if needed.

    Wednesday, July 20, 2016 1:39 PM


  • Hi,
    I would suggest to refer to the following article and check if the registry settings of WSUS AU are configured correctly from registry editor.
    And you could do a test as below to try again:
    1. Create OU to organize the clients;
    2. Create a new GPO and configure WSUS settings as you request. Generally, it is suggested to leave Default domain policy alone and not touch it.
    3. Link the new GPO to OU and run gpupdate /force to see if it works.

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Thursday, July 21, 2016 2:01 AM