none
Automatic GPO updates disabled for no reason. RRS feed

  • Question

  • Originally our GPO settings allowed the users to update and restart whenever they wanted. I'm finally throwing that out the window and I'm forcing automatic updates and restarts. So here's the deal, I set all the group policy settings so that everything should update outside of active hours but, on each computer it says that the automatic updates are disabled. 

    Here is a picture from one of the users PC:

    Before I thought that it was because I didn't remove the automatic update restrictions off the default domain policy but, I've changed the default domain policy settings.

    Is there anywhere else that I need to change a setting like this?

    Again, the goal is to make all updates complete outside of active hours. 

    Thursday, September 12, 2019 2:02 PM

All replies

  • Run rsop.msc and gpresult/r on one of your PC to find applied group policy as below articles,

    https://activedirectorypro.com/how-to-use-rsop-to-check-and-troubleshoot-group-policy-settings/

    http://woshub.com/diagnose-group-policies-issues-with-gpresult/

    Then you can find relevant Group policy object which has been configured WSUS settings..

    Then you can remove that group policy object from linked OU from AD.

    then check the status

    Thursday, September 12, 2019 2:46 PM
  • Hi,

    Could you show the GPOs that you have configured?

    Make sure the "Configure Automatic Updates" GPO is enabled, it can be found under:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update

    If the GPO is correctly configured, make sure it gets applied to the client computers, you can run the following command: GPResult /H "C:\Temp\GPResult.html" to check which GPOs are applied on a client .

    If the GPO is not applied, make sure the GPO is linked to the correct Organizational Unit (OU) where the computer objects are located.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, September 12, 2019 2:48 PM
  • all the settings on rosp.msc are the ones that I want. Here are the settings I've set

    Thursday, September 12, 2019 3:04 PM
  • It is configured and applied. I have confirmed it in the above picture.
    Thursday, September 12, 2019 3:08 PM
  • Can you check the Windows registry on a client to see if there are the below registry keys?

    If the NoAutoUpdate registry entry exists and is set to 0, then the automatic updates is configured.


    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, September 12, 2019 3:12 PM
  • Here is the picture of the registry. Note that there was previous policy's in place to stop updates from restarting an such.

    Thursday, September 12, 2019 3:17 PM
  • We can now confirm that the automatic updates are indeed not enabled, is this the same for all client computers?

    So the GPO is being applied, but it's not configuring the settings as it should.

    Have you tried restarting or running a gpupdate /force on any of the clients?


    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, September 12, 2019 3:29 PM
  • It seems to be the same on all computers. This is a fresh install of Windows 10 aswell. I have restarted and ran many gpupdates. I did both just now but everything is the same. 
    Thursday, September 12, 2019 3:35 PM
  • Do you see the following in the GPO report?



    You could try re-creating the GPO, or try by creating a new GPO to a different OU just to see if it's a faulty/corrupted GPO or if the problem is somewhere else.


    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, September 12, 2019 3:51 PM
  • Yes I see that same exact thing on my end. There shouldn't be anything wrong with that GPO i just created it.
    Thursday, September 12, 2019 5:12 PM
  • I've got another GPO just like it. I had to create two because this one has different active hours. I'm going to see if this one works or not. 
    Thursday, September 12, 2019 5:39 PM
  • Please post gpresult /r output here from a client PC
    Thursday, September 12, 2019 6:33 PM
  • How the automatic update gpo is being filtered out for (unknown reason)

    Thursday, September 12, 2019 7:09 PM
  • Could it have something to do with this:
    MS16-072: Security update for Group Policy: June 14, 2016

    "MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles"

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    More information here:
    Microsoft Security Bulletin MS16-072 - Important


    Blog: https://thesystemcenterblog.com LinkedIn:


    • Edited by Leon Laude Thursday, September 12, 2019 7:23 PM
    Thursday, September 12, 2019 7:20 PM
  • I did some research and came across this as well. I added domain computers to the delegation but, the issue still remains. Maybe we need to restart the server? 
    Thursday, September 12, 2019 7:56 PM
  • Try a reboot, could also for the sake of it try re-creating the GPO once more just to be sure.

    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, September 12, 2019 7:56 PM
  • Trust me, I've rebooted like 100 times. I'm using a test computer not my work computer. 
    Thursday, September 12, 2019 8:04 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    Would you please provide the gpresult file for us?


    For computer configuration:
    1. Logon one client with domain Administrator account.
    2. Open CMD, run as administrator.
    3. Type gpresult /h C:\report.html and click Enter.
    4. Open report file to check the policies under Computer Configuration.




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 13, 2019 2:42 AM
    Moderator
  • It doesn't even matter. now the GPO doesn't even showing up on gpresult /r. I'm not sure why this isn't working.  
    Friday, September 13, 2019 3:27 PM
  • Hi,
    From the above information, it seems that we have not successfully configured this GPO.

    Do we enable the GPO?





    We can try to reconfigure this group policy settings as below:

    1. Re-create an OU and put the machines into this OU.

    2. Re-create a GPO and edit this GPO.

    3. Link this GPO to the OU in step 1.

    4. Reatart one machine in the above OU and check if it helps.





    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 16, 2019 2:14 AM
    Moderator
  • I have done all of these things. I know that the gpo is created correctly and enforced. I had the DC restarted over the weekend to see if it changes anything. 
    Monday, September 16, 2019 12:28 PM
  • Hi,
    OK. I am looking forwad to your reply.

    Meanwhile, we can run gpupdate /force on DC, then run gpupdate /force on one problematic client to see if there is any error message.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 17, 2019 1:41 AM
    Moderator
  • I'm out of the office till next Wednesday. I will try it then.
    Tuesday, September 17, 2019 3:52 PM
  • Hi,
    OK. I will I am looking forward to your reply. 

    Have a nice day!



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 18, 2019 2:04 AM
    Moderator
  • Hi,
    If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 26, 2019 9:12 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 30, 2019 9:56 AM
    Moderator
  • Sorry for the late response. I have been very busy with other projects.

    I figured out that the GPO will only apply to new devices for some reason. I've configured two new devices in the past week and they both adopt the auto update GPO. The GPO does not show up in gpresult /r /scope:user, I'm assuming that's because its a computer configuration. When I use RSOP.msc, the configurations are being enforced on the newly configured machines.

    On any other machines the windows update settings do show up on RSOP.msc. But they do not take effect. The attached screenshot shows RSOP and the windows update screen. The second screenshot shows the settings taking effect for windows updates. 

    Note: windows updates were disabled through the default domain policy but, I have disabled that setting. 

    Wednesday, October 9, 2019 1:57 PM
  • Hi,
    According to "Note: windows updates were disabled through the default domain policy but, I have disabled that setting. ", do we mean you have enabled that setting?


    Would you please check whether Configure Automatic Update is also configured to Disabled.


    For computer configuration:
    1. Logon one client with domain Administrator.
    2. Open CMD, run as administrator.
    3. Type gpresult /h C:\report.html and click Enter.
    4. Open report file to check the policies under Computer Configuration.

    Because:






    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 10, 2019 2:31 AM
    Moderator
  • Hi,

    "According to "Note: windows updates were disabled through the default domain policy but, I have disabled that setting. ", do we mean you have enabled that setting?"

    This meant that originally disabling automatic updates was a setting on the default domain policy. The windows update rules are on another GPO now because I need to set different active hours for different devices. Long story short, there isn't any other windows update GPO rules on any other group policy objects.

    Configure automatic updates is enabled.

    I checked on the machine, the GPO is being applied but, It still states that automatic updates are disabled on the device. Like I said previously, I can only get these automatic updates to work on newly configured devices.

    Thursday, October 10, 2019 1:51 PM
  • Hi,
    Configure automatic updates on Default Domain Policy is Not Configured or Enabled, is it right?

    If so, we can disjoin one problematic client and rejoin it to the domain, then check if it helps.




    Best Regards,
    Daisy Zhou



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 11, 2019 6:19 AM
    Moderator
  • Configure automatic updates on Default Domain Policy is Not Configured or Enabled, is it right?

    That is correct. It is set on not configured.

    If so, we can disjoin one problematic client and rejoin it to the domain, then check if it helps.

    Already tried with one of them.

    Friday, October 11, 2019 12:25 PM