Automatic GPO updates disabled for no reason. RRS feed

  • Question

  • Originally our GPO settings allowed the users to update and restart whenever they wanted. I'm finally throwing that out the window and I'm forcing automatic updates and restarts. So here's the deal, I set all the group policy settings so that everything should update outside of active hours but, on each computer it says that the automatic updates are disabled. 

    Here is a picture from one of the users PC:

    Before I thought that it was because I didn't remove the automatic update restrictions off the default domain policy but, I've changed the default domain policy settings.

    Is there anywhere else that I need to change a setting like this?

    Again, the goal is to make all updates complete outside of active hours. 

    Thursday, September 12, 2019 2:02 PM

All replies

  • Run rsop.msc and gpresult/r on one of your PC to find applied group policy as below articles,

    Then you can find relevant Group policy object which has been configured WSUS settings..

    Then you can remove that group policy object from linked OU from AD.

    then check the status

    Thursday, September 12, 2019 2:46 PM
  • Hi,

    Could you show the GPOs that you have configured?

    Make sure the "Configure Automatic Updates" GPO is enabled, it can be found under:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update

    If the GPO is correctly configured, make sure it gets applied to the client computers, you can run the following command: GPResult /H "C:\Temp\GPResult.html" to check which GPOs are applied on a client .

    If the GPO is not applied, make sure the GPO is linked to the correct Organizational Unit (OU) where the computer objects are located.

    Best regards,

    Blog: LinkedIn:

    Thursday, September 12, 2019 2:48 PM
  • all the settings on rosp.msc are the ones that I want. Here are the settings I've set

    Thursday, September 12, 2019 3:04 PM
  • It is configured and applied. I have confirmed it in the above picture.
    Thursday, September 12, 2019 3:08 PM
  • Can you check the Windows registry on a client to see if there are the below registry keys?

    If the NoAutoUpdate registry entry exists and is set to 0, then the automatic updates is configured.

    Blog: LinkedIn:

    Thursday, September 12, 2019 3:12 PM
  • Here is the picture of the registry. Note that there was previous policy's in place to stop updates from restarting an such.

    Thursday, September 12, 2019 3:17 PM
  • We can now confirm that the automatic updates are indeed not enabled, is this the same for all client computers?

    So the GPO is being applied, but it's not configuring the settings as it should.

    Have you tried restarting or running a gpupdate /force on any of the clients?

    Blog: LinkedIn:

    Thursday, September 12, 2019 3:29 PM
  • It seems to be the same on all computers. This is a fresh install of Windows 10 aswell. I have restarted and ran many gpupdates. I did both just now but everything is the same. 
    Thursday, September 12, 2019 3:35 PM
  • Do you see the following in the GPO report?

    You could try re-creating the GPO, or try by creating a new GPO to a different OU just to see if it's a faulty/corrupted GPO or if the problem is somewhere else.

    Blog: LinkedIn:

    Thursday, September 12, 2019 3:51 PM
  • Yes I see that same exact thing on my end. There shouldn't be anything wrong with that GPO i just created it.
    Thursday, September 12, 2019 5:12 PM
  • I've got another GPO just like it. I had to create two because this one has different active hours. I'm going to see if this one works or not. 
    Thursday, September 12, 2019 5:39 PM
  • Please post gpresult /r output here from a client PC
    Thursday, September 12, 2019 6:33 PM
  • How the automatic update gpo is being filtered out for (unknown reason)

    Thursday, September 12, 2019 7:09 PM
  • Could it have something to do with this:
    MS16-072: Security update for Group Policy: June 14, 2016

    "MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles"

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    More information here:
    Microsoft Security Bulletin MS16-072 - Important

    Blog: LinkedIn:

    • Edited by Leon Laude Thursday, September 12, 2019 7:23 PM
    Thursday, September 12, 2019 7:20 PM
  • I did some research and came across this as well. I added domain computers to the delegation but, the issue still remains. Maybe we need to restart the server? 
    Thursday, September 12, 2019 7:56 PM
  • Try a reboot, could also for the sake of it try re-creating the GPO once more just to be sure.

    Blog: LinkedIn:

    Thursday, September 12, 2019 7:56 PM
  • Trust me, I've rebooted like 100 times. I'm using a test computer not my work computer. 
    Thursday, September 12, 2019 8:04 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    Would you please provide the gpresult file for us?

    For computer configuration:
    1. Logon one client with domain Administrator account.
    2. Open CMD, run as administrator.
    3. Type gpresult /h C:\report.html and click Enter.
    4. Open report file to check the policies under Computer Configuration.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, September 13, 2019 2:42 AM
  • It doesn't even matter. now the GPO doesn't even showing up on gpresult /r. I'm not sure why this isn't working.  
    Friday, September 13, 2019 3:27 PM
  • Hi,
    From the above information, it seems that we have not successfully configured this GPO.

    Do we enable the GPO?

    We can try to reconfigure this group policy settings as below:

    1. Re-create an OU and put the machines into this OU.

    2. Re-create a GPO and edit this GPO.

    3. Link this GPO to the OU in step 1.

    4. Reatart one machine in the above OU and check if it helps.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, September 16, 2019 2:14 AM
  • I have done all of these things. I know that the gpo is created correctly and enforced. I had the DC restarted over the weekend to see if it changes anything. 
    Monday, September 16, 2019 12:28 PM
  • Hi,
    OK. I am looking forwad to your reply.

    Meanwhile, we can run gpupdate /force on DC, then run gpupdate /force on one problematic client to see if there is any error message.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, September 17, 2019 1:41 AM
  • I'm out of the office till next Wednesday. I will try it then.
    Tuesday, September 17, 2019 3:52 PM
  • Hi,
    OK. I will I am looking forward to your reply. 

    Have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, September 18, 2019 2:04 AM