PaulNerie-9756 asked PaulNerie-9756 commented

Windows Update settings in domain group policy not applied to domain computers

I have read other posts about Windows Update policy settings not applied to domain computers, but I'm not sure about the WSUS requirement.

Is WSUS the update service from Microsoft itself, or the WSUS server role that can be installed on one of the network computers?

I'm trying to configure the Windows Update settings, but they are not being applied to domain computers.

I want the updates to be downloaded automatically but not automatically installed. I have set Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates to '3 - Auto download and notify to install', but the domain computers' setting is still set to 'Not configured'.

Is my understanding on this not correct? Or am I missing something in the process?

Thanks in advance

windows-server-update-services

AlexZhu-MSFT answered AlexZhu-MSFT edited

Hi,

If you mentioned Not Configured, it is probably because you opened the Local Group Policy Editor to view the settings we configured in Group Policy Management. This is normal, since the domain group policy settings are not reflected locally.

To check whether the domain policy settings have taken effect, we can use gpresult /h c:\temp\test0901.html (run as administrator to retrieve the computer configuration settings). After the file is exported, we can view it with any web browser.

Here are some screenshots from the lab, just for your reference.

domain policy settings (disabled)
[screenshot: 128233-gp-02.png]

domain computer local settings (not configured)
[screenshot: 128271-gp-01.png]

gpresult to confirm the effective value (winning GPO)
[screenshot: 128177-gp-04.png]
[screenshot: 128262-gp-03.png]

Alex

PaulNerie-9756 answered

Hello AlexZhu-MSFT,

Thanks for the reply.

I have not checked yet using gpresult, but I have some settings in the domain group policy that do affect the domain controllers. Removing the background options is an example.

Assuming it is not reflected to the local group policy, why is this so? Can I force it to be pushed to the domain computers?

It is my understanding that you use the domain group policy so you don't need to change the individual domain computers' policies.

Sorry but I don't know if my terminology is correct. What I mean by domain group policy is opening the group policy in the PDC.


AJTek-Adam-J-Marshall answered

Group Policy applies in layers. It is the sum of the layers that equals the resultant set of policies (RSOP), which GPResult /h gpo.html will show and help you diagnose the issue.

Remember, the "Domain Controllers" OU is off the root of the domain. Only policies attached to the domain or the specific Domain Controllers OU will be processed.

Local group policy is applied first, then domain GPOs. If something is set in the local GPO, and nothing in the domain GPOs overrides that value, then the resultant set of policies will show that it is set by the Local group policy.

There is 1 policy in the domain GPOs that allows you to globally set it to ignore local GPOs, but it's on a global scale so be careful if you're thinking of enabling it.

You should be managing Group Policy through GPMC.msc either on a Windows Client system using RSAT (Recommended) or directly on a domain controller or other server with RSAT tools enabled.

I'd recommend reading through:

https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

and then parts 4 and 5 of my blog series on How to Setup, Manage, and Maintain WSUS.

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

I'd also recommend reading more of the guides on my site, especially

https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
and
https://www.ajtek.ca/guides/role-based-access-security/


PaulNerie-9756 answered AlexZhu-MSFT commented

Hello AJTek-Adam-J-Marshall,

Thanks for the info.

I applied the updates to the Default Domain Policy of the domain.

I have run gpresult on one of the domain computers and I don't see any of the settings I have set, like in AlexZhu's post.

For example I have this:

[screenshot: 128541-gpo.png]

But it does not appear in the gpresult output.

[screenshot: 128531-gpresult.png]

But the settings are applied though. I cannot use copy and paste for example from the VM to my home computer.



Hi,

When exporting the file from the command line, did you run the command prompt as administrator? For computer configuration settings, if run as the current logged-on user, they cannot be retrieved.

Alex

AJTek-Adam-J-Marshall answered PaulNerie-9756 commented

It is recommended NOT to add policy settings to the Default Domain Policy, but rather create new GPOs and link them to the root of the domain (or elsewhere as needed).

Looks like the setting "Turn off Local Group Policy Objects processing" may be enabled. Computer Configuration > Administrative Templates > System > Group Policy.

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::DisableLGPOProcessing


Hello AJTek-Adam-J-Marshall,

I have run gpresult as administrator and I can see the settings in the results.

Thank you for your recommendation.

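The check this thread converges on, as an added PowerShell example that is not part of any post above: it refuses to run unelevated (the computer configuration results are not returned otherwise), exports the computer-scope RSoP report with gpresult, and reads the 'Configure Automatic Updates' values that a domain GPO writes to the registry rather than to the Local Group Policy Editor view. The report path C:\temp\wu-rsop.html is an assumption.

```powershell
# Added example: confirm that a domain GPO's Windows Update settings reached this computer.
# Assumption: the report path is a placeholder; change it as needed.
$ReportPath = 'C:\temp\wu-rsop.html'

# Computer Configuration results are only returned to an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session; computer settings are missing from the report otherwise.'
}

# Export the computer-scope RSoP report (/f overwrites an existing file).
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
gpresult /scope computer /h $ReportPath /f
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

# Values of 'Configure Automatic Updates' applied by policy live under the Policies key.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$meaning = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

if (-not (Test-Path $auKey)) {
    Write-Warning 'No Windows Update policy key found: the setting has not been applied to this computer.'
} else {
    $au = Get-ItemProperty -Path $auKey
    if ($au.NoAutoUpdate -eq 1) {
        $state = 'Automatic Updates disabled by policy (NoAutoUpdate = 1)'
    } elseif ($null -ne $au.AUOptions) {
        $label = $meaning[[int]$au.AUOptions]
        if (-not $label) { $label = 'value not in this table' }
        $state = "AUOptions = $($au.AUOptions): $label"
    } else {
        $state = 'Policy key exists but AUOptions is not set'
    }
    # Summary object: effective policy value plus where the full report was written.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        AutoUpdate  = $state
        UseWUServer = $au.UseWUServer
        Report      = $ReportPath
    }
}
```

Open the exported report in a browser to see which GPO won for each setting; the registry read only shows the resulting value.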