windows 2012 security update from wsus

i have a windows 2012 domain controller and wsus server. Our group gpo says only local administrator can install updates on servers.
But domain controller none local admin.
How can i make all security updates on domain controller server
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Domain controllers indeed don't have local administrators - you have to be a member of the Administrators group of the Domain itself.

Administrators group in Domain
Begin a member of this group will give you administrator access over all Domain Controllers.  Domain Admins are also a memver of this group, so if you are a Domain Admin, then you already have sufficient rights.
apollo-13Author Commented:
i am in administartors group, but still cant server wsus update .if i log the DC with domain\superuser  (superuser=DOMAIN ADMIN) windows update cant and says windows updates systemadmistrator.
Abdul Khadja AlaoudineTechnical ConsultantCommented:
Domains admins are local administrator on Domain Controllers. Therefore, you don't have to make any further changes. Have you tried installing updates on DC?
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

This actually sounds like a UAC issue (User Account Control), but this is pretty much clutching at straws.

Try log in as DOMAIN\Administrator (i.e. the actual Administrator).  This account is not UAC limited by default.  If it works logged in Administrator, then it will confirm if this is a UAC issue or not.  The resolution to that would be to change the default domain controller policy to disable "User Account Control: Run all administrators in admin approval mode"

Turn off UAC for All Administrators
apollo-13Author Commented:
Have you tried installing updates on DC?---YES
apollo-13Author Commented:
i logged to Domain controller domain\administrator .Thats mean is i have like local admin isnt.

But windows updates says me . some configurations make configure from systemadministrator(Yellow).
apollo-13Author Commented:
UAC ist disabled before.
apollo-13Author Commented:
can be some where WSUS makes problem .when i need to windows update on the other server then i log local admin and make updates
It's hard to think that WSUS would be the cause of the issue - all it does is present a list of updates to your WSUS Client.

Can you post some screenshots showing the error messages?
apollo-13Author Commented:
hi clayton

I think my problem ,Domain controller local admin ,because i dont any problem with other servers.

example. i log on my other win2012 terminal server like ts1\administrator then i can make all updateson this server.

But how i do on DC ,because there is no local admin ,i mean i cant log in DC1\administrator  for updates.
There is no local administrator - you cannot log on as a local administrator.

Please post some screenshots showing the errors  you are getting.
apollo-13Author Commented:
also comes out UPDATES INSTALL screen sometimes ,i click install but comes other (yellow) screen and says some configurations make configure from systemadministrator

even i loged domain admin on dc
apollo-13Author Commented:
errors you mean wsus logs on dc?
apollo-13Author Commented:
2014-09-30      12:07:40:983       928      1210      AU      ###########  AU: Initializing Automatic Updates  ###########
2014-09-30      12:07:40:983       928      1210      AU      AIR Mode is disabled
2014-09-30      12:07:40:983       928      1210      AU        # Policy Driven Provider: http://wsusserver:8530
2014-09-30      12:07:40:983       928      1210      AU        # Detection frequency: 22
2014-09-30      12:07:40:983       928      1210      AU        # Approval type: Pre-install notify (Policy)
2014-09-30      12:07:40:983       928      1210      AU        # Auto-install minor updates: No (User preference)
2014-09-30      12:07:40:983       928      1210      AU        # Will interact with non-admins (Non-admins are elevated (User preference))
2014-09-30      12:07:41:076       928      1210      AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80240037
2014-09-30      12:07:41:076       928      1210      AU      AU finished delayed initialization
2014-09-30      12:07:41:092      1500      dac      Misc      ===========  Logging initialized (build: 7.8.9200.16693, tz: +0200)  ===========
2014-09-30      12:07:41:092      1500      dac      Misc        = Process: C:\Windows\Explorer.EXE
2014-09-30      12:07:41:092      1500      dac      Misc        = Module: C:\Windows\system32\wucltux.dll
2014-09-30      12:07:41:092      1500      dac      CltUI      FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002
2014-09-30      12:07:41:092      1500      dac      CltUI      WARNING: RegisterNetworkCostChangeNotification: Error 80004002
2014-09-30      12:18:18:361       928      1210      AU      ###########  AU: Uninitializing Automatic Updates  ###########
2014-09-30      12:18:18:408       928      1210      WuTask      Uninit WU Task Manager
2014-09-30      12:18:18:439       928      1210      Service      *********
2014-09-30      12:18:18:439       928      1210      Service      **  END  **  Service: Service exit [Exit code = 0x240001]
2014-09-30      12:18:18:439       928      1210      Service      *************
Here is your error code:

FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002

From the looks of things, you have had this issue already:

You accepted multiple peoples answers as solutions.

Unfortunately, I have no first hand experience with this error code, so I am unsubscribing from this topic.  Hopefully, others can help.
DonNetwork AdministratorCommented:
Try reinstalling the Windows Update Agent on this server

You should install from command line using  /quiet /norestart /wuforce

so  windowsupdateagent30-x64.exe /quiet /norestart /wuforce
DonNetwork AdministratorCommented:
You also will need to update your WSUS to support 2012

Make sure you install this latest update on your WSUS server, which includes KB 2734608
apollo-13Author Commented:
this server is main Domain controller which we want agent uninstall, do i need to consider something before agent uninstall?
DonNetwork AdministratorCommented:
uninstall ???

The agent *MUST* be installed in order for windows update to work.
apollo-13Author Commented:
Try reinstalling the Windows Update Agent on this server ---  no sucess ,reinstalled but still cant updates.

2014-10-02      11:31:26:596       916       44      Agent        * Found 58 updates and 69 categories in search; evaluated appl. rules of 488 out of 964 deployed entities
2014-10-02      11:31:26:596       916       44      Agent      *********
2014-10-02      11:31:26:596       916       44      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2014-10-02      11:31:26:596       916       44      Agent      *************
2014-10-02      11:31:26:596       916      f94      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU        # 58 updates detected
2014-10-02      11:31:26:596       916      f94      AU      #########
2014-10-02      11:31:26:596       916      f94      AU      ##  END  ##  AU: Search for updates  [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU      #############
2014-10-02      11:31:26:596       916      f94      AU      All AU searches complete.
DonNetwork AdministratorCommented:

# 58 updates detected

Did you update your WSUS also ???
apollo-13Author Commented:
wsus log says:
IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError
DonNetwork AdministratorCommented:
Again, have you installed  ?????

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
apollo-13Author Commented:
DonNetwork AdministratorCommented:
What comment actually helped you solve your problem??? Accepting multiple answers is of no help to the database.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.