2008 Standard domain controller policy for client windows updates

Posted on 2014-11-21
Medium Priority
Last Modified: 2014-11-22
I have a small network in my office. I am the network administrator.
I have a single DC, windows 2008 Standard server. I set it up from scratch.
I doubt this matters, but it is a virtual machine running on VMWARE ESXi 5.1
Most all PC's in the network are joined to the domain.

I want all PC's joined to the domain to download windows updates, but to ASK to install them. The middle of the night auto update reboots are infuriating!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I have made multiple attempts to resolve this, but I will admit Group Policy is incredibly confusing, and I can't find a straight step by step, go here, do this, go there do that, that will resolve my problem.

I have followed these steps:
Expand domains
Expand the local domain
Right click on Update services client computer policies.
Click edit
Computer Configuration > Policies / Administrative Templates > Windows Components > Windows Update.
Enable the setting and Set to:  3 - Auto download and notify to install.

But when I use gpupdate/force from the DC command prompt, followed by rebooting a domain PC. On that domain PC, I then go to: control panel>windows updates>change settings on the left side, and the settings still say install updates automatically, NOT auto download and notify for install (which is what I told the DC GPO to set it as) which is what I am expecting to be there.


#1 How do I Tell the DC to have a group policy that will tell the domain PC's to download updates and notify for install?
I am looking for a step by step instructions as to how to make this change. (based on my apparent level of knowledge. I don't need to be told what the start button is, but my frustration is that when I try to follow other net based instructions that say things like "Use an existing GPO, or add a new one", etc... I am lost as to how to do either of those, and then fall down on being able to go to the next steps...)

#2 How do I then test to see that the proper setting has been applied to the domain PC's?

Thanks to ALL of the EE community who take the time to read this, and even more thanks to ALL sincere help that is provided. YOU guys are greatly appreciated!!!
P.S. I don't see an option to put points onto this question. I would like to show my appreciation to anyone who provides the answer.
Question by:jwulf1092
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 37

Accepted Solution

Neil Russell earned 2000 total points
ID: 40459290
"But when I use gpupdate/force from the DC command prompt"

Your problem.

You dont use gpupdate to PUSH policies. You run it on the PC to PULL policies.  this "But when I use gpupdate/force from the DC command prompt" just refreshes the DC's policies NOT the PC's

Expert Comment

ID: 40459366
Follow this article to understand and implement group policy for WSUS.

LVL 70

Expert Comment

ID: 40459388
You are correct, you should see the GPO change in Windows Update Setup on client PC with something like "Some settings are managed by your administrator". Rebooting the PC should sync and apply GPOs. A gpupdate /force on the client might help to propagate GPO changes faster without rebooting.

Author Comment

ID: 40459776
DOH! (Said in the voice of Homer Simpson)
I should have known that, but I didn't. Important lesson learned. What this did validate for me is that I did a good job sharing all of the extremely pertinent details without assumptions, so that you could quickly zero in on my problem!!!
I went to a couple client PC's, and checked the settings before doing a Gpupdate /force, and they had already been updated, as the policy had now propagated.

Thank you for an absolutely pinpoint and perfect answer!!!
How do I give you points for this answer?

Author Closing Comment

ID: 40460312
Pinpoint perfect answer. I STILL don't see how to assign points :(

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses
Course of the Month14 days, 20 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question