2008 Standard domain controller policy for client windows updates

Posted on 2014-11-21
Last Modified: 2014-11-22
I have a small network in my office. I am the network administrator.
I have a single DC, windows 2008 Standard server. I set it up from scratch.
I doubt this matters, but it is a virtual machine running on VMWARE ESXi 5.1
Most all PC's in the network are joined to the domain.

I want all PC's joined to the domain to download windows updates, but to ASK to install them. The middle of the night auto update reboots are infuriating!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I have made multiple attempts to resolve this, but I will admit Group Policy is incredibly confusing, and I can't find a straight step by step, go here, do this, go there do that, that will resolve my problem.

I have followed these steps:
Expand domains
Expand the local domain
Right click on Update services client computer policies.
Click edit
Computer Configuration > Policies / Administrative Templates > Windows Components > Windows Update.
Enable the setting and Set to:  3 - Auto download and notify to install.

But when I use gpupdate/force from the DC command prompt, followed by rebooting a domain PC. On that domain PC, I then go to: control panel>windows updates>change settings on the left side, and the settings still say install updates automatically, NOT auto download and notify for install (which is what I told the DC GPO to set it as) which is what I am expecting to be there.


#1 How do I Tell the DC to have a group policy that will tell the domain PC's to download updates and notify for install?
I am looking for a step by step instructions as to how to make this change. (based on my apparent level of knowledge. I don't need to be told what the start button is, but my frustration is that when I try to follow other net based instructions that say things like "Use an existing GPO, or add a new one", etc... I am lost as to how to do either of those, and then fall down on being able to go to the next steps...)

#2 How do I then test to see that the proper setting has been applied to the domain PC's?

Thanks to ALL of the EE community who take the time to read this, and even more thanks to ALL sincere help that is provided. YOU guys are greatly appreciated!!!
P.S. I don't see an option to put points onto this question. I would like to show my appreciation to anyone who provides the answer.
Question by:jwulf1092
LVL 37

Accepted Solution

Neil Russell earned 500 total points
ID: 40459290
"But when I use gpupdate/force from the DC command prompt"

Your problem.

You dont use gpupdate to PUSH policies. You run it on the PC to PULL policies.  this "But when I use gpupdate/force from the DC command prompt" just refreshes the DC's policies NOT the PC's

Expert Comment

ID: 40459366
Follow this article to understand and implement group policy for WSUS.
LVL 68

Expert Comment

ID: 40459388
You are correct, you should see the GPO change in Windows Update Setup on client PC with something like "Some settings are managed by your administrator". Rebooting the PC should sync and apply GPOs. A gpupdate /force on the client might help to propagate GPO changes faster without rebooting.

Author Comment

ID: 40459776
DOH! (Said in the voice of Homer Simpson)
I should have known that, but I didn't. Important lesson learned. What this did validate for me is that I did a good job sharing all of the extremely pertinent details without assumptions, so that you could quickly zero in on my problem!!!
I went to a couple client PC's, and checked the settings before doing a Gpupdate /force, and they had already been updated, as the policy had now propagated.

Thank you for an absolutely pinpoint and perfect answer!!!
How do I give you points for this answer?

Author Closing Comment

ID: 40460312
Pinpoint perfect answer. I STILL don't see how to assign points :(

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now