2008 Standard domain controller policy for client windows updates

ENVIRONMENT
I have a small network in my office. I am the network administrator.
I have a single DC, windows 2008 Standard server. I set it up from scratch.
I doubt this matters, but it is a virtual machine running on VMWARE ESXi 5.1
Most all PC's in the network are joined to the domain.

PROBLEM
I want all PC's joined to the domain to download windows updates, but to ASK to install them. The middle of the night auto update reboots are infuriating!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ATTEMPTS
I have made multiple attempts to resolve this, but I will admit Group Policy is incredibly confusing, and I can't find a straight step by step, go here, do this, go there do that, that will resolve my problem.

I have followed these steps:
gpmc.msc
Expand domains
Expand the local domain
Right click on Update services client computer policies.
Click edit
Expand:
Computer Configuration > Policies / Administrative Templates > Windows Components > Windows Update.
Enable the setting and Set to:  3 - Auto download and notify to install.

But when I use gpupdate/force from the DC command prompt, followed by rebooting a domain PC. On that domain PC, I then go to: control panel>windows updates>change settings on the left side, and the settings still say install updates automatically, NOT auto download and notify for install (which is what I told the DC GPO to set it as) which is what I am expecting to be there.

QUESTIONs:

#1 How do I Tell the DC to have a group policy that will tell the domain PC's to download updates and notify for install?
I am looking for a step by step instructions as to how to make this change. (based on my apparent level of knowledge. I don't need to be told what the start button is, but my frustration is that when I try to follow other net based instructions that say things like "Use an existing GPO, or add a new one", etc... I am lost as to how to do either of those, and then fall down on being able to go to the next steps...)

#2 How do I then test to see that the proper setting has been applied to the domain PC's?

Thanks to ALL of the EE community who take the time to read this, and even more thanks to ALL sincere help that is provided. YOU guys are greatly appreciated!!!
P.S. I don't see an option to put points onto this question. I would like to show my appreciation to anyone who provides the answer.
LVL 1
jwulf1092Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Neil RussellTechnical Development LeadCommented:
"But when I use gpupdate/force from the DC command prompt"

Your problem.

You dont use gpupdate to PUSH policies. You run it on the PC to PULL policies.  this "But when I use gpupdate/force from the DC command prompt" just refreshes the DC's policies NOT the PC's
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DeoraliCommented:
Follow this article to understand and implement group policy for WSUS.

http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
You are correct, you should see the GPO change in Windows Update Setup on client PC with something like "Some settings are managed by your administrator". Rebooting the PC should sync and apply GPOs. A gpupdate /force on the client might help to propagate GPO changes faster without rebooting.
0
jwulf1092Author Commented:
Neilsr.
DOH! (Said in the voice of Homer Simpson)
I should have known that, but I didn't. Important lesson learned. What this did validate for me is that I did a good job sharing all of the extremely pertinent details without assumptions, so that you could quickly zero in on my problem!!!
I went to a couple client PC's, and checked the settings before doing a Gpupdate /force, and they had already been updated, as the policy had now propagated.

Thank you for an absolutely pinpoint and perfect answer!!!
How do I give you points for this answer?
0
jwulf1092Author Commented:
Pinpoint perfect answer. I STILL don't see how to assign points :(
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.