Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
LIVE

GPO for controlling Automatic Update Policies - Ignored

Copper Contributor

Good Morning,

 

Post recent updates we are noticing that a number of our configured GPO's for Windows Update for Business are being ignored, particularly troublesome is the "Configure automatic updates", we have this set to "3 - Auto download and notify for install".

 

Unfortunately all the servers in the specific environment, including our DC are ignoring this and other settings and is causing havoc, as we need the environment to be up daytime without any unwanted automatic restarts etc.

 

Is there something that has been broken post recent updates, or is there any kind of hint that people can give as to where to look? 

 

6 Replies
Apologies if this is all stuff you've tried, but have you checked GP inheritance, enforced GPOs/ GPOs blocked on the OUs?

@rj07thomas Hey no worries any hint is welcome at present!

To verify the correct GPOs are being applied I've been using gpresult with the html output, which definitely shows the Update policy being applied.

 

To double check this, via mmc I also used RSoP to determine what policies are being applied, and the windows update ones should definitely be being applied. I got my manager to alter the GPO for Windows Update(s) to Enforced and this has made 0 difference. 

 

I even (because this is happening both on this secondary network and our primary DC with Win10 PC's) tried to apply the setting at a local group policy, and the Windows Update screen on my Win 10 Machine did not budge and basically ignored whatever I set. I've even validated that the policies are being shown in the Windows Update App and within the Registry for the relevant policies.

As stated previously, this is only happening post recent updates.

 

 

apologies@mhopper29 - made the error of not expanding out your question!

 

This is hardly a fix by any stretch of the imagination, but have you tried running updates via PowerShell to see if that works (yes - I run the actual installation & scheduling of WSUS updates via PowerShell, as GPO just isn't flexible enough imho)

@rj07thomas haha indeed it was written rather in a hurry ... and could you expand on what your proposing as an option? 

@mhopper29ok, I don't think there's anything I need to take out of this and yes, the original source for this was a TechTarget email years and years ago. Just a warning: this will download and install any (and all) updates without any warning or prompting - I guess you could CTRL-C it but it doesn't prompt for anything. After this, worth looking in the WindowsUpdateClient & Setup logs in event viewer.

 

 

#Based on a script from a TechTarget email;
#This is going to automatically download and install updates, not provide options.

#Defines update criteria: we're interested in "software" (i.e. Windows/ Office, not drivers or anything) that are not yet installed
$newUpdateCriteria = "IsInstalled=0 and Type='Software'"

#Search for new updates.
$newUpdateSearcher = New-Object -ComObject Microsoft.Update.Searcher
$newSearchResults = $newUpdateSearcher.Search($newUpdateCriteria)

If ($newSearchResults.updates.Count -eq 0)
{
Write-Host "I couldn't find any updates..."
Start-Sleep 5
}
Else
{
#Download updates.
$updateSession = New-Object -ComObject Microsoft.Update.Session #creates a new update session object
$downloader = $updateSession.CreateUpdateDownloader() #creates an object for downloading the updates
$downloader.Updates = $newSearchResults.Updates #assigns the objects found above to the download object
$downloader.Download() #downloads the updates

#Install updates
$installer = New-Object -ComObject Microsoft.Update.Installer #creates a new update installer object
$installer.Updates = $newSearchResults.Updates #uses the updates from the initial search to populate what to download
$installUpdates = $Installer.Install() #installs the updates

#Reboot if required by updates.

If ($installUpdates.RebootRequired -eq $true)
{
Write-Host "This computer needs to be restarted"
}
Else
{
Write-Host "Reboot NOT required!"
Start-Sleep 5
}
}

@rj07thomas Ah okay ... yes i think I may have stumbled upon this during my hunt on the web for similar issues being reported recently ... it's so disappointing that a GPO that most certainly was working, is now not and being simply ignored.

 

As much as I admire your suggestion and comments, it's not practical as some of the users this affects are not technical users, and would make managing the update setup much more cumbersome. I can only hope that whatever has been broken is fixed soon