GPO to enforce updates not working

I am having an issue with my Windows 7 machines and a GPO to enforce update rules. I have set up a WSUS server and configured all the rules for updates. However, some of the machines are sticking with their old update settings no matter what I do. Here is the rsop result showing the policy is getting to the machine:

Which you can see is set to auto download and schedule the install for 3:00 PM. But the updates were not being installed, so I checked in Control Panel and here are the settings I see:

As you can see, it isn't getting set to automatically install. Instead it's sticking with its old config (which was done locally via Control Panel) to download but not install. It doesn't even have the correct

January 13th, 2014 9:24pm

Hello!

Are these machines in the same OU that this GPO is applied to?

January 13th, 2014 9:39pm

Yes. That rsop result was from the client machine.
January 13th, 2014 9:57pm

Here is the rsop result showing the policy is getting to the machine:

So the first issue is characterizing these dialogs as an RSOP result... these dialogs are not from RSOP.

The second issue is erroneously assuming that the greyed out values in the dialog reflect an actual configuration of the client. They don't.

So, you have several options at this point to perform a valid configuration check of the client:

  • You can inspect the registry values in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU.
  • You can restart the WindowsUpdate service (or reboot the client) and review the log entries in the WindowsUpdate.log.
  • You can download and run the SolarWinds Diagnostic Tool for the WSUS Agent.
  • You can actually run RSOP and review the results in the RSOP Console.

January 14th, 2014 1:54am

That is the result of running rsop.msc on a Win 7 machine, drilling down to the specific policy in question and double clicking. What would you prefer I call it? Here is the full screenshot:

I took a look in regedit and I see two keys for WindowsUpdate. One is just simply "WindowsUpdate" and the values point at localhost. The other is "WindowsUpdate-{guid here}" and that one has the WSUS server I'm using.

I have restarted the update service. Is there anything in particular I should be looking for in the log files?

January 14th, 2014 2:30am

Ran the SolarWinds tool from my desktop and I'm seeing some issues. First thing I noticed is that it reports the WSUS server address as http://127.0.0.1:1550 which is obviously not correct. Here are the settings I defined in my GPO:

And I verified via rsop.msc and the command line version as well that the policy is being applied to my machine.

Also confirmed that there are no update settings in the local policy on the machine. I can see some of the settings change if I change the policy, but others like the server address don't seem to be working. And this policy worked on most of the computers.

January 14th, 2014 5:21am

Hi,

As far as I know, if a computer is set to WSUS to update, then under the registry key:

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

we should see the following values:

If the Automatic Updates policy is applied, then under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, we could see the following values:

For this issue, I suggest we first check the below setting under group policy:

Computer(User) Configuration > Administrative Templates > Windows Components > Windows Update\Specify intranet Microsoft update service location

For more details, please refer to the below articles:

http://technet.microsoft.com/en-us/library/cc720532(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc720539(ws.10).aspx

Regards,

Yan Li

January 14th, 2014 5:48am

The strange thing is, I see two entries for WindowsUpdate:

The one that just says "WindowsUpdate" is showing localhost as the server. The one with the GUID is showing the server set by the policy. And the AU folder is showing the settings from the policy. I checked another machine that is having issues to see what was going on there and it also had two WindowsUpdate entries. But the second one didn't contain an AU folder or any settings.

And as best I can tell, my GPO (see my post a couple up for a screenshot of the settings) is set up the same as the description in the articles you linked. Do you see anything I'm missing? Been staring at it too long, and if there is something wrong I wouldn't be surprised if I'm just skimming right over it.

January 14th, 2014 6:17am

Hi,

It seems that the Windows Update registry's permission is corrupt, so I would like to suggest that you export the Windows Update registry key, then delete both of those two Windows Update registry keys, and then force a Group Policy update and check the result.

Regards,

Yan Li

January 15th, 2014 4:34am
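
The registry checks discussed in this thread, as an added read-only PowerShell example (not posted by any participant): it lists every `WindowsUpdate*` key under the policy path and flags a loopback `WUServer`, a missing `AU` subkey, and AU values that do not match a scheduled install. The expected server URL is a placeholder, and the value names `WUServer`, `WUStatusServer`, `UseWUServer`, `AUOptions` and `ScheduledInstallTime` are the standard Windows Update policy values, which the thread itself does not list.

```powershell
# Added example: read-only audit of the Windows Update policy keys on a client.
# $ExpectedServer is a placeholder; set both parameters to your GPO's values.
param(
    [string]$ExpectedServer = 'http://wsus.example.internal:8530',
    [int]$ExpectedInstallHour = 15   # 3:00 PM, as scheduled in the thread's GPO
)

$root = 'HKLM:\Software\Policies\Microsoft\Windows'

# Include the documented key and any suffixed sibling ("WindowsUpdate-{guid}").
# @() keeps the loop from running once on $null under PowerShell 2.0.
$keys = @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'WindowsUpdate*' })

$report = foreach ($key in $keys) {
    $path = "$root\$($key.PSChildName)"
    $wu = Get-ItemProperty -LiteralPath $path
    $au = $null
    if (Test-Path -LiteralPath "$path\AU") {
        $au = Get-ItemProperty -LiteralPath "$path\AU"
    }

    $notes = @()
    if ($key.PSChildName -ne 'WindowsUpdate') {
        $notes += 'key name is not the documented "WindowsUpdate" policy key'
    }
    if (-not $wu.WUServer) {
        $notes += 'WUServer not set'
    } elseif ($wu.WUServer -match '^https?://(127\.|localhost)') {
        $notes += 'WUServer points at loopback'
    } elseif ($wu.WUServer -ne $ExpectedServer) {
        $notes += 'WUServer differs from expected'
    }
    if (-not $au) {
        $notes += 'no AU subkey'
    } else {
        if ($au.UseWUServer -ne 1) { $notes += 'UseWUServer is not 1' }
        if ($au.AUOptions -ne 4) { $notes += 'AUOptions is not 4 (scheduled install)' }
        if ($au.ScheduledInstallTime -ne $ExpectedInstallHour) {
            $notes += 'ScheduledInstallTime differs from expected'
        }
    }
    New-Object PSObject -Property @{
        Key = $key.PSChildName; WUServer = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer; Notes = ($notes -join '; ')
    }
}
$report | Select-Object Key, WUServer, WUStatusServer, Notes | Format-List
```

Run it from an elevated prompt on the affected client; it only reads the registry, so it is safe to run before exporting or deleting any key.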
