Setting group policy to enforce automatic updates

This is a quick how-to for setting automatic updates using group policies in Windows Server 2003.

Start off by opening up Active Directory Users and Computers from the server.

Hopefully you have got a specific OU that you want to apply this group policy to. In my case, there are about 100 computers listed under the Computers OU in Active Directory. My servers are located in a different OU, which is just as well, because I don’t want this policy to apply to the servers.

Right-click the OU you want to apply the group policy to, and select Properties. On the properties page, select the Group Policy tab. If you already have the Group Policy Management snap-in installed, you will see something similar to the screenshot below – in this case just click “Open” to continue.

[Screenshot: active-directory-gp]

The Group Policy Management window will open. Right-click the OU (in my case, Computers) and select “Create and link a GPO here”.

Give the new GPO a name. I called mine “Install automatic updates”.

Now, under the Linked Group Policy Objects tab, right-click the new policy name and select “Edit”.

Now the Group Policy Object Editor will open. Under Computer Configuration, expand Administrative Templates, then Windows Components, then Windows Update.

On the right panel, right-click “Configure Automatic Updates” and select “Properties”. Set the status to “Enabled” and choose your automatic update setting – I used option 4, which downloads and installs updates on a schedule, which I set to 17h00 every day.

Click Apply, then OK.

You can optionally configure the “Delay restart for scheduled installations” setting; otherwise, once updates are installed, the PCs will be given a countdown timer of 5 minutes before they restart automatically. The user can delay this if they are logged in; otherwise, configure this setting to raise the countdown timer, up to a maximum of 30 minutes. The user can always click restart later anyway.

Once you have set your various options for automatic updates, close the policy editor and the Group Policy Management window. The GPO will now be linked to the OU “Computers”, and any PC listed in this OU will have this policy applied the next time it logs in or group policies are applied.

You can manually enforce policies on a PC by typing the following at a command prompt or in the Run dialog box:

gpupdate /force
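
To confirm that the settings chosen above actually reached a client after gpupdate /force, the following PowerShell check reads the values the policy writes to the registry and compares them with the choices made in this how-to. It is an added example, not part of the original post; it assumes PowerShell is installed on the client, and the variable and function names are made up for the illustration.

```powershell
# Added example (not from the original post): verify the GPO reached this PC.
# The "Configure Automatic Updates" policy writes its values under this key.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected values for the choices made in this how-to.
$expected = @{
    NoAutoUpdate         = 0    # policy status "Enabled"
    AUOptions            = 4    # option 4: download and install on a schedule
    ScheduledInstallDay  = 0    # 0 = every day
    ScheduledInstallTime = 17   # hour of the day, 24-hour clock (17h00)
}

# Hypothetical helper: returns $true only if every expected value matches.
function Test-AutoUpdatePolicy($Path, $Expected) {
    if (-not (Test-Path $Path)) {
        Write-Host "FAIL  $Path is missing: the GPO has not been applied here"
        return $false
    }
    $actual = Get-ItemProperty -Path $Path
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $prop = $actual.PSObject.Properties[$name]
        if ($prop -eq $null) {
            Write-Host "FAIL  $name is not set (expected $($Expected[$name]))"
            $ok = $false
        } elseif ($prop.Value -ne $Expected[$name]) {
            Write-Host "FAIL  $name = $($prop.Value) (expected $($Expected[$name]))"
            $ok = $false
        } else {
            Write-Host "OK    $name = $($prop.Value)"
        }
    }
    # Optional setting: "Delay restart for scheduled installations" (minutes).
    $enabled = $actual.PSObject.Properties['RebootWarningTimeoutEnabled']
    $delay = $actual.PSObject.Properties['RebootWarningTimeout']
    if ($enabled -ne $null -and $enabled.Value -eq 1 -and $delay -ne $null) {
        Write-Host "INFO  restart delay configured: $($delay.Value) minutes"
    } else {
        Write-Host "INFO  restart delay not configured: default countdown applies"
    }
    return $ok
}

if (-not (Test-AutoUpdatePolicy $auKey $expected)) { exit 1 }
```

Save it as a script and run it on a PC in the OU; a non-zero exit code means at least one value differs from what the GPO should have set, which makes it easy to spot machines that never picked up the policy.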

Hope this helps anyone looking to achieve a similar result!
