I wanted to share some experiences I have been having on an existing AD topology I manage. Backstory: This site has been run by various contractors over a decade or so. Having been a contractor myself in the past, I got pretty familiar with poorly configured server deployments and gaining the task to cleaning them up.
Great. Back to the point, multiple group policies can get messy, but the slop comes into play when you are trying to set Internet Explorer settings to domain machines. IE 11 changes quite a bit of these options around and I actually had policies fail to apply, with IE 11 installed due to all the subsettings for the browser. This is the part where you review what settings were being modified and determine what ones are actually relevant. IMO, some of the settings are defined, for the sake of generating more service calls, than to actually implementing helpful security.
So about the faults. In this case, I had a few servers that did not report to the local WSUS patch server. Turns out bad policies were the cause of this. I removed the multi-policies that were not applying valid settings, and shortly after said servers started reporting to my WSUS list. Message here being, revisit your group policies, export them to XML and review them. If you have a bunch applying different settings, consider merging them. Policies can also be exported, so doing that before making changes, will give you a control of what the config was, before you made any changes.
Back to cleaning malware off a machine one of the helpdesk people ignored the other day. Living the dream. Lol not so much there.
Edit: Oh yes, let me add some helpful commands for tinkering with your group policy. It should be obvious, but keep notes of what you change, especially if changing the active policies. You do not want to break the parts that are working / critical to operations.
rsop.msc = Resultant Set of Policy. This will show you what policies are applied and what the settings are. Also errors will display here if the policy fails. gpupdate = Group Policy update tool. Run 'gpupdate /force' to apply all settings @ execution time.
Log into your WSUS server and confirm the machine in question is reporting to the patch server. You can run the following command to have it query the WSUS server for patches.
This should shortly display a tooltip bubble with pending updates. Assuming you approved them on the WSUS server, the client machines should see them and you can install them. Pick your install method via Group Policy to determine if you want them to auto install or prompt the user to install them. Review your reports in WSUS to see how many are being installed and if any are having errors installing.