
This is a Windows Server 2019 created in May 2020 on Azure. It is a standalone server. In Settings > Update and Security > Windows Update, I see the message 'Some settings are managed by your organisation.' When I click 'View configured update policies', I see that there are Policies set on my device:

Automatically download updates and install them on the specified schedule
Source: Administrator
Type: Group Policy

Set Automatic Update options
Source: Administrator
Type: Group Policy

I have opened Local Group Policy Editor and navigated to Computer Configuration > Administrative Templates > Windows Components > Windows Update. All of these settings are set to 'Not configured'.

Next, I checked if the computer was on a domain of some kind.

  1. systeminfo says that DOMAIN is 'WORKGROUP'.

  2. I ran dsregcmd /status and saw that AzureAdJoined, EnterpriseJoined, DomainJoined are all 'No'.

  3. Using gpresult /r with elevated command prompt, I can see that in both Computer Settings and User Settings, no Group Policies have been applied.

So where are these Windows Update policies coming from? I have seen the similar question here, but it is unanswered.

x3nr0s
  • Policies are stored in the registry. Have you checked the registry location? `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU` `HKLM\Software\Microsoft\Windows\WindowsUpdate\AU` – Greg Askew Nov 04 '20 at 18:15
  • @GregAskew Hi Greg, I've checked this and indeed, there is a registry key 'AUOptions' which is set to 4 meaning 'Automatically download updates and install them on the specified schedule', and a 'NoAutoUpdate' key set to 0 which means 'automatic updates are enabled'. So this matches up. I wonder if this is a system default? These are the only two keys and there are no ScheduledInstallDay or ScheduledInstallTime keys, so I presume this AUOption isn't even functioning? – x3nr0s Nov 05 '20 at 10:34
  • More setting values can be seen from: https://docs.microsoft.com/zh-tw/windows/deployment/update/waas-wu-settings – xinqiu Dec 07 '20 at 02:34

1 Answer


These are set in the Registry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU as mentioned by @GregAskew. The two keys you mention seem to be the default for the public Server 2019 Datacentre VM image (certainly is for the 10 or so I've deployed in Azure so far) leaving the Server OS free to download and install updates at whim out of the box.

In the initial 'un-configured' state, Group Policy will show all these settings as 'Not Configured', despite the fact there are at least two matching Registry Keys configuring parts of it, as you've identified. As far as I can tell, any settings that are not configured in the Registry or Group Policy are able to be manipulated by the user from the Control Panel interface. This is supported by the Help text for the 'Configure Automatic Updates' option in Group Policy editor:

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

Conversely as you would expect, only those that are specified in either Registry or Group Policy are locked out from the Control Panel.

As soon as you start to edit the settings via Group Policy, the registry keys are modified and/or added to (relative to the specific Group Policy settings you manipulate in GPEdit).

Windows Update will still function despite apparent lack of configuration of some of these settings in either Registry or Group Policy. For example to address your question in comments about whether the AUOption is even functioning, again looking carefully at the Help for 'Configure Automatic Updates' option in Group Policy editor it states:

If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

In my own Azure Tenancy I've set 'Configure Automatic Updates' to 3 via Group Policy, set 'Install updates for other Microsoft Products' to TRUE and left everything unconfigured. I'm then using Azure Update Management to handle maintenance windows for install/restart and monitoring of update state. While I'm still testing, it seems to be working well for me so far.

Chris Butler
  • Very detailed response. This makes sense, thanks. I appreciate it. – x3nr0s Jan 14 '21 at 13:25
  • I struggled with this for quite a while trying to get my Azure VMs to only install/restart in the maintenance window specified in Azure Update Management. Took me quite a while to realise that you had to configure the VM to not try and install things on its own. Currently I'm working on seeing if I can create a Runbook that will ensure the correct Group Policy settings are enforced on every VM Tenancy wide. – Chris Butler Jan 14 '21 at 20:36
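
An added example, not part of the original posts: a read-only PowerShell check that decodes the values under the policy key named in the answer and reports the schedule that applies when `ScheduledInstallDay` and `ScheduledInstallTime` are absent. The function name `Get-AuPolicySummary` is hypothetical; the `AUOptions` meanings for 2 to 5 and the day numbering follow Microsoft's documented policy values, and the 3:00 AM default is the one quoted from the Group Policy help text above.

```powershell
# Added example: audit the Windows Update policy values without changing them.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented meanings of AUOptions; other values are reported as unrecognised.
$auOptionsText = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$dayText = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

function Get-AuValue([string]$Name) {
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $auKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-AuPolicySummary {
    $noAuto  = Get-AuValue 'NoAutoUpdate'
    $options = Get-AuValue 'AUOptions'
    $day     = Get-AuValue 'ScheduledInstallDay'
    $time    = Get-AuValue 'ScheduledInstallTime'

    $mode = if ($null -eq $options) { 'Not set in policy key' }
            elseif ($auOptionsText.ContainsKey([int]$options)) { $auOptionsText[[int]$options] }
            else { "Unrecognised value $options" }

    # The schedule only matters for AUOptions = 4; missing values fall back
    # to the default stated in the 'Configure Automatic Updates' help text.
    $schedule = if ($options -ne 4) { 'Not applicable (AUOptions is not 4)' }
                elseif ($null -eq $day -or $null -eq $time) { 'Default: every day at 3:00 AM' }
                else { '{0} at {1}:00' -f $dayText[[int]$day], $time }

    [pscustomobject]@{
        PolicyKeyPresent = Test-Path -Path $auKey
        AutomaticUpdates = if ($null -eq $noAuto) { 'Not set' } elseif ($noAuto -eq 1) { 'Disabled' } else { 'Enabled' }
        AUOptions        = $options
        Mode             = $mode
        InstallSchedule  = $schedule
    }
}

Get-AuPolicySummary | Format-List
```

Values found here on a standalone machine where `gpresult /r` lists no applied policies were written directly to the registry, which is the situation the question describes.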