10

On a freshly-installed, non-domain-joined Windows Server 2019 (with desktop experience) VM, the ability to change Windows Update installation settings seems to have vanished, with the "Some settings are managed by your organization" message:

[Image: Windows Update settings showing settings disabled]

Viewing the configured update policies shows two set on the device, both with a type of Group Policy:

  • Download the updates automatically and notify when they are ready to be installed
  • Set automatic update options

However, running rsop and gpresult both (as expected) show no group policy objects applied. (It's a standalone system, so no domain policy applies.)

Is this expected?

Amazon also acknowledge this for their 2019 EC2 images, but it seems odd that using gpedit.msc is the only mechanism for enabling automatic update installation.

Uwe Keim
rmc47
  • Do the "configured update policies" go away when the server is rebooted? Have you checked the [relevant registry key](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720464(v=ws.10))? – Harry Johnston Jun 19 '19 at 03:01
  • Well, I'm now confused. I've just done two clean installs from the same ISO. In both of these cases, the Update GUI doesn't show the policies configured, and Server Manager shows "Install updates automatically" - but the `AUOptions` registry key is set to 3 (download an install only), and sconfig shows download only. On my original test system, sconfig shows automatic, and AUOptions is 4, but the GUI shows Download only...! – rmc47 Jun 19 '19 at 10:03
  • For what it's worth, the GUI does tend to lag behind when the settings change, hitting "Check for updates" can help with this, though it may also trigger the installation of updates so depending on circumstances it can be risky. – Harry Johnston Jun 19 '19 at 23:36
  • Maybe it's a subtle nudge toward using the AWS System Manager and Patch Manager to manage updates? – Mark Aug 17 '20 at 01:48
  • Have you checked local policies with gpedit.msc to see if they were configured? – SamErde Oct 12 '20 at 01:51
  • @rmc47 Did you ever find out what was causing this? – x3nr0s Nov 04 '20 at 17:44
  • @x3nr0s I _think_ it was some settings in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU that were being reported as "group policy"-enforced, though it's been a little while since I looked. Maybe check in there? – rmc47 Nov 05 '20 at 20:13
  • @rmc47 Thanks - I had a look there and yes, they seem to be coming from the registry. Do you remember if you worked out if these were just here by default on this ISO? Bit strange they are reported as enforced by organisation. – x3nr0s Nov 05 '20 at 21:32
  • @x3nr0s I think they're there on the EC2 2019 AMI (but not the vanilla 2019 Microsoft ISO). Not sure why AWS add them? We override with: AUOptions = 4 NoAutoUpdate = 0 ScheduledInstallTime = ScheduledInstallDay = 0 (all days) ScheduledInstallEveryWeek = 1 ...and it seems to do the right thing. – rmc47 Nov 05 '20 at 22:18

2 Answers

4

Popping this in an answer, as our workaround at least: we found the EC2 Server 2019 image had automatic update options set in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.

You can probably just clear these out if you want to set them in the UI, but we overwrote them to force updates into automatic installation, with values:

  • AUOptions = 4
  • NoAutoUpdate = 0
  • ScheduledInstallTime =
  • ScheduledInstallDay = 0
  • ScheduledInstallEveryWeek = 1
rmc47
  • 2
    More setting values can be seen from: https://docs.microsoft.com/zh-tw/windows/deployment/update/waas-wu-settings – xinqiu Dec 07 '20 at 02:34
  • Here is the English link of @xinqiu's answer: https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings – Uwe Keim Nov 29 '21 at 16:14
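
One way to inspect and override the values under this key from an elevated PowerShell session, as an added example that is not part of the original answer. The function names are made up for illustration, and `ScheduledInstallTime` is a mandatory parameter because the answer leaves its value blank.

```powershell
# Added example, not code from the answer. Run elevated.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meanings of AUOptions as documented for the "Configure Automatic Updates" policy.
$AuOptionsMeaning = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify to install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}

function Get-WuPolicyValues {
    # Lists every value under the AU policy key; returns nothing if the key is absent.
    # Values here are what the Settings app reports as policy, even with no GPO applied.
    if (-not (Test-Path -Path $AuKey)) { return }
    $key = Get-Item -Path $AuKey
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        $note  = if ($name -eq 'AUOptions') { $AuOptionsMeaning[[int]$value] } else { '' }
        [pscustomobject]@{
            Name  = $name
            Value = $value
            Kind  = $key.GetValueKind($name)
            Note  = $note
        }
    }
}

function Set-WuAutoInstall {
    # Writes the override values listed in the answer as DWORDs.
    # ScheduledInstallTime (hour of day, 0-23) must be supplied by the caller.
    param(
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$ScheduledInstallTime
    )
    if (-not (Test-Path -Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    $values = [ordered]@{
        AUOptions                 = 4
        NoAutoUpdate              = 0
        ScheduledInstallTime      = $ScheduledInstallTime
        ScheduledInstallDay       = 0
        ScheduledInstallEveryWeek = 1
    }
    foreach ($entry in $values.GetEnumerator()) {
        New-ItemProperty -Path $AuKey -Name $entry.Key -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read-only audit of the current state; call Set-WuAutoInstall explicitly to change it.
Get-WuPolicyValues | Format-Table -AutoSize
```

Running the audit before and after a change, and again after a reboot, shows whether something on the image rewrites the key.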
-1

Option 1: use sconfig

  1. Open a CMD PROMPT as an Administrator
  2. Type SCONFIG and press ENTER
  3. Type 5 and press ENTER
  4. Type M for Manual (or D for Download Only) and press ENTER

If SCONFIG is not available or still shows WINDOWS UPDATES are set to CUSTOM, go to the next method:

Option 2: use LOCAL SECURITY POLICY or GROUP POLICY

  1. Click START and type GPEDIT.MSC and press ENTER (or open the GROUP POLICY MANAGEMENT CONSOLE and open an existing GPO or start a new one)
  2. Expand COMPUTER CONFIGURATION > ADMINISTRATIVE TOOLS > WINDOWS COMPONENTS > WINDOWS UPDATE
  3. Double click on CONFIGURE AUTOMATIC UPDATES
  4. Select either DISABLED (equivalent to MANUAL) or ENABLED and select what you would like from the drop down list
Gianpiero