pavanvemula-8782 asked RitaHu-MSFT edited

Windows Update Service

Hello

Looking for Windows Update service registry keys and their importance.

1) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
a) if we create a name: DisableWindowsUpdateAccess value:1
b) it would disable windows update service and its capabilities
2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate/AU ( is this only related to enable or disable Auto update?)
a) here we have many options
b) noAutoUpdate Value:1 and 0

If we set the above value to 1, does that disable the Windows Update capability so that it does not look for updates automatically, which means there should be WSUS?
Or if we search for Windows updates in Control Panel, does it look for and show updates?

When we set this value to 1, we see it throwing errors.

Please advise.

windows-server windows-server-update-services

@pavanvemula-8782
It seems that there are no updates for several days. May I know the status of the case? Is there any help I could provide?

Any updates will be appreciated. Thanks for your time.

Regards,
Rita

0 Votes 0 ·
RitaHu-MSFT answered RitaHu-MSFT edited

@pavanvemula-8782
Thanks for posting on Q&A.

Here are some comments I want to share with you:
1) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
a) if we create a name: DisableWindowsUpdateAccess value:1
b) it would disable windows update service and its capabilities

Yes. In fact, you enable the "Turn off access to all Windows Update features" policy on the clients and the DisableWindowsUpdateAccess value will be added to the registry. Please review the screenshots below:
122561-17.png

122554-18.png

2) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate/AU ( is this only related to enable or disable Auto update?)
a) here we have many options
b) noAutoUpdate Value:1 and 0

if we set above value as 1 - is that disable windows update capability not to look updates automatically - which means there should be WSUS?
or if we search for windows updates in control panel - does it look and show updates?
when we set this value as 1 - we see it throwing errors.

In fact, the noAutoUpdate value is related to the Configuration Automatic Updates policy. Value 1 means that you disabled the Configuration Automatic Updates policy. However, you have set the clients not to access Windows Update. So the clients could not access any update service.
122571-19.png

122572-20.png

Please set the value 1 of noAutoUpdate.

Hope the above will be helpful.

Regards,
Rita



pavanvemula-8782 answered RitaHu-MSFT edited

Thank you
@RitaHu-MSFT -

1) If we have enabled the Windows Update service by not creating any DWORD in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
but
2) disabled using DWORD NoAutoUpdate=1 in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate/AU

we have to manually download and install any updates. Does this mean that checking for updates in Control Panel still works?

Or do we need to use https://www.catalog.update.microsoft.com/Home.aspx to download KBs?

In the above scenario, when we look for updates (check updates option), it gives the error HRESULT: 0x80240438. When I set NoAutoUpdate=0, it started working again.

Need more clarity on the two keys and what exactly they do, please.


1) if we have enabled windows update service by not creating any Dword in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
but

In my opinion, the WindowsUpdate Key has been created by default and the other values will be added if we enabled the other group policies.
122850-1.png

above scenario when we look for updates (check updates option) - it giving errors HRESULT: 0x80240438 - when I set NoAutoUpdate=0 - it started working again.
As I pointed out above, the NoAutoUpdate value will be added into the registry if you disable the Configuration Automatic updates policy. Of course, we could add this value directly. It means that we could also download and install updates manually. Here is the explanation of this value for your reference:

 If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.

or do we need to use https://www.catalog.update.microsoft.com/Home.aspx to download KBs ?
You could get updates from this site. We could also configure other tools to deploy updates internally, like WSUS or MECM.

Regards,
Rita

0 Votes 0 ·

Thank you @RitaHu-MSFT

We use the Windows Update service to download and install updates across the fleet.

For now we are only checking the registry value, not checking AU options. We suspect AU options also block the Windows Update service from searching for and listing available updates. If AU options are only used for auto updates, they do not block the Windows Update service completely. (You mean this might be the manual way of pulling updates: go to check updates -> push the button to check for updates? Does this still fetch updates or give an error?)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
a) if we create a name: DisableWindowsUpdateAccess value:1

0 Votes 0 ·

I'm sorry that I didn't make myself clear. Here are all my opinions for your reference:

First of all, there must be an update resource which the clients could get updates from, no matter whether it is the internal WSUS server, MECM or Windows Update. It seems that you haven't deployed a management tool to deploy updates internally. Am I right? However, you also added the DisableWindowsUpdateAccess registry value to prevent the clients from scanning for updates from the Internet. There is no update resource which clients could scan for updates. Please try to deploy WSUS or MECM to distribute the updates in the internal environment.

In addition, we have to check for updates manually if the noAutoUpdate registry value is set to "1". The clients will not scan for updates on schedule.

Hope the above will be helpful.

Regards,
Rita

0 Votes 0 ·
LimitlessTechnology-2700 answered pavanvemula-8782 commented

Hello,

These chains control access to updates in general, independently of the source. The reason why you see errors is because that chain does not accept 1 or 0 as a value.

For these registry values you have the next options.

NoAutoUpdate:
0 - Enable Automatic Updates (Default)
1 - Disable Automatic Updates
AUOptions:
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install

If you are looking into granular control of Windows Updates through the registry (for instance through registry GPOs), I would recommend the next article, which covers this and more options.

Best regards,
Luis P


Thank you. Are AU options only to allow auto updates? Hope it does not disable the Windows Update service.

The logic I am thinking of here is:
if we enable the AU option - autoupdate = 0 - then only it will look itself and pull updates, otherwise manual
if we enable the above key - other keys, like download and notify or install, should be enabled

If we are not using WSUS and AU/Autoupdate = 1, how will this do updates? Does the Windows Update service still scan and fetch updates?

0 Votes 0 ·
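
The values discussed in this thread can be read back from a client to see which combination is actually in effect. The PowerShell below is an added example and not part of any post above; the helper name `Get-PolicyValue` is hypothetical, and `WUServer` / `UseWUServer` do not appear in the thread (they are the values the WSUS intranet-location policy writes). It only detects a WSUS server set by policy, not other deployment tools such as MECM.

```powershell
# Added example: read back the Windows Update policy values discussed in this thread.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$disableAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
$noAutoUpdate  = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOptions     = Get-PolicyValue $auKey 'AUOptions'
# Not on the page: WUServer / UseWUServer are written by the WSUS intranet-location policy.
$wuServer      = Get-PolicyValue $wuKey 'WUServer'
$useWuServer   = Get-PolicyValue $auKey 'UseWUServer'
$hasWsus       = ($useWuServer -eq 1) -and -not [string]::IsNullOrEmpty($wuServer)

# AUOptions meanings as listed in the thread.
$auText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
}

$findings = @()
if ($disableAccess -eq 1 -and -not $hasWsus) {
    $findings += 'No update source: Windows Update access is turned off and no WSUS server is set by policy.'
} elseif ($disableAccess -eq 1) {
    $findings += "Windows Update access is turned off; clients depend on WSUS at $wuServer."
}
if ($noAutoUpdate -eq 1) {
    $findings += 'Automatic Updates disabled: no scheduled scan, updates must be checked for manually.'
} elseif ($null -ne $auOptions -and $auText.ContainsKey([int]$auOptions)) {
    $findings += "Automatic Updates enabled: $($auText[[int]$auOptions])."
} else {
    $findings += 'NoAutoUpdate is 0 or not set (Automatic Updates enabled by default); AUOptions is not 2, 3 or 4.'
}

[pscustomobject]@{
    Computer                   = $env:COMPUTERNAME
    DisableWindowsUpdateAccess = $disableAccess
    NoAutoUpdate               = $noAutoUpdate
    AUOptions                  = $auOptions
    WsusConfigured             = $hasWsus
    Findings                   = $findings -join ' '
}
```

Run across a fleet, the "No update source" finding flags machines in the state described in the thread, where access to Windows Update is turned off and no internal server is configured, so they receive no patches at all.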