Windows Update Settings via Registry Check

Powershell Component Monitors to check current Windows Update Settings and show Warning or Error when AU is enabled on the Server. Verified with Windows Server 2008. Registry values should be good for versions of Windows Server 2003 through 2012 - cahunt

  • If you are using the new Agent to update then the setting : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate will be Enabled (Disabling Updates, is Enabled = No Updates via WSUS or WindowsUpdate.

    Thus the WSUS Keys will be wrong since you are not using those and any components tied to the HKLM Settings can be disabled. 

      - I'll be looking for more values if present to provide further updates on this template.

    - CharlesH

  • Different values options are in the description or comments within the template if you want to adjust and use to alert for different settings other than Disabled Windows Updates.

      Specific info used to build is below with reference links at the bottom.

    The main keys and values pertaining to Windows Update on Server 2003 and 2008 R2 are as follows:

    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
      • DisableWindowsUpdateAccess entry that deals with whether or not to provide users with access to Windows Updates in control panel:
      • A value of 1 will disable the access or if you wish users to access the Windows update feature, use 0. If you are using 0, you might want to elevate users so that they can install updates on the machine. In that case, you have to change the value of ElevateNonAdmins to 1.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      • Using the same registry method, you can disable Internet Explorer from opening Windows Update feature.
      • NoWindowsUpdate Dword.
      • To disable access to Windows Updates for people on Internet Explorer, change the value of the DWORD to 1. This will prevent users from accessing even the Windows Update website

    • HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication
      • You can use the registry editor to manage WSUS as well. For disabling the access to Windows Update on Windows Server systems.
      • DisableWindowsUpdateAccess DWORD.
        • Set the value to 1 to disable access to Windows Update. This will turn off all access to the Windows Update features on the user machines. Even the site of Windows Update is blocked so browsers, including Internet Explorer, cannot use it to update the individual computers until you want to.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

    Entry name

    Data type

    Values

    DisableWindowsUpdateAccess

    Reg_DWORD

    1 = Enabled. All Windows Update features are removed.

    0 = Disabled or not configured. All Windows Update features are available

    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    Entry name

    Data type

    Values

    AUOptions

    Reg_DWORD

    2 = Notify before download.

    3 = Automatically download and notify of installation.

    4 = Automatically download and schedule installation. Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.

    5 = Automatic Updates is required and users can configure it.

    NoAutoUpdate

    Reg_DWORD

    0 = Enable Automatic Updates.

    1 = Disable Automatic Updates.

    UseWUServer

    Reg_DWORD

    1 = The computer gets its updates from a WSUS server.

    0 = The computer gets its updates from Microsoft Update.

    The WUServer value is not respected unless this key is set.

    Reference : http://www.thewindowsclub.com/configure-windows-updates-registry-server

    https://github.com/vFense/vFenseAgent-win/wiki/Registry-keys-for-configuring-Automatic-Updates-&-WSUS