
In an effort to reduce our required outage time for patching, I’ve created a worklet that sets a few registry keys on Windows systems to enable Windows Update to download (but not install) any newly relevant patches. This should significantly improve our ability to execute patching windows quickly, especially for systems at remote locations or with restricted bandwidth.



Note: only the ‘NoAutoUpdate’ and ‘AUOptions’ keys are actually required to enable this behavior. There are two other keys we have included to better manage this process for our needs.



(Special shoutout to @Josh-W for some assistance/finishing touches!)



Evaluation Code:



# Check registry key/value to enable Automatic Downloading of all relevant patches - DOES NOT INSTALL
#############################################
$regPathAU = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$regPathWindowsUpdate = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

$regPropertyAUOptions = 'AUOptions'
$desiredValueAUOptions = '3'
$regPropertyNAU = 'NoAutoUpdate'
$desiredValueNAU = '1'
$regPropertyAIMU = 'AutoInstallMinorUpdates'
$desiredValueAIMU = '0'

$regPropertyENA = 'ElevateNonAdmins'
$desiredValueENA = '0' # ElevateNonAdmins = 0 - Only users in the Administrators user group can approve or disapprove updates

$response = ''
$registryFlag = $true # indicates registry keys are set correctly
#############################################

# Retrieve current values for comparison ($null when the path or the value does not exist)
$currentValueAUOptions = (Get-ItemProperty -Path $regPathAU -Name $regPropertyAUOptions -ErrorAction SilentlyContinue).$regPropertyAUOptions
$currentValueNAU = (Get-ItemProperty -Path $regPathAU -Name $regPropertyNAU -ErrorAction SilentlyContinue).$regPropertyNAU
$currentValueAIMU = (Get-ItemProperty -Path $regPathAU -Name $regPropertyAIMU -ErrorAction SilentlyContinue).$regPropertyAIMU
$currentValueENA = (Get-ItemProperty -Path $regPathWindowsUpdate -Name $regPropertyENA -ErrorAction SilentlyContinue).$regPropertyENA

# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
# Any mismatch (including a missing value, which reads as $null) clears the flag.
if ($currentValueAUOptions -ne $desiredValueAUOptions) { $registryFlag = $false } # registry key is not set
if ($currentValueNAU -ne $desiredValueNAU) { $registryFlag = $false } # registry key is not set
if ($currentValueAIMU -ne $desiredValueAIMU) { $registryFlag = $false } # registry key is not set
if ($currentValueENA -ne $desiredValueENA) { $registryFlag = $false } # registry key is not set

if (-not $registryFlag) {
    $response = 'A registry key is missing'
    Write-Output $response
    Exit 1
} else {
    $response = 'All registry keys for Automox patching are set as expected'
    Write-Output $response
    Exit 0
}



Remediation Code:



# Define Registry paths, key(s) and variables
#############################################
# paths
$regPathAU = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$regPathWindowsUpdate = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

# key(s)/variables
$regPropertyENA = 'ElevateNonAdmins'
$desiredValueENA = '0' # ElevateNonAdmins = 0 - Only users in the Administrators user group can approve or disapprove updates
$response = ''
#############################################

# Test WU path, if path exists then create key, else create path then create key
if (-not (Test-Path -Path $regPathWindowsUpdate)) {
    New-Item -Path $regPathWindowsUpdate -Force | Out-Null
    $response = 'Created Windows Update registry path.'
    Write-Output $response
}
Set-ItemProperty -Path $regPathWindowsUpdate -Name $regPropertyENA -Type DWord -Value $desiredValueENA -ErrorAction Stop
$response = 'WU - ElevateNonAdmins key created.'
Write-Output $response

# Test AU path, if path exists then create keys, else create path then create keys
# NoAutoUpdate - 1 = enable Automatic Updates
# AUOptions - 3 = Automatically download and notify of installation
# AutoInstallMinorUpdates - 0 = Treat minor updates like other updates
if (-not (Test-Path -Path $regPathAU)) {
    New-Item -Path $regPathAU -Force | Out-Null
    $response = 'Created AU registry path.'
    Write-Output $response
}
'Name,Value,Type
NoAutoUpdate,1,DWORD
AUOptions,3,DWORD
AutoInstallMinorUpdates,0,DWORD' |
    ConvertFrom-Csv |
    ForEach-Object {
        # Bind Name, Value and Type explicitly for each row rather than relying on pipeline property binding
        Set-ItemProperty -Path $regPathAU -Name $_.Name -Value $_.Value -Type $_.Type -ErrorAction Stop
    }
$response = 'AU Registry keys created.'
Write-Output $response
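As an added example (this is not the worklet code above, and not Automox's own code), the evaluation and remediation halves can be driven from one desired-state table so they cannot drift apart, and the check can verify the registry value kind as well as the number. A plain `-eq` comparison treats a REG_SZ "3" and a REG_DWORD 3 as equal, so a check that only compares values can report compliant on a machine whose policy value is the wrong type. The function names (`Test-WUPolicyValue`, `Get-WUPolicyState`, `Set-WUPolicyState`) are my own; the paths, value names and values are the ones used in the worklet.

```powershell
# Added example, not the worklet's own code. Function names are assumptions.
# Run elevated: the Policies hive under HKLM is writable only by administrators.

# One desired-state table serves both the evaluation and the remediation.
# Kind is the registry value type we expect (DWord for all four policy values).
$desiredState = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';            Value = 1; Kind = 'DWord' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AUOptions';               Value = 3; Kind = 'DWord' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AutoInstallMinorUpdates'; Value = 0; Kind = 'DWord' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'ElevateNonAdmins';        Value = 0; Kind = 'DWord' }
)

# Returns 'OK' or a short reason string describing how this one value deviates.
function Test-WUPolicyValue {
    param([hashtable]$Desired)
    $key = Get-Item -Path $Desired.Path -ErrorAction SilentlyContinue   # Microsoft.Win32.RegistryKey
    if (-not $key) { return 'PathMissing' }
    if ($key.GetValueNames() -notcontains $Desired.Name) { return 'ValueMissing' }
    $kind = $key.GetValueKind($Desired.Name)                              # RegistryValueKind enum
    if ("$kind" -ne $Desired.Kind) { return "WrongKind($kind)" }
    $actual = $key.GetValue($Desired.Name)
    if ($actual -ne $Desired.Value) { return "WrongValue($actual)" }
    return 'OK'
}

# Evaluation: one object per desired value, with its current state.
function Get-WUPolicyState {
    foreach ($d in $desiredState) {
        [pscustomobject]@{ Path = $d.Path; Name = $d.Name; State = (Test-WUPolicyValue -Desired $d) }
    }
}

# Remediation: write only the values that are not already correct.
# Set-ItemProperty with -Type replaces the value and its kind, so a wrong-kind
# value is corrected rather than left in place.
function Set-WUPolicyState {
    foreach ($d in $desiredState) {
        if ((Test-WUPolicyValue -Desired $d) -eq 'OK') { continue }
        if (-not (Test-Path -Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type $d.Kind -ErrorAction Stop
    }
}

# Evaluation worklet body: print per-value state and exit 1 on any deviation.
# A remediation worklet would call Set-WUPolicyState first, then run this same report.
$state = Get-WUPolicyState
$state | Format-Table -AutoSize | Out-String | Write-Output
$bad = @($state | Where-Object State -ne 'OK').Count
if ($bad -gt 0) { Exit 1 }
Exit 0
```

The report names which value is wrong and why (path missing, value missing, wrong kind, wrong number), which is more useful in a console than a single "A registry key is missing" line. One caveat for both the worklet and this example: values under HKLM\Software\Policies are the Group Policy registry area, so if a domain GPO also configures Windows Update, the next policy refresh rewrites them and the evaluation will flip back to non-compliant until the GPO and the worklet agree.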

How to add/modify a script to download MS patches from the local WSUS server instead of from Windows Update directly? Please advise. THX!


Is this something you run once or do you have it on a schedule to also include any missed machines?


Has anyone else implemented this? For me, it didn’t seem to work until I reversed the logic and set NoAutoUpdate to 0 - i.e., automatic updates are *enabled* (still with AUOptions = 3, so they are downloaded but not installed).

On several machines I observed C:\Windows\SoftwareDistribution\Downloads remaining fairly empty with NoAutoUpdate = 1, with content downloading pretty soon after setting NoAutoUpdate = 0.

At the very least I think this comment may be inaccurate - NoAutoUpdate = 1 would disable automatic updates, not enable them (Manage additional Windows Update settings - Windows Deployment | Microsoft Learn).

# NoAutoUpdate - 1 = enable Automatic Updates

(See also Automatic Updates Registry Configuration for Pre-Downloading Patches - Microsoft Q&A).

I could be missing something; I’m a long-time SCCM veteran and SCCM mostly ignores this setting, so I have not spent much time working with it. I’m curious if this worked as described elsewhere, or needed to be tweaked the same way.

