
Worklet: Enable Automatic Updates for Pre-downloading Patches

  • January 15, 2021
  • 3 replies
  • 462 views

habrnero

In an effort to reduce our required outage time for patching, I’ve created a worklet that sets a few registry keys on Windows systems to enable Windows Update to download (but not install) any newly relevant patches. This should significantly improve our ability to execute patching windows quickly, especially for systems at remote locations or with restricted bandwidth.

Note: only the ‘NoAutoUpdate’ and ‘AUOptions’ keys are actually required to enable this behavior. There are two other keys we have included to better manage this process for our needs.

(Special shoutout to @Josh-W for some assistance/finishing touches!)

Evaluation Code:

# Check registry key/value to enable Automatic Downloading of all relevant patches - DOES NOT INSTALL
#############################################
$regPathAU = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$regPathWindowsUpdate = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

$regPropertyAUOptions = 'AUOptions'
$desiredValueAUOptions = '3'
$regPropertyNAU = 'NoAutoUpdate'
$desiredValueNAU = '1'
$regPropertyAIMU = 'AutoInstallMinorUpdates'
$desiredValueAIMU = '0'

$regPropertyENA = 'ElevateNonAdmins'
$desiredValueENA = '0' # ElevateNonAdmins = 0 - Only users in the Administrators user group can approve or disapprove updates

$response = ''
$registryFlag = $true #indicates registry keys are set correctly
#############################################
 
# Retrieve current values for comparison
$currentValueAUOptions = (Get-ItemProperty -Path $regPathAU -Name $regPropertyAUOptions -ErrorAction SilentlyContinue).$regPropertyAUOptions
$currentValueNAU = (Get-ItemProperty -Path $regPathAU -Name $regPropertyNAU -ErrorAction SilentlyContinue).$regPropertyNAU
$currentValueAIMU = (Get-ItemProperty -Path $regPathAU -Name $regPropertyAIMU -ErrorAction SilentlyContinue).$regPropertyAIMU
$currentValueENA = (Get-ItemProperty -Path $regPathWindowsUpdate -Name $regPropertyENA -ErrorAction SilentlyContinue).$regPropertyENA
 
# Compare current with desired and exit accordingly.
# 0 for Compliant, 1 for Non-Compliant
# A key that is missing ($null) or holds a different value fails the comparison
if (($currentValueAUOptions -ne $desiredValueAUOptions) -or
    ($currentValueNAU -ne $desiredValueNAU) -or
    ($currentValueAIMU -ne $desiredValueAIMU) -or
    ($currentValueENA -ne $desiredValueENA)) {
    $registryFlag = $false #at least one registry key is not set
}

if (!$registryFlag) {
    $response = 'A registry key is missing or not set to the desired value'
    Write-Output $response
    Exit 1
} else {
    $response = 'All registry keys for Automox patching are set as expected'
    Write-Output $response
    Exit 0
}

Remediation Code:

# Define Registry paths, key(s) and variables
#############################################
# paths
$regPathAU = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$regPathWindowsUpdate = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

# key(s)/variables
$regPropertyENA = 'ElevateNonAdmins'
$desiredValueENA = '0' # ElevateNonAdmins = 0 - Only users in the Administrators user group can approve or disapprove updates
$response = ''
#############################################

# Test WU path; create the path if it is missing, then create the key
if (-not (Test-Path -Path $regPathWindowsUpdate)) {
    New-Item -Path $regPathWindowsUpdate -Force | Out-Null
    $response = 'Created Windows Update registry path.'
    Write-Output $response
}
Set-ItemProperty -Path $regPathWindowsUpdate -Name $regPropertyENA -Type DWord -Value $desiredValueENA -ErrorAction Stop
$response = 'WU - ElevateNonAdmins key created.'
Write-Output $response

# Test AU path; create the path if it is missing, then create the keys
# NoAutoUpdate - 1 = enable Automatic Updates
# AUOptions - 3 = Automatically download and notify of installation
# AutoInstallMinorUpdates - 0 = Treat minor updates like other updates
if (-not (Test-Path -Path $regPathAU)) {
    New-Item -Path $regPathAU -Force | Out-Null
    $response = 'Created AU registry path.'
    Write-Output $response
}
'Name,Value,Type
NoAutoUpdate,1,DWord
AUOptions,3,DWord
AutoInstallMinorUpdates,0,DWord' |
    ConvertFrom-Csv |
    ForEach-Object {
        # -Value and -Type must be passed explicitly: without -Type the value is written as a REG_SZ string, not the REG_DWORD the policy expects
        Set-ItemProperty -Path $regPathAU -Name $_.Name -Value ([int]$_.Value) -Type $_.Type -ErrorAction Stop
    }
$response = 'AU Registry keys created.'
Write-Output $response
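An added verification script (my example, not part of the worklet above or of Automox) that reads the same policy values, checks that each exists as a REG_DWORD with the worklet's desired value, and decodes what the Windows Update agent will do with them; the meanings of NoAutoUpdate and AUOptions follow Microsoft's Windows Update policy documentation, and the desired-state table is constructed from the worklet.

```powershell
# Added check, not part of the original worklet: read the Windows Update policy
# values the worklet manages, verify each exists as a REG_DWORD (these policy
# values are defined as DWORDs; a value written without -Type becomes a REG_SZ
# string) and decode the settings using Microsoft's documented meanings.
$auPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

# Desired state taken from the worklet (table constructed for this check)
$expected = @(
    @{ Path = $auPath; Name = 'NoAutoUpdate';            Value = 1 }
    @{ Path = $auPath; Name = 'AUOptions';               Value = 3 }
    @{ Path = $auPath; Name = 'AutoInstallMinorUpdates'; Value = 0 }
    @{ Path = $wuPath; Name = 'ElevateNonAdmins';        Value = 0 }
)
$auOptionsMeaning = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Local administrator chooses the setting'
}

function Get-WuPolicyValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key -or $key.GetValueNames() -notcontains $Name) { return $null }
    # Return the data together with its registry kind so the type can be checked
    [pscustomobject]@{ Value = $key.GetValue($Name); Kind = $key.GetValueKind($Name) }
}

$drift = 0
foreach ($e in $expected) {
    $actual = Get-WuPolicyValue -Path $e.Path -Name $e.Name
    if (-not $actual) { Write-Output "$($e.Name): MISSING"; $drift++; continue }
    if ($actual.Kind -ne 'DWord') { Write-Output "$($e.Name): type $($actual.Kind), expected DWord"; $drift++ }
    if ([int]$actual.Value -ne $e.Value) { Write-Output "$($e.Name): value $($actual.Value), expected $($e.Value)"; $drift++ }
}

# What the agent will actually do with the current policy
$nau = (Get-WuPolicyValue -Path $auPath -Name 'NoAutoUpdate').Value
$auo = (Get-WuPolicyValue -Path $auPath -Name 'AUOptions').Value
if ($nau -eq 1) { Write-Output 'Automatic Updates: DISABLED (NoAutoUpdate = 1)' } else { Write-Output 'Automatic Updates: enabled (NoAutoUpdate absent or 0)' }
if ($auOptionsMeaning.ContainsKey([int]$auo)) { Write-Output "AUOptions $auo = $($auOptionsMeaning[[int]$auo])" } else { Write-Output 'AUOptions: not set or unrecognised' }
exit ([int]($drift -gt 0))   # 0 = compliant, 1 = drift found, same convention as the worklet's evaluation
```

Running it after the remediation shows whether the keys landed with the right type, and the decoded lines make the effect of NoAutoUpdate visible without waiting for the SoftwareDistribution folder to fill.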

3 replies

  • Rookie
  • 2 replies
  • April 6, 2021

How do I add/modify the script to download MS patches from the local WSUS server instead of directly from Windows Update? Please advise. THX!


  • Pro
  • 49 replies
  • May 1, 2021

Is this something you run once or do you have it on a schedule to also include any missed machines?


  • Rookie
  • 3 replies
  • November 20, 2023

Has anyone else implemented this? For me, it didn’t seem to work until I reversed the logic and set NoAutoUpdate to 0 - i.e., automatic updates are *enabled* (still with AUOptions = 3, so they are downloaded but not installed).

On several machines I observed C:\Windows\SoftwareDistribution\Downloads remaining fairly empty with NoAutoUpdate = 1, with content downloading pretty soon after setting NoAutoUpdate = 0.

 

At the very least I think this comment may be inaccurate - NoAutoUpdate = 1 would disable automatic updates, not enable them (Manage additional Windows Update settings - Windows Deployment | Microsoft Learn).

# NoAutoUpdate - 1 = enable Automatic Updates

 

(See also Automatic Updates Registry Configuration for Pre-Downloading Patches - Microsoft Q&A).

 

I could be missing something; I’m a long-time SCCM veteran and SCCM mostly ignores this setting, so I have not spent much time working with it. I’m curious if this worked as described elsewhere, or needed to be tweaked the same way.

