Windows Update showing "Some settings are managed by your organization" on Azure Windows Server 2019 VM
Solution 1:
These are set in the Registry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
as mentioned by @GregAskew. The two keys you mention seem to be the default for the public Server 2019 Datacentre VM image (certainly is for the 10 or so I've deployed in Azure so far) leaving the Server OS free to download and install updates at whim out of the box.
In the initial 'un-configured' state Group Policy will show all these settings as 'Not Configured', despite the fact there are at least two matching Registry Keys configuring parts of it as you've identified. As far as I can tell any settings that are not configured in the Registry or Group Policy are able to be manipulated by the user from the Control Panel interface. This is support by the Help text for 'Configure Automatic Updates' option in Group Policy editor
If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Conversely as you would expect, only those that are specified in either Registry or Group Policy are locked out from the Control Panel.
As soon as you start to edit the settings via Group Policy, the registry keys are modified and/or added to (relative to the specific Group Policy settings you manipulate in GPEdit).
Windows Update will still function despite apparent lack of configuration of some of these settings in either Registry or Group Policy. For example to address your question in comments about whether the AUOption is even functioning, again looking carefully at the Help for 'Configure Automatic Updates' option in Group Policy editor it states:
If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)
In my own Azure Tenancy I've set 'Configure Automatic Updates' 3 via Group Policy, set 'Install updates for other Microsoft Products' to TRUE and left everything unconfigured. I'm then using Azure Update Management to handle maintenance windows for install/restart and monitoring of update state, while I'm still testing it seems to be working well for me so far.