Windows Update showing "Some settings are managed by your organization" on Azure Windows Server 2019 VM

Solution 1:

These are set in the Registry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU as mentioned by @GregAskew. The two keys you mention seem to be the default for the public Server 2019 Datacentre VM image (certainly is for the 10 or so I've deployed in Azure so far) leaving the Server OS free to download and install updates at whim out of the box.

In the initial 'un-configured' state, Group Policy will show all these settings as 'Not Configured', despite the fact there are at least two matching Registry Keys configuring parts of it, as you've identified. As far as I can tell, any settings that are not configured in the Registry or Group Policy are able to be manipulated by the user from the Control Panel interface. This is supported by the Help text for the 'Configure Automatic Updates' option in Group Policy editor:

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

Conversely as you would expect, only those that are specified in either Registry or Group Policy are locked out from the Control Panel.

As soon as you start to edit the settings via Group Policy, the registry keys are modified and/or added to (relative to the specific Group Policy settings you manipulate in GPEdit).

Windows Update will still function despite the apparent lack of configuration of some of these settings in either Registry or Group Policy. For example, to address your question in comments about whether the AUOption is even functioning, again looking carefully at the Help for the 'Configure Automatic Updates' option in Group Policy editor, it states:

If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

In my own Azure Tenancy I've set 'Configure Automatic Updates' to 3 via Group Policy, set 'Install updates for other Microsoft Products' to TRUE and left everything unconfigured. I'm then using Azure Update Management to handle maintenance windows for install/restart and monitoring of update state. While I'm still testing, it seems to be working well for me so far.
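
To see which Automatic Updates settings are pinned by registry values, and so locked in the UI as the answer above describes, the following added example (not part of the original answer) reads the AU policy key and reports each value as set or not set. The list of value names it checks and the function name Get-AuPolicyReport are assumptions chosen for illustration.

```powershell
# Added example: report which Windows Update policy values exist under the AU key.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meanings of AUOptions as listed in the 'Configure Automatic Updates' policy.
$auOptions = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

# Value names checked by default; an assumption for this example, not exhaustive.
$known = 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay',
         'ScheduledInstallTime', 'AllowMUUpdateService'

function Get-AuPolicyReport {
    param([string]$Path = $auKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path does not exist: no Automatic Updates policy values are set."
        return
    }

    $key     = Get-Item -Path $Path          # Microsoft.Win32.RegistryKey
    $present = @($key.GetValueNames())
    # Also report values that exist in the key but are not in the known list.
    $extra   = @($present | Where-Object { $known -notcontains $_ })

    foreach ($name in @($known) + $extra) {
        if ($present -contains $name) {
            $value = $key.GetValue($name)
            $meaning = ''
            if ($name -eq 'AUOptions' -and $auOptions.ContainsKey([int]$value)) {
                $meaning = $auOptions[[int]$value]
            }
            [pscustomobject]@{ Name = $name; State = 'Set in registry'
                               Value = $value; Meaning = $meaning }
        } else {
            # Absent values are the ones left to defaults and local configuration.
            [pscustomobject]@{ Name = $name; State = 'Not set'
                               Value = $null; Meaning = '' }
        }
    }
}

Get-AuPolicyReport | Format-Table -AutoSize
```

Running it before and after a change in GPEdit shows which registry values the edited policy setting added or modified.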