Azure Windows Server – Windows Update Managed by Organization

Tags: azure, windows-server-2019, windows-update

This is a Windows Server 2019 created in May 2020 on Azure. It is a standalone server.
In Settings > Update and Security > Windows Update, I see the message 'Some settings are managed by your organisation.' When I click 'View configured update policies', I see that there are Policies set on my device:

Automatically download updates and install them on the specified schedule
Source: Administrator
Type: Group Policy

Set Automatic Update options
Source: Administrator
Type: Group Policy

I have opened Local Group Policy Editor and navigated to Computer Configuration > Administrative Templates > Windows Components > Windows Update. All of these settings are set to 'Not configured'.

Next, I checked if the computer was on a domain of some kind.

  1. systeminfo says that DOMAIN is 'WORKGROUP'.

  2. I ran dsregcmd /status and saw that AzureAdJoined, EnterpriseJoined, DomainJoined are all 'No'.

  3. Using gpresult /r with elevated command prompt, I can see that in both Computer Settings and User Settings, no Group Policies have been applied.

So where are these Windows Update policies coming from?
I have seen the similar question here, but it is unanswered.

Best Answer

These are set in the Registry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU as mentioned by @GregAskew. The two keys you mention seem to be the default for the public Server 2019 Datacentre VM image (certainly is for the 10 or so I've deployed in Azure so far) leaving the Server OS free to download and install updates at whim out of the box.

In the initial 'un-configured' state Group Policy will show all these settings as 'Not Configured', despite the fact there are at least two matching Registry Keys configuring parts of it as you've identified. As far as I can tell any settings that are not configured in the Registry or Group Policy are able to be manipulated by the user from the Control Panel interface. This is supported by the Help text for the 'Configure Automatic Updates' option in Group Policy editor:

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

Conversely as you would expect, only those that are specified in either Registry or Group Policy are locked out from the Control Panel.

As soon as you start to edit the settings via Group Policy, the registry keys are modified and/or added to (relative to the specific Group Policy settings you manipulate in GPEdit).

Windows Update will still function despite apparent lack of configuration of some of these settings in either Registry or Group Policy. For example to address your question in comments about whether the AUOption is even functioning, again looking carefully at the Help for 'Configure Automatic Updates' option in Group Policy editor it states:

If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

In my own Azure Tenancy I've set 'Configure Automatic Updates' to 3 via Group Policy, set 'Install updates for other Microsoft Products' to TRUE and left everything else unconfigured. I'm then using Azure Update Management to handle maintenance windows for install/restart and monitoring of update state. While I'm still testing, it seems to be working well for me so far.
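An added example, not part of the original answer, for auditing which Windows Update policy values are present under HKLM\Software\Policies on a server like the one in the question, and for contrasting them with what Group Policy actually applied. It assumes an elevated PowerShell session on the server being inspected.

```powershell
# Audit the registry policy values that produce "Some settings are managed by
# your organization" for Windows Update. Example added for this answer, not
# from the original post; assumes an elevated session on the target server.

$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented meanings of the AUOptions value written by 'Configure Automatic Updates'
$auOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-PolicyValues {
    param([string]$Path)
    # Return one object per value under the key, or nothing if the key is absent
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $Path
            Name  = $name
            Value = $key.GetValue($name)
        }
    }
}

$values = @(Get-PolicyValues -Path $wuPath) + @(Get-PolicyValues -Path $auPath)

if ($values.Count -eq 0) {
    Write-Host 'No Windows Update policy values found under HKLM\SOFTWARE\Policies.'
} else {
    # Every value listed here locks the matching Control Panel option
    $values | Format-Table -AutoSize
    $au = $values | Where-Object { $_.Name -eq 'AUOptions' }
    if ($au) {
        Write-Host ("AUOptions = {0} ({1})" -f $au.Value, $auOptionNames[[int]$au.Value])
    }
}

# On a workgroup server gpresult lists no applied policies, so any values shown
# above were written directly to the registry (for example by the VM image)
# rather than delivered by a GPO.
gpresult /scope computer /r
```

Values that appear in the table but have no matching entry in the gpresult output were not delivered by Group Policy, which is exactly the situation described in the question.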