Migrating machines - change Automatic Update?
I am migrating 11 Windows XP machines from our AD Domain to an external Workgroup. On the AD Domain, the machines are using SMS, so Automatic Updates are disabled through Group Policy. On the external Workgroup, we set Automatic Update on "Automatic", and let them pull updates from Microsoft. I can't get the migrated machines to stay configured though.
The problem is, even though I have turned off the Group Policies, Automatic Updates keeps getting disabled. (Control panel > Automatic Updates shows "Off", and everything is greyed out.)
The following key keeps getting set to 1 after any system restart.
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ WindowsUpdate \ DisableWindowsUpdateAccess
I can delete the key (or set it to 0), and my Control Panel will work normally for Automatic Updates - UNTIL I restart the system, when the value gets reset to 1 again somehow.
The WindowsUpdate.Log file (in C:\Windows) shows "AU disabled through Policy."
I have changed the Group policies (GPEDIT.MSC) for these two entries to "Not Configured" in an attempt to reset Automatic updates:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates
User Configuration >Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features
Thes policies stay put after system restarts, so they don't seem to be the cause. But something is still kicking the "DisableWindowsUpdateAccess" key to 1 again.
Any ideas?
November 7th, 2008 2:29am
I investigated what was causing the Registry key to flip, and found a (temporary) solution:
I used regedit to find the key that kept flipping
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ WindowsUpdate \ DisableWindowsUpdateAccess
Then I changed the permissions, and added "Deny" for SYSTEM for every action except Read and Query value.
Set the value of DisableWindowsUpdateAccess back to 0, and rebooted the machine. Sure enough, Windows update remained active this time.
Out of curiosity, I checked the Application Event log for errors, and found the following 5 entries for USERENV:
1-Windows could not access the registry policy file C:\Documents and Settings\All Users\ntuser.pol
2-Windows cannot create registry key Software\Policies\Microsoft\Windows\WindowsUpdate (Access is denied)
3-Windows cannot access the registry policy file C:\WINDOWS\System32\GroupPolicy\Machine\registry.pol (Access is denied)
4-Windows cannot create registry key Software\Policies\Microsoft\Windows\WindowsUpdate (Access is denied)
5-Windows cannot access the registry policy file, C:\Documents and Settings\All Users\tempntuser.pol (Access is denied)
I'm still trying to hunt down the root cause of why DisableWindowsUpdateAccess keeps (trying) to get forced to 1. It doesn't seem to be the group policies accessed through GPEDIT (at least not the two settings listed in my first post). I can switch those policy settings, restart, and the policies are still set where I had them; only that registry key keeps trying to flip.
The Permissions solution is working for now, but it seems like there should be a way to "legitimately" fix this...
The error messages open up a new question: why can't windows read those two files? (They both exist, and System and Administrator both have full rights...)
Free Windows Admin Tool Kit Click here and download it now
November 7th, 2008 8:09pm
Further investigation points to SP3 and/or the Group Policy for "Remove access to use all Windows Update features":
I returned FULL CONTROL to SYSTEM on the DisableWindowsUpdateAccess registry key.
I opened GPEDIT, and ENABLED "Remove access to use all Windows Update features"
As soon as I did, the red Security Center shield popped up, with "Automatic Updates are disabled".
Hoping for the best, I DISABLED the same policy - nope, Automatic Updates were still off. So I editted the Registry key, changing it back to 0. (Presto, Automatic Updates are on again)
I then restarted the machine, and as soon as the dekstop appeared, Automatic updates are off again (The WindowsUpdate Log shows again it was disabled by Group Policy)
Something in the SP3 update seems to have changed the behavior of the policy key "Remove access to use all Windows Update features" - it permanently disabled WIndows Update, instead of toggling it.
Restarting the machine now toggles Updates off, unless I remove permissions on that registry key.
Changing the key to 0, and deleting it also have no lasting effect: it pops back into the registry as disabled.
November 7th, 2008 11:49pm
I also tried updating to the latest Windows Update client; no effect.
I tried stopping AutomaticUpdate Service, re-registering WUPS2.DLL, and restarting AutomaticUpdates - no effect.
I tried a newer WUAU.ADM template for XP - also no change.
I tried a commercial "fix" named au_check_v78a, but still no effect.
This is very aggravating, and it looks like my "Temporary" fix of removing SYSTEM permissions from the key is the only thing that will ensure future automatic updates.
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2008 12:12am
Hi,
This forum is for Exchange server not handle the issue related to the Operating System. To get help, please post it on the below link:
http://www.microsoft.com/communities/newsgroups/default.mspx
Thanks
Allen
November 10th, 2008 12:18pm