I sent out some servers (running Server 2008 R2 x64) without checking their Windows Update settings... fail. By default they are set to automatically download and install. I need them to download but not install. Can this be done through the command line? RDP is not an option.
5 Answers
Sure. Download, notify for install:
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 3
Check out Group Policy Search for reference if you need to modify other parts of the policy directly via the registry - it's a lot more pleasant than digging through ADMX files.
- That key simulates Group Policy behaviour, i.e. it locks the setting so that it may not be modified via GUI. This may or may not be what you want. The key I described is the actual one controlling the setting. – Massimo Oct 18 '11 at 20:04
- @Massimo Indeed, good point. – Shane Madden Oct 18 '11 at 21:13
- Here is some useful information regarding registry entries related to Windows Update: https://technet.microsoft.com/en-us/library/dd939844(v=ws.10).aspx – Junior Mayhé Jan 15 '16 at 18:28
If the computers are in a domain, you can configure this setting via Group Policy.
Otherwise, you can manually configure the relevant Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
- Don't check
- Check but don't download
- Download but don't install
- Download and install
If you have this server in a domain environment you should do this through a Windows Update group policy. If you do it using another method you won't be able to revert these changes with a GPO.
If you are in a non-domain environment you can make the change using the command line. I don't know of any tool that lets you make this change directly, so you will need to make the change by modifying the Windows registry.
From a command line you can change the Windows registry using the command REG ADD.
The registry settings that you need to change are located under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. In particular, the AUOptions value, which is responsible for enabling or disabling the Windows Update setting.
If the value is:
- 0: Let the local administrator choose the settings
- 1: Never check
- 2: Check but don't download or install
- 3: Check, download but don't install
- 4: Download and install automatically
To run the command that you create on the remote computers you can use the Microsoft Sysinternals command line tool PSExec. You should restart the Windows Update service using Net Stop and Net Start.
So you should use something like this:
psexec.exe @Servers.txt net stop wuauserv
psexec.exe @Servers.txt REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 00000004 /f
psexec.exe @Servers.txt net start wuauserv
You can also force a Windows Update check using
psexec.exe @Servers.txt WUAUCLT /DETECTNOW
Where Servers.txt is a simple notepad file with an IP or a server name on each line.
If you don't want to use Psexec you can also run the REG command remotely.
For REG or Psexec you will need to have the firewall exception "File and Printer Sharing" enabled and should run the commands with a user account with administrative privileges on the remote servers. See https://stackoverflow.com/q/828432 for more info on other Access is denied issues when using Psexec.
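An added example, not part of any answer on this page: a PowerShell 2.0-compatible check that reads AUOptions from both registry locations discussed above and reports which one is in effect, treating a value under the Policies key as overriding the local one (the behaviour Massimo's comment describes). It assumes a Servers.txt like the one in the PsExec answer and the Remote Registry service running on the targets; the function names are hypothetical.

```powershell
# Added example: report which AUOptions value is in effect on each server.
# Value meanings are the ones listed in the answers on this page.
$meaning = @{ 1 = "Don't check"; 2 = "Check but don't download"
              3 = "Download but don't install"; 4 = "Download and install" }
$policyPath = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localPath  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Read-AUValue($hive, $path) {
    $key = $hive.OpenSubKey($path)             # read-only open
    if ($key -eq $null) { return $null }       # key does not exist
    try { return $key.GetValue('AUOptions') } finally { $key.Close() }
}

function Get-AUOptions {
    param([string]$ComputerName = '')          # '' = local machine
    $name = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    $row = New-Object PSObject -Property @{
        Computer = $name; Source = 'Not set'; Value = $null; Meaning = 'n/a' }
    try {
        # Remote reads need admin rights and the Remote Registry service (assumption).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        try {
            $policy = Read-AUValue $hklm $policyPath
            $local  = Read-AUValue $hklm $localPath
        } finally { $hklm.Close() }
    } catch {
        $row.Source = "Error: $($_.Exception.Message)"   # unreachable or access denied
        return $row
    }
    # A value under the Policies key wins and locks the GUI setting.
    if ($policy -ne $null)    { $row.Source = 'Policies key'; $row.Value = $policy }
    elseif ($local -ne $null) { $row.Source = 'Local key';    $row.Value = $local }
    if ($row.Value -ne $null -and $meaning.ContainsKey([int]$row.Value)) {
        $row.Meaning = $meaning[[int]$row.Value]
    }
    return $row
}

# Servers.txt: one name or IP per line; falls back to the local machine if absent.
$servers = if (Test-Path .\Servers.txt) { Get-Content .\Servers.txt } else { @('') }
$servers | ForEach-Object { Get-AUOptions $_ } |
    Select-Object Computer, Source, Value, Meaning | Format-Table -AutoSize
```

A row whose Source is "Policies key" means a later change to the local key will not take effect until the policy value is changed or removed.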
I am a little surprised no one offered the kb: http://support.microsoft.com/kb/328010
- Possibly because SE, in general, prefers that answers are [more than just links](http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers). – jscott Sep 05 '13 at 19:11
Figured it out:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f
Reference: