7

I open the Windows Update control panel, and it says "some settings are managed by your system administrator." Problem is, I'm logged in as a domain admin.

Tried so far:

  • Searched the output of gpresult /z (see this previous SF question) for references to Windows Update, but everything there looked OK.
  • Searched the registry, and found a few more settings that looked relevant, but everything seemed to be set correctly.
  • Checked with gpedit to try to find anything suspicious
  • Checked with RSoP, confirmed that "Configure Automatic Updates" and "Allow Automatic Updates immediate installation" are enabled.

Everything looks fine. I logged out, logged back in (as domain admin), and I still can't manually check for updates or apply them. I just get that "some settings are managed by your system administrator" message.

Where else could this be disabled?

EDIT: Just found this in the event viewer -- could it be related?

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Event ID:      4107
Description:
Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> 
with error: A required certificate is not within its validity period when 
verifying against the current system clock or the timestamp in the signed file.
Community
  • 1
Jesse
  • 1,910
  • 3
  • 23
  • 28
  • 2
    It's gotta be a policy...either a local one or a GPO through AD. Do a gpresult /H /Z and really look through it paying attention to the Windows Update sections especially. – TheCleaner Aug 08 '12 at 12:55
  • @TheCleaner: there's no longer anything in the gpresult /z output related to WindowsUpdate that looks at all suspicious. Is there anything else I should be looking for? – Jesse Aug 08 '12 at 18:44

8 Answers8

8

David's comments were helpful. Further to David's Answer, found a similar key

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoWindowsUpdate (REG_DWORD) - changed value from 1 to 0 - fixed it.

user162193
  • 81
  • 1
  • 1
  • This was the issue for me, this time. Yes, we're running a Win7 box five years later. And yes, this happens repeatedly. – Evan May 23 '18 at 23:31
3

Double check to see if there is a DWORD entry called DisableWindowsUpdate located under the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

If this key exists and has a value of 1, change it to 0.

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95
David
  • 31
  • 1
  • This key did exist (with value 0). I deleted it, but the Windows Update control panel was not affected. – Jesse Aug 08 '12 at 14:42
  • This fixed it for me except there is a typo in the path above: "\windowsupdage" should be "\windowsupdate". – Jordan Rieger Sep 11 '13 at 21:37
3

Start, Run, gpedit.msc, Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Update Configure Automatic Updates, Enable, Choose option 5

Dusan Bajic
  • 2,056
  • 1
  • 18
  • 21
  • Tried this; no luck. Tried to explicitly make my domain admin account a local admin, and hit another snag: http://serverfault.com/questions/415550/adding-a-new-local-user-hangs-netplwiz-on-server-2008-r2 – Jesse Aug 08 '12 at 15:08
2

I've seen this when trying to update the SUS server itself. It wants to run it's updates through SUS directly.

Joel Coel
  • 12,932
  • 14
  • 62
  • 100
  • How can I tell if this is an SUS server? – Jesse Aug 08 '12 at 14:43
  • You would know. SUS, or WSUS, is Windows Server Update Services. It's the mechanism you use to cache windows updates locally, so that you don't have to download the same updates once for each computer every month. – Joel Coel Aug 08 '12 at 15:26
1

for me it was in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess

I set it to 0

Jimmy Osinski
  • 11
  • 1
1

I had to search for the key "DisableWindowsUpdateAccess" from HKLM. On our server it was located under HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\ To note: Our server had been managed by NCentral (Solarwinds) and the agent managed the updates. I'm sure this was changed or modified by their agent. Windows Update didn't automatically start working after the agent was removed. We had to modify this key and now it works. (And had to reboot after editing the key).

Mars
  • 11
  • 1
0

I found it here, a similar but different location than mentioned in the above replies:

Reg Key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate

Was set to 1 – changed to 0 and Windows Update now unlocked.

Uwe Keim
  • 2,420
  • 5
  • 30
  • 47
John Kalivas
  • 1
0

I had to do both

Start, Run, gpedit.msc, Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Update Configure Automatic Updates, Enable, Choose option 5

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess and set it to 0
Jenny D
  • 27,780
  • 21
  • 75
  • 114
C Tyrell
  • 1