Registry Keys modified when Patch Management is enabled or disabled

Last Modified

Wed 23 Aug 11:55 GMT 2023

Description

  • What Registry Keys get modified when Patch Management is enabled/disabled, or when the agent is uninstalled?

Environment

  • N-able N-central
  • Patch Management

Solution

  • These keys are required for Patch Management to function.
    • In some cases this is to accommodate the patch profile as the Registry Keys are how Windows determines who has access to which functions.
    • If a GPO was being used for WSUS these same keys would need to be changed to restrict user access.
    • In other cases, specifically for Windows 10, Windows will perform updates automatically without regard for patch management if the keys are not changed from their default state.
  • The agent is intended to reset this configuration when it is removed. If you need to investigate a registry entry for Windows Update settings, note that we use the full set of Registry Keys from Microsoft to manage the settings, depending on the profile used.
  • The keys and their associated values can be found in Configure Automatic Updates using Registry Editor (© 2016 Microsoft, available at www.microsoft.com, obtained on September 6, 2016).
  • The changed registry keys depend on the profile settings and are as follows:
    • For All Users (Windows Default State)
      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
        DisableWindowsUpdateAccess    REG_DWORD    0x0
        ElevateNonAdmins    REG_DWORD    0x1
    • Limited to Administrators and applications only
      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
        DisableWindowsUpdateAccess    REG_DWORD    0x0
        ElevateNonAdmins    REG_DWORD    0x0
    • Restricted to MSP N-central activity only
      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
        DisableWindowsUpdateAccess    REG_DWORD    0x1
        ElevateNonAdmins    REG_DWORD    0x0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess
    • Default State: 0
    • Changed for restricted Access (Administrator or N-central only): 1
    • Then run: usoclient.exe startscan
  • Automatic updating by Windows Update is disabled when Patch Management and Microsoft Patching are enabled within N-central. The Agent sends a request to PME to set NoAutoUpdate=1 and AUOptions=1. The reason is that we want the N-central agent to download the files and install the patches, and we do not want the Windows Update Agent to download or install automatically.
  • Enable Patch Management and the following setting is applied:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        AUOptions = 1
    Explanation of these values from Microsoft forums:
      0 - Enable Automatic Updates (Default)
      1 - Disable Automatic Updates
    AUOptions:
      2 - Notify for download and notify for install
      3 - Auto download and notify for install
      4 - Auto download and schedule the install
  • Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the N-able N-central software or documentation that you purchased from N-able, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
  • Some partners may ask if the Agent updates the setting for "Give me updates for other Microsoft Products when I update Windows". These settings are not modified by the agent:

  • Other updates and drivers:
    • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AllowMUUpdateService
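
To check which of the states above is currently applied on a device, for example after an agent uninstall, the following read-only PowerShell audit can be used. It is an added example, not N-able's or Microsoft's own code; the helper name Get-PolicyValue is hypothetical, and it assumes NoAutoUpdate sits in the same AU subkey as AUOptions.

```powershell
# Added example: read-only audit of the Windows Update policy values named in this article.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"   # assumption: NoAutoUpdate is stored beside AUOptions in the AU subkey

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # $null means the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$disable = Get-PolicyValue $wu 'DisableWindowsUpdateAccess'
$elevate = Get-PolicyValue $wu 'ElevateNonAdmins'

# Map the value pair to the profile names used in the article.
$accessProfile = switch ("$disable/$elevate") {
    '0/1'   { 'For All Users (Windows Default State)' }
    '0/0'   { 'Limited to Administrators and applications only' }
    '1/0'   { 'Restricted to MSP N-central activity only' }
    default { 'Not set, or not a combination listed in the article' }
}

[pscustomobject]@{
    AccessProfile                   = $accessProfile
    DisableWindowsUpdateAccess      = $disable
    ElevateNonAdmins                = $elevate
    SetDisableUXWUAccess            = Get-PolicyValue $wu 'SetDisableUXWUAccess'
    NoAutoUpdate                    = Get-PolicyValue $au 'NoAutoUpdate'
    AUOptions                       = Get-PolicyValue $au 'AUOptions'
    # The article states the agent does not modify the next two values.
    ExcludeWUDriversInQualityUpdate = Get-PolicyValue $wu 'ExcludeWUDriversInQualityUpdate'
    AllowMUUpdateService            = Get-PolicyValue $au 'AllowMUUpdateService'
} | Format-List
```

Empty fields in the output mean the value is not present in the registry. NoAutoUpdate or AUOptions still set to 1 on a device that no longer has the agent indicates the configuration was not reset on removal.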

Article Number: 111887