Windows Update: can't apply updates even as domain admin on Server 2008 R2


Solution 1

David's comments were helpful. Further to David's answer, found a similar key:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoWindowsUpdate (REG_DWORD) - changed value from 1 to 0 - fixed it.

Solution 2

Double check to see if there is a DWORD entry called DisableWindowsUpdate located under the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate 

If this key exists and has a value of 1, change it to 0.

Solution 3

Start, Run, gpedit.msc, Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Update, Configure Automatic Updates, Enable, Choose option 5

Solution 4

I've seen this when trying to update the SUS server itself. It wants to run its updates through SUS directly.

Solution 5

For me it was in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess

I set it to 0
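
A read-only check for the three policy values named in Solutions 1, 2 and 5, as an added example that is not part of the original answers. The paths and value names are copied from the answers as written; the function name `Get-UpdateBlockStatus` and the state labels are assumptions made for this example.

```powershell
# Added example: audits the registry values named in Solutions 1, 2 and 5.
# Nothing is modified. Uses only PowerShell 2.0 syntax (the version shipped
# with Server 2008 R2).
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoWindowsUpdate' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name = 'DisableWindowsUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name = 'DisableWindowsUpdateAccess' }
)

function Get-UpdateBlockStatus {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $name  = $c.Name
        $value = $null
        $state = 'KeyMissing'            # the policy key itself does not exist
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'  # key exists, value not set
            } else {
                $value = $item.$name
                # The answers treat a value of 1 as the setting that blocks updates
                if ($value -eq 1) { $state = 'BLOCKING' } else { $state = 'NotBlocking' }
            }
        }
        New-Object PSObject -Property @{
            State = $state; Name = $name; Value = $value; Path = $c.Path
        }
    }
}

$results = @(Get-UpdateBlockStatus -Checks $checks)
$results | Select-Object State, Name, Value, Path | Format-Table -AutoSize -Wrap

$blocking = @($results | Where-Object { $_.State -eq 'BLOCKING' })
if ($blocking.Count -gt 0) {
    Write-Output ("{0} value(s) set to 1; see the matching solution above." -f $blocking.Count)
} else {
    Write-Output 'None of the three values is set to 1.'
}
```

HKCU is a per-user hive, so run this in the session of the account that sees the message.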

Author by

Jesse

Updated on September 18, 2022

Comments

  • Jesse almost 2 years

    I open the Windows Update control panel, and it says "some settings are managed by your system administrator." Problem is, I'm logged in as a domain admin.

    Tried so far:

    • Searched the output of gpresult /z (see this previous SF question) for references to Windows Update, but everything there looked OK.
    • Searched the registry, and found a few more settings that looked relevant, but everything seemed to be set correctly.
    • Checked with gpedit to try to find anything suspicious
    • Checked with RSoP, confirmed that "Configure Automatic Updates" and "Allow Automatic Updates immediate installation" are enabled.

    Everything looks fine. I logged out, logged back in (as domain admin), and I still can't manually check for updates or apply them. I just get that "some settings are managed by your system administrator" message.

    Where else could this be disabled?

    EDIT: Just found this in the event viewer -- could it be related?

    Log Name:      Application
    Source:        Microsoft-Windows-CAPI2
    Event ID:      4107
    Description:
    Failed extract of third-party root list from auto update cab at:
    <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> 
    with error: A required certificate is not within its validity period when 
    verifying against the current system clock or the timestamp in the signed file.
    
    • kralyk almost 12 years
      It's gotta be a policy...either a local one or a GPO through AD. Do a gpresult /H /Z and really look through it paying attention to the Windows Update sections especially.
  • Jesse almost 12 years
    This key did exist (with value 0). I deleted it, but the Windows Update control panel was not affected.
  • Jesse almost 12 years
    How can I tell if this is an SUS server?
  • Jesse almost 12 years
    Tried this; no luck. Tried to explicitly make my domain admin account a local admin, and hit another snag: serverfault.com/questions/415550/…
  • Joel Coel almost 12 years
    You would know. SUS, or WSUS, is Windows Server Update Services. It's the mechanism you use to cache Windows updates locally, so that you don't have to download the same updates once for each computer every month.
  • Jordan Rieger almost 11 years
    This fixed it for me except there is a typo in the path above: "\windowsupdage" should be "\windowsupdate".
  • Evan about 6 years
    This was the issue for me, this time. Yes, we're running a Win7 box five years later. And yes, this happens repeatedly.