Windows Update: can't apply updates even as domain admin on Server 2008 R2
Solution 1
David's comments were helpful. Further to David's Answer, found a similar key
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoWindowsUpdate (REG_DWORD) - changed value from 1 to 0 - fixed it.
Solution 2
Double check to see if there is a DWORD entry called DisableWindowsUpdate
located under the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
If this key exists and has a value of 1, change it to 0.
Solution 3
Start, Run, gpedit.msc, Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Windows Update Configure Automatic Updates, Enable, Choose option 5
Solution 4
I've seen this when trying to update the SUS server itself. It wants to run it's updates through SUS directly.
Solution 5
for me it was in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
I set it to 0
Jesse
Updated on September 18, 2022Comments
-
Jesse almost 2 years
I open the Windows Update control panel, and it says "some settings are managed by your system administrator." Problem is, I'm logged in as a domain admin.
Tried so far:
- Searched the output of
gpresult /z
(see this previous SF question) for references to Windows Update, but everything there looked OK. - Searched the registry, and found a few more settings that looked relevant, but everything seemed to be set correctly.
- Checked with
gpedit
to try to find anything suspicious - Checked with
RSoP
, confirmed that "Configure Automatic Updates" and "Allow Automatic Updates immediate installation" are enabled.
Everything looks fine. I logged out, logged back in (as domain admin), and I still can't manually check for updates or apply them. I just get that "some settings are managed by your system administrator" message.
Where else could this be disabled?
EDIT: Just found this in the event viewer -- could it be related?
Log Name: Application Source: Microsoft-Windows-CAPI2 Event ID: 4107 Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
-
kralyk almost 12 yearsIt's gotta be a policy...either a local one or a GPO through AD. Do a gpresult /H /Z and really look through it paying attention to the Windows Update sections especially.
- Searched the output of
-
Jesse almost 12 yearsThis key did exist (with value 0). I deleted it, but the Windows Update control panel was not affected.
-
Jesse almost 12 yearsHow can I tell if this is an SUS server?
-
Jesse almost 12 yearsTried this; no luck. Tried to explicitly make my domain admin account a local admin, and hit another snag: serverfault.com/questions/415550/…
-
Joel Coel almost 12 yearsYou would know. SUS, or WSUS, is Windows Server Update Services. It's the mechanism you use to cache windows updates locally, so that you don't have to download the same updates once for each computer every month.
-
Jordan Rieger almost 11 yearsThis fixed it for me except there is a typo in the path above: "\windowsupdage" should be "\windowsupdate".
-
Evan about 6 yearsThis was the issue for me, this time. Yes, we're running a Win7 box five years later. And yes, this happens repeatedly.