Conflicting configurations

Important

The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) and have activated Windows Autopatch features.

Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.

During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the Not ready tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issues. You can review any device marked as Not ready and remediate them to a Ready state.

Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.

The most common sources of conflicting configurations include:

  • Active Directory Group Policy (GPO)
  • Configuration Manager Device client settings
  • Manual registry updates
  • Local Group Policy settings applied during imaging (LGPO)

Registry keys inspected by Autopatch

Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any

Resolving conflicts

Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed devices.

Important

It's recommended to only target devices with conflicting configuration alerts. The following remediation examples can affect devices that aren't managed by Windows Autopatch, so be sure to target accordingly.

Intune Remediation

Navigate to Intune Remediations and create a remediation using the following examples. It's recommended to create a single remediation per value to understand if the value persists after removal.

Whether you use the Detect action, the Remediate action, or both, be sure to update the Path and Value to match those called out in the alert. For more information, see Remediations.

Detect

# Detect: exit 1 (non-compliant) when the value exists so the remediation runs, exit 0 (compliant) otherwise.
if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
    exit 1
} else {
    exit 0
}

Alert details   Description
Path            HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Value           DoNotConnectToWindowsUpdateInternetLocations

Remediate

# Remediate: remove the value only if it is still present.
if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
}

Alert details   Description
Path            HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Value           DoNotConnectToWindowsUpdateInternetLocations
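The Detect and Remediate scripts above are written for a single value and assume the WindowsUpdate key itself exists; if the key is missing, Get-ItemProperty writes an error that Intune may report as a failed detection. The following is an added example, not the article's own script: it keeps the exit-code contract Intune expects (detect exits 1 when the value is present, 0 when it isn't), guards the key with Test-Path, and re-reads the value after removal so the remediation exit code reflects the end state. Upload the same file twice, once with $Mode set to Detect and once with Remediate, one remediation per value as the article recommends. The $Mode switch, the function names and the output strings are choices made here; $Path and $Name come from the Path and Value in the alert.

```powershell
# Added example (not from the article): one file uploaded to Intune Remediations twice,
# once as the detection script ($Mode = 'Detect') and once as the remediation script
# ($Mode = 'Remediate'). Set $Path and $Name from the Autopatch alert.
$Mode = 'Detect'   # 'Detect' or 'Remediate'
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # Path from the alert
$Name = 'DoNotConnectToWindowsUpdateInternetLocations'              # Value from the alert

function Test-ConflictingValue {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty writes an error when the key itself is absent, so test the key first.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
    return [bool]($item.PSObject.Properties.Name -contains $Name)
}

function Invoke-Detection {
    param([string]$Path, [string]$Name)
    if (Test-ConflictingValue -Path $Path -Name $Name) {
        $data = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
        # Exit 1 tells Intune the device is non-compliant and the remediation should run.
        return @{ Code = 1; Message = "Conflict: $Path\$Name = $data" }
    }
    return @{ Code = 0; Message = "Compliant: $Path\$Name not present" }
}

function Invoke-Remediation {
    param([string]$Path, [string]$Name)
    if (Test-ConflictingValue -Path $Path -Name $Name) {
        Remove-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    }
    # Re-read so the exit code reports the end state, not merely that a removal was attempted.
    if (Test-ConflictingValue -Path $Path -Name $Name) {
        return @{ Code = 1; Message = "Failed: $Path\$Name still present after removal" }
    }
    return @{ Code = 0; Message = "Removed: $Path\$Name" }
}

try {
    $result = if ($Mode -eq 'Remediate') { Invoke-Remediation -Path $Path -Name $Name }
              else                        { Invoke-Detection  -Path $Path -Name $Name }
} catch {
    $result = @{ Code = 1; Message = "Error: $($_.Exception.Message)" }
}

# Intune shows the last output line as the detection or remediation output for the device.
Write-Output $result.Message
exit $result.Code
```

Messages are returned from the functions rather than written inside them so that the function output stream carries only the result object; writing to the output stream from inside a function that also returns a value would turn the return into an array and break the exit call.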

PowerShell

Copy and paste the following PowerShell script into PowerShell or a PowerShell editor, and save it with a .ps1 extension. For more information, see Remove-ItemProperty (Microsoft.PowerShell.Management).

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DisableWindowsUpdateAccess"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate"
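The three commands above remove the values but give no signal if, as the article warns, another service writes them back. The following added example, which is not the article's script, walks the same three values the article lists under Registry keys inspected by Autopatch, records which are present, removes them, then re-reads them after a delay so that a value that reappears points to a persistent source such as Group Policy or Configuration Manager. The function names, the output format and the 60-second delay are choices made here, not Autopatch settings.

```powershell
# Added example: remove the values Windows Autopatch inspects, then watch for write-back.
# The value list mirrors the article's "Registry keys inspected by Autopatch" table.
$ConflictingValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DoNotConnectToWindowsUpdateInternetLocations' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DisableWindowsUpdateAccess' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate' }
)

function Get-ConflictState {
    # One object per inspected value with Present and Data; does not error when the key is missing.
    param([array]$Values)
    foreach ($v in $Values) {
        $present = $false
        $data = $null
        if (Test-Path -LiteralPath $v.Path) {
            $item = Get-ItemProperty -LiteralPath $v.Path
            if ($item.PSObject.Properties.Name -contains $v.Name) {
                $present = $true
                $data = $item.($v.Name)
            }
        }
        [pscustomobject]@{ Path = $v.Path; Name = $v.Name; Present = $present; Data = $data }
    }
}

function Remove-ConflictingValues {
    # Removes only the values that are actually present, logging the data that was there.
    param([array]$Values)
    foreach ($state in (Get-ConflictState -Values $Values | Where-Object Present)) {
        Write-Output "Removing $($state.Path)\$($state.Name) (was $($state.Data))"
        Remove-ItemProperty -LiteralPath $state.Path -Name $state.Name -ErrorAction Stop
    }
}

# 1. Record the starting state so the run is auditable.
Write-Output 'Before:'
Get-ConflictState -Values $ConflictingValues | Format-Table -AutoSize

# 2. Remove the conflicting values.
Remove-ConflictingValues -Values $ConflictingValues

# 3. Give Group Policy, Configuration Manager or another agent time to write back, then re-check.
$WaitSeconds = 60   # arbitrary choice made here
Start-Sleep -Seconds $WaitSeconds
$after = Get-ConflictState -Values $ConflictingValues
Write-Output "After $WaitSeconds seconds:"
$after | Format-Table -AutoSize

$writtenBack = @($after | Where-Object Present)
if ($writtenBack.Count -gt 0) {
    Write-Warning "$($writtenBack.Count) value(s) reappeared; another service is re-applying them. Review the common sources of conflicting configurations."
    exit 1
}
Write-Output 'All inspected values remain absent.'
exit 0
```

Running gpupdate /force between the removal and the re-check makes the Group Policy case show up immediately instead of waiting for the next background refresh; a value that comes back with no Group Policy refresh points at Configuration Manager client settings or a third-party agent instead.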

Batch file

Copy and paste the following code into a text editor, save it with a .cmd extension, and run it on the affected devices. This script removes the registry values that affect the Windows Autopatch service. For more information, see Using batch files: Scripting: Management services.

@echo off
echo Deleting registry keys...
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f
echo Registry keys deleted.
Pause

Registry file

Copy the following code to a Notepad file, save as a .reg extension, and execute against affected devices. This removes registry keys that affect the Windows Autopatch service. For more information, see How to add, modify, or delete registry subkeys and values by using a .reg file.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=-
"DisableWindowsUpdateAccess"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=-

Common sources of conflicting configurations

The following examples can be used to validate whether the configuration is being persisted by one of the following services. The list isn't exhaustive, and admins should plan for the possibility that their changes affect devices not managed by Windows Autopatch.

Group Policy management

Group Policy management is the most popular client configuration tool in most organizations. For this reason, it's most often the source of conflicting configurations. Using Resultant Set of Policy (RSOP) on an affected client can quickly identify whether configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.

  1. Launch an elevated Command Prompt and enter RSOP.
  2. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
  3. If no policy is present under Windows Update, the conflicting configuration isn't coming from Group Policy.
  4. If a policy is present under Windows Update, modify or limit the target of the conflicting policy to resolve the alert.
  5. If the policy is labeled Local Group Policy, the settings were applied during imaging or by Configuration Manager.
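Steps 1 to 5 walk through the RSOP console by hand. The following added example, not part of the article, does the same lookup from an elevated PowerShell prompt: it runs gpresult /scope computer /v and attributes each of the three inspected registry values to the GPO that delivers it, so that step 3 (no Group Policy source), step 4 (a domain GPO to retarget) and step 5 (Local Group Policy) can be told apart in one pass. The parse assumes the verbose gpresult layout in which each Administrative Templates entry is introduced by a "GPO:" line and carries a "KeyName:" line whose last path element is the value name, and that a locally applied setting is reported under the GPO name "Local Group Policy"; the function name and the output columns are choices made here.

```powershell
# Added example: find which GPO sets the Windows Update values Autopatch inspects, from
# the verbose RSOP text that gpresult produces. Run from an elevated prompt.
# Assumption about gpresult /v output: a "GPO: <name>" line precedes one or more entries,
# each with a "KeyName: <key>\<valuename>" line; local settings appear as "Local Group Policy".
$InspectedValueNames = @(
    'DoNotConnectToWindowsUpdateInternetLocations',
    'DisableWindowsUpdateAccess',
    'NoAutoUpdate'
)

function Get-GpoSourceForValues {
    param([string[]]$Lines, [string[]]$ValueNames)
    $currentGpo = $null
    foreach ($line in $Lines) {
        # Remember the most recent GPO header; it applies to the KeyName entries that follow.
        if ($line -match '^\s*GPO:\s*(.+?)\s*$') {
            $currentGpo = $Matches[1]
            continue
        }
        if ($line -match '^\s*KeyName:\s*(\S.*?)\s*$') {
            $keyName = $Matches[1]
            $leaf = Split-Path -Path $keyName -Leaf   # last path element is the value name
            if ($ValueNames -contains $leaf) {
                [pscustomobject]@{
                    ValueName = $leaf
                    KeyName   = $keyName
                    GPO       = $currentGpo
                    Local     = ($currentGpo -eq 'Local Group Policy')
                }
            }
        }
    }
}

# Capture the computer-scope RSOP report as lines of text.
$rsop = @(gpresult /scope computer /v)
$hits = @(Get-GpoSourceForValues -Lines $rsop -ValueNames $InspectedValueNames)

if ($hits.Count -eq 0) {
    # Step 3: nothing under Windows Update comes from Group Policy; look at Configuration Manager or other sources.
    Write-Output 'None of the inspected values are delivered by Group Policy.'
} else {
    # Step 4: a domain GPO name tells you which policy to retarget.
    # Step 5: Local Group Policy points at imaging or Configuration Manager.
    $hits | Format-Table ValueName, GPO, Local -AutoSize
}
```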

Configuration Manager

Configuration Manager is a common enterprise management tool that, among many other things, can help manage Windows Updates. For this reason, many environments end up misconfigured when moving to either 100% cloud or co-managed workloads, even when the workloads themselves are configured correctly: the client settings are often missed. For more information, see About client settings and software updates.

  1. Go to the Microsoft Endpoint Configuration Manager console.
  2. Navigate to Administration > Overview > Client Settings.
  3. Ensure Software Updates isn't configured. If configured, it's recommended to remove these settings to prevent conflicts with Windows Autopatch.

Third-party solutions

Third-party solutions can include any other product that might write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers.