Hello All, I am looking to create a regedit that checks for a set key value and, if that key value isn't set, changes it. I am looking to set the below all to a key value of 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisableWindowsUpdateAccess 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableWindowsUpdateAccess 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisableWindowsUpdateAccess 
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\DisableWindowsUpdateAccess

Is the below correct?

IF [REGISTRY HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate:Change DisableWindowsUpdateAccess]  =  1  THEN  Jump to :Change DisableWindowsUpdateAccess
:Change DisableWindowsUpdateAccess - Label
SET:  HKEY_CURRENT_USER\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate:Change DisableWindowsUpdateAccess = 0
IF [REGISTRY HKEY_CURRENT_USER\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:Change DisableWinidowsUpdateAccess]  =  1  THEN  Jump to :Change DisableWindowsUpdateAccess
:Change DisableWindowsUpdateAccess HKLM - Label
SET:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate:Change DisableWindowsUpdateAccess = 0
IF [REGISTRY HKEY_USERS\S-1-5-18\software\Microsoft\Windows\CurrentVersion\Policies\:Change DisableWinidowsUpdateAccess]  =  1  THEN  Jump to :Change DisableWindowsUpdateAccess
:Change DisableWindowsUpdateAccess - Label
SET:  HKEY_USERS\S-1-5-18\software\Microsoft\Windows\CurrentVersion\Policies\DisableWindowsUpdateAccess:Change DisableWindowsUpdateAccess = 0
Resend Config
Resend Patch information
Exit Script

 


You seem to be setting SYSTEM entries as well as user, so is there a reason you're not just taking the simpler route of applying a Microsoft Update patch policy which sets the UI to either hidden or managed?


Hi Lgs,

This is my first attempt at scripting in Automate; I have never done it before. What I am trying to accomplish is a script I can roll out to my larger groups of, say, 100+ systems at one shot, so that no user can change the Windows Update settings. We want to try this way through Automate first before we go the Microsoft GPO route.


You will want to take advantage of CWA's built-in functionality via Patch Manager Microsoft Update Policies to lock down the Windows Update GUI. If you apply that registry value DisableWindowsUpdateAccess to HKLM, you will brick Windows Update altogether (no patching will be possible). This setting should only be applied to user registry hives. But CWA already does this correctly and saves you from doing it manually when you have patching policies set up correctly.

  • 2 weeks later...

BlueToast, thanks for that information. I checked my policy and I already had it set for Managed Mode - UI Disabled.

So will that setting override my script I am testing? Or will my script override that preset setting?

And from your text, I should only do this for the local user hive, not the machine hive.

 

Thanks

M,


When using "Managed Mode - UI Disabled", ConnectWise Automate Agents automatically set registry value DisableWindowsUpdateAccess to data 1 in each user hive. This is how it yields a "UI Disabled" outcome. The agent will enforce this, so if you delete that registry value or modify its data to 0, you should expect to see the agent ensure the correct registry data exists with that registry value within 1-15 minutes (I forgot the exact interval). This can be observed through SysInternals procmon.exe.

Do not apply this registry value to the registry hive of NT AUTHORITY\SYSTEM (S-1-5-18) unless you are meaning to completely disable Windows Updates (no patching permitted).
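
An added example, not written by any poster in this thread or by ConnectWise: a read-only PowerShell audit that lists where DisableWindowsUpdateAccess is set and flags HKLM and the S-1-5-18 hive, the scopes the replies above warn about. The function name Get-WuAccessFinding and the Scope/Risk labels are assumptions made for this example; the subkeys are the ones posted in the thread.

```powershell
# Read-only audit (added example): makes no registry changes.
$valueName = 'DisableWindowsUpdateAccess'

# Subkeys taken from the paths posted in this thread.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
)

# Hypothetical helper: emits one object per key where the value exists.
function Get-WuAccessFinding {
    param([string]$Root, [string]$Scope)
    foreach ($sub in $subKeys) {
        $item = Get-ItemProperty -Path "Registry::$Root\$sub" -Name $valueName `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.$valueName
            [pscustomobject]@{
                Scope = $Scope
                Key   = "$Root\$sub"
                Data  = $data
                # Per the replies above: data 1 in HKLM or the SYSTEM hive stops patching.
                Risk  = if ($Scope -ne 'User' -and $data -eq 1) { 'Blocks patching' } else { 'OK' }
            }
        }
    }
}

$findings = @(Get-WuAccessFinding -Root 'HKEY_LOCAL_MACHINE' -Scope 'Machine')

# Only hives currently loaded under HKEY_USERS are visible; logged-off
# users are not covered. The *_Classes companion hives are skipped.
$findings += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid   = $_.PSChildName
        # S-1-5-18 is NT AUTHORITY\SYSTEM, the hive named in the thread.
        $scope = if ($sid -eq 'S-1-5-18') { 'SYSTEM' } else { 'User' }
        Get-WuAccessFinding -Root "HKEY_USERS\$sid" -Scope $scope
    }

$findings | Sort-Object Scope, Key | Format-Table -AutoSize
```

Run it from an elevated session so every loaded hive is readable; on agents in "Managed Mode - UI Disabled" the user-hive rows with data 1 are the expected state described above.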
