Configure Automatic Updates to Download Patches

What the Windows Update download Worklet does

This Automox Worklet™ configures Windows Automatic Updates to download patches automatically but postpone installation until you trigger it manually. The Worklet modifies the Windows Update registry settings to set the AUOptions policy to 3 (download and notify) and disables AutoInstallMinorUpdates by setting it to 0.

The Worklet works without requiring Group Policy deployment or domain controller configuration. It creates the necessary registry path if it does not exist and handles errors gracefully with exception reporting, making it suitable for both workstations and servers.

Why configure automatic patch downloads separately

Update failures occur silently, leaving endpoints vulnerable. Deploying patches across hundreds or thousands of endpoints simultaneously strains network bandwidth and can cause connectivity issues. By configuring endpoints to download patches during off-peak hours but delay installation, you distribute bandwidth usage over time and reduce network congestion during enforcement windows.

This approach gives IT Operations teams the flexibility to schedule patch installation separately from download, allowing you to coordinate remediation with maintenance windows, endpoint availability, and business requirements without network performance penalties.

The Worklet also eliminates dependency on Group Policy, which is especially valuable for managing mixed environments with standalone systems, workgroup computers, or endpoints not connected to a domain controller.

How Windows Update policy configuration works

1. Evaluation phase: The Worklet checks the current registry values at HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU. It verifies that AUOptions equals 3 and AutoInstallMinorUpdates equals 0, indicating the download-only configuration is already applied.

2. Remediation phase: If settings are missing or incorrect, the Worklet creates the registry path if needed, then sets AUOptions to 3 and AutoInstallMinorUpdates to 0. After modification, it re-evaluates the settings to confirm successful application.

Windows Update configuration requirements

• Windows 10, Windows 11, or Windows Server 2016 and later

• Local administrator privileges required to modify registry keys

• PowerShell execution capability on the endpoint

• Windows Update service must be enabled (not disabled)

• No other conflicting Group Policy Objects managing automatic updates

Expected endpoint update behavior after remediation

After the Worklet runs successfully, endpoints automatically download patches from Windows Update when new updates become available. The endpoint notifies the logged-in user that updates are ready but does not install them automatically. Users see a system notification or toast message indicating that updates are available and ready for installation. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

You can then use Automox or manual processes to initiate patch installation on a schedule that minimizes disruption. The Worklet ensures this behavior persists across reboots and future Windows Update cycles, eliminating the need to reconfigure endpoints or apply Group Policy updates.

How to validate configure automatic updates to download patches changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for configure automatic updates to download patches.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-ItemProperty, Write-Output.

4. Validate remediation effects from script operations such as New-Item, Out-Null, Set-ItemProperty, then rerun evaluation for compliance.