
Configure Automatic Updates to Download Patches

Set the Windows Update AU policy on Windows endpoints so patches download in the background and wait for approved install

Worklet Details

What the Auto-Patch Download Enforcer does

This Automox Worklet™ enforces the Windows Update Automatic Updates (AU) policy on Windows endpoints by writing two registry values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU: AUOptions to 3 (download the updates automatically and notify when they are ready to be installed) and AutoInstallMinorUpdates to 0 (treat minor updates like every other update rather than silently installing them). The combination tells the Windows Update Agent to pull patches in the background as soon as its next detection scan finds them, then wait for an admin-approved install instead of running an unattended install during the user's work session.

The Worklet runs in two stages. Evaluation reads the current AUOptions and AutoInstallMinorUpdates values with Get-ItemProperty and exits 0 only when both already match the baseline. Remediation creates the AU subkey if it is missing, writes both DWORDs with Set-ItemProperty -Force, and re-reads them to confirm the write before returning exit 0. If the verification step fails, the script writes "Failed to update property value." to stderr and exits with code 2839.

Why enforce the Automatic Updates AU policy

The Windows Update AU registry values decide whether a managed endpoint downloads patches in the background or waits for the user to open Settings and click Check for updates. Those values drift constantly. A Windows feature update can rewrite the Policies key, a local administrator can edit the values directly or pause updates from Settings, and an OEM utility that piggybacks on Windows Update can set its own values. When the baseline drifts, the patching team sees endpoints sit at "Updates available" while the security team's compliance report quietly slips.

Setting AUOptions to 3 and AutoInstallMinorUpdates to 0 separates the download step from the install step. Patches move to disk on their own, so they are staged and ready when the maintenance window opens. The install itself stays under admin control, which avoids surprise reboots during work hours and keeps minor updates from auto-installing outside the change window. Schedule the Worklet on a recurring policy against your workstation and server groups so the AU baseline is reasserted after every Group Policy refresh, feature update, or third-party tool that touches the key.

How AU policy enforcement works

  1. Evaluation phase: The evaluation script runs Get-ItemProperty against HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and reads the AUOptions and AutoInstallMinorUpdates values. When AUOptions equals 3 and AutoInstallMinorUpdates equals 0, the endpoint reports compliant and exits 0. If either value is missing or set to anything else, the script writes "Evaluation failed. Flagging for remediation." and exits 1.

  2. Remediation phase: The remediation script creates the AU subkey with New-Item -Force if Test-Path returns false, then writes AUOptions = 3 and AutoInstallMinorUpdates = 0 as DWORDs using Set-ItemProperty -Force. Each write is wrapped in a try/catch so a failure is printed without aborting the run. The script then re-reads both values and exits 0 on success or exit 2839 with "Failed to update property value." sent to stderr if the post-write verification does not match.
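The page shows the Worklet's scripts only as screenshots, so the following is an added example, not the Worklet's own code: one PowerShell file that implements both stages described above, selected with a -Mode switch. Automox runs evaluation and remediation as two separate scripts, so split the two branches when you load it into a Worklet. The registry path, target values, output messages and exit codes are the ones stated on this page; the -Mode parameter, the $Baseline table and the helper function names are my own.

```powershell
# Added example modelled on the Worklet described above (not the Worklet's own script).
# Run as SYSTEM or a local administrator; HKLM:\SOFTWARE\Policies is not writable otherwise.
[CmdletBinding()]
param(
    [ValidateSet('Evaluate', 'Remediate')]
    [string]$Mode = 'Evaluate'   # my own switch; Automox ships the two stages as separate scripts
)

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Target baseline from the page: auto-download and notify for install (AUOptions=3),
# and do not silently install minor updates (AutoInstallMinorUpdates=0).
$Baseline = @{ AUOptions = 3; AutoInstallMinorUpdates = 0 }

function Get-AuState {
    # Returns a hashtable of the current values; $null marks a missing key or value.
    $state = @{}
    $props = if (Test-Path $AuKey) { Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue } else { $null }
    foreach ($name in $Baseline.Keys) {
        $state[$name] = if ($null -ne $props -and $null -ne $props.PSObject.Properties[$name]) { [int]$props.$name } else { $null }
    }
    return $state
}

function Test-AuCompliant {
    # True only when every baseline value is present and equal to the target.
    param([hashtable]$State)
    foreach ($name in $Baseline.Keys) {
        if ($State[$name] -ne $Baseline[$name]) { return $false }
    }
    return $true
}

if ($Mode -eq 'Evaluate') {
    # Exit 0 = compliant; exit 1 = flag the endpoint for remediation.
    if (Test-AuCompliant (Get-AuState)) { exit 0 }
    Write-Output 'Evaluation failed. Flagging for remediation.'
    exit 1
}

# Remediation: create the AU subkey if missing, then write both DWORDs.
if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
foreach ($name in $Baseline.Keys) {
    try {
        Set-ItemProperty -Path $AuKey -Name $name -Value $Baseline[$name] -Type DWord -Force -ErrorAction Stop
    } catch {
        # Report the failed write but keep going; the verification below decides the exit code.
        Write-Output "Failed to write ${name}: $($_.Exception.Message)"
    }
}

# Re-read the values before claiming success.
if (Test-AuCompliant (Get-AuState)) { exit 0 }
[Console]::Error.WriteLine('Failed to update property value.')
exit 2839
```

The verification step matters more than it looks: Set-ItemProperty succeeds even when a Group Policy or MDM sync is about to rewrite the value a few seconds later, so re-reading immediately only proves the write landed, not that it will stick. Drift that shows up on the next evaluation run is the signal that another policy source owns the key.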

Automatic Updates policy requirements

  • Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 or PowerShell 7

  • Local administrator or SYSTEM privileges so the agent can write under HKLM:\SOFTWARE\Policies (the default Automox agent context satisfies this)

  • No conflicting Group Policy or Intune configuration profile setting the AU keys to a different value; if one exists, update the source policy instead of running this Worklet on those endpoints

  • Network access from the endpoint to Microsoft Update or the configured WSUS server so the background download can actually fetch patches

  • A separate Automox policy or runbook step to trigger or approve the install once patches are staged, because AUOptions = 3 stops short of installing them

Expected Windows Update state after remediation

After a successful run, Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' returns AUOptions = 3 and AutoInstallMinorUpdates = 0. The Windows Update Agent picks up the new policy on its next scheduled scan and begins downloading available patches in the background, then leaves them in the "ready to install" state for a follow-up policy or scheduled maintenance window. Subsequent Automox policy runs report the endpoint as compliant unless a drift source has reset the keys, at which point the next evaluation flags it and remediation re-applies the baseline.

Validate on a single endpoint by running Get-ItemProperty against the AU key before and after the policy and confirming both values flip to the target. For audit evidence, capture the before-and-after registry output and store it with the policy run identifier. If the keys revert between runs, the most common cause is an Intune configuration profile, a Group Policy refresh, or a third-party Windows Update tool overwriting the AU key; investigate those sources before assuming the Worklet itself has failed.
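As an added example (not part of the Worklet), the script below takes the before-or-after snapshot suggested above, writes it as JSON evidence tagged with a run identifier, and flags the drift sources a practitioner would check first: a disabled-AU override in the same key, a WSUS pointer, and an MDM-delivered Update policy. The AU and WindowsUpdate policy paths and the NoAutoUpdate, UseWUServer and WUServer value names are standard Windows Update policy settings; the PolicyManager path is my assumption about where MDM (Intune) Update policy is mirrored on the device, and the -RunId parameter and evidence directory are placeholders for your own workflow.

```powershell
# Added example, not part of the Worklet: snapshot the AU-related policy values,
# store them as audit evidence, and flag the usual drift sources.
param(
    [string]$RunId = 'manual',                                    # placeholder for the Automox policy run identifier
    [string]$EvidenceDir = "$env:ProgramData\AutoPatchEvidence"   # assumed location; pick your own
)

$AuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # assumed MDM/Intune policy mirror

function Get-RegValue {
    # Returns the value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.PSObject.Properties[$Name]) { return $null }
    return $p.$Name
}

$snapshot = [ordered]@{
    RunId                   = $RunId
    Timestamp               = (Get-Date).ToString('o')
    ComputerName            = $env:COMPUTERNAME
    AUOptions               = Get-RegValue $AuKey 'AUOptions'
    AutoInstallMinorUpdates = Get-RegValue $AuKey 'AutoInstallMinorUpdates'
    NoAutoUpdate            = Get-RegValue $AuKey 'NoAutoUpdate'
    UseWUServer             = Get-RegValue $AuKey 'UseWUServer'
    WUServer                = Get-RegValue $WuKey 'WUServer'
    MdmAllowAutoUpdate      = Get-RegValue $MdmKey 'AllowAutoUpdate'
}

$findings = @()
if ($snapshot['AUOptions'] -ne 3 -or $snapshot['AutoInstallMinorUpdates'] -ne 0) {
    $findings += 'AU baseline has drifted (expected AUOptions=3, AutoInstallMinorUpdates=0).'
}
if ($snapshot['NoAutoUpdate'] -eq 1) {
    # NoAutoUpdate=1 disables Automatic Updates entirely, whatever AUOptions says.
    $findings += 'NoAutoUpdate=1 disables Automatic Updates regardless of AUOptions.'
}
if ($null -ne $snapshot['MdmAllowAutoUpdate']) {
    $findings += 'An MDM (Intune) Update policy is present; treat it as the source of truth instead of this Worklet.'
}
if ($snapshot['UseWUServer'] -eq 1 -and [string]::IsNullOrEmpty($snapshot['WUServer'])) {
    $findings += 'UseWUServer=1 but WUServer is empty; background downloads cannot reach a WSUS server.'
}
$snapshot['Findings'] = $findings

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$file = Join-Path $EvidenceDir ('au-state-{0}-{1}.json' -f $RunId, (Get-Date -Format 'yyyyMMddTHHmmss'))
$snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8

Write-Output "Evidence written to $file"
$findings | ForEach-Object { Write-Output "Finding: $_" }
```

Run it once before the policy and once after, passing the same -RunId, and keep both JSON files together. The registry alone cannot tell you whether a Group Policy delivers the AU values; for that, run gpresult /scope computer /h report.html on the endpoint and look for a Windows Update policy in the applied GPOs.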

[Screenshots on the original page: evaluation script, remediation script]


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
