0

I have many Windows 10 and Windows 11 machines, which are in different states of Windows Update settings. Unfortunately, some machines have local policies active for Windows Update settings.

I need to have all PCs reset to the Windows Update defaults and I need to do it with a remote tool that can execute CLI commands (PowerShell and such).

Usually, I would just delete HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate. That works fine, until the machine is rebooted and the still-existing local policy kicks in and changes Windows Update back to the previous setting.

I could, of course, remote to each machine by RDP or TeamViewer or whatever, start gpedit.msc and change the respective settings to "not configured", delete the registry key again and reboot.

However, I want to do it by command line, PowerShell script or similar.

I know how to delete the registry key that way, but I do not know how to set the group policy entries to "not configured" from the command line.

What would be a good way to achieve that?

I tried LGPO.exe, but frankly I do not understand how to use this tool for my purpose.

3
  • If policies are applied, you need to remove those policies. If policies are being reapplied after you reset them, you need to identify the source of those policies and stop applying them. Once you have removed the SOURCE of the policies, you can reset the system using its policy backup. I've detailed that process in another post here: superuser.com/questions/834373/… Commented May 23 at 21:25
  • Alternately, if you have control over the policy source, just set and apply the policies there. Intune, AD, GPO, whatever. The best way is to do it the way MS intends you to do it. Commented May 23 at 21:26
  • In order to solve this problem I would first identify what policies are being applied, I would then configure each policy to the desired setting, and export those policies so I could build a single script that would implement them.
    – Ramhound
    Commented May 23 at 23:12

2 Answers

0

Given that gpedit.msc and RDP were mentioned, I'll assume you're referring to locally set group policies for Windows Update settings, not domain policies setting them.

To reset all user and computer local group policies including those related to Windows Update, you can delete two specific folders and a registry key using an elevated PowerShell session, as you are already familiar with.

PowerShell

Stop-Service wuauserv -Force;
Remove-Item "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force;
Remove-Item "C:\Windows\System32\GroupPolicy" -Recurse -Force;
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Recurse -Force;
Start-Service wuauserv;

Note: This stops the Windows Update service, deletes the \GroupPolicyUsers and \GroupPolicy folders, and the Windows Update registry key and everything within it. It then starts the Windows Update service up again—I've had to use this a few dozen or more times with success—it will wipe all local group policy settings.

1
  • @Igrokit.... For remote execution you can put those commands in a scriptblock{} using invoke-command with or without -credential parameter. Work it out locally testing first on a local machine to confirm it sticks depending on how specific you need with your config, then wrapping in invoke-command as a -scriptblock{} with or without -credential is also trivial to work out. Commented May 23 at 23:31
0

Thanks to all who responded.

Actually, I dug into LGPO.exe once more and found it pretty simple in the end. RTFM was key... reading the documentation really helps.

What I did for my specific case:

Created a file "clear.txt" with the following content:

; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  .\Registry.pol

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
*
CLEAR

; PARSING COMPLETED.
; ----------------------------------------------------------------------

Executed the following command:

.\LGPO.exe /t .\clear.txt

The result is that the registry entry above is deleted, but in addition the respective local policy entry is deleted as well.

Dan
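The LGPO.exe approach from the answer above, combined with the Invoke-Command suggestion from the earlier comment so it can be run against several machines. This is an added example, not code from the original posts; it assumes PowerShell remoting is enabled on the targets, and the host names, the local path to LGPO.exe and the remote staging folder are placeholders.

```powershell
# Assumptions (not from the original post): remoting is enabled on the targets,
# LGPO.exe sits at $LgpoSource on the admin workstation, and the host names and
# staging folder below are placeholders to be replaced.
$Computers  = 'PC01', 'PC02'                 # constructed host names
$LgpoSource = 'C:\Tools\LGPO.exe'            # hypothetical local path
$Staging    = 'C:\Windows\Temp\lgpo-reset'   # hypothetical remote folder

# Same LGPO text entry as clear.txt in the answer (comment lines omitted).
$ClearText = @'
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
*
CLEAR
'@

foreach ($Computer in $Computers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $Computer -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock {
            New-Item -ItemType Directory -Path $using:Staging -Force | Out-Null
        }
        Copy-Item -Path $LgpoSource -Destination $Staging -ToSession $session -Force

        $result = Invoke-Command -Session $session -ScriptBlock {
            $exe = Join-Path $using:Staging 'LGPO.exe'
            $txt = Join-Path $using:Staging 'clear.txt'
            Set-Content -Path $txt -Value $using:ClearText -Encoding ASCII
            & $exe /t $txt 2>&1 | Out-Null   # the command from the answer
            $exit = $LASTEXITCODE
            Remove-Item -Path $using:Staging -Recurse -Force
            [pscustomobject]@{
                LgpoExitCode = $exit
                # Check afterwards whether the AU policy key still exists.
                AuKeyPresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
            }
        }
        $result | Select-Object PSComputerName, LgpoExitCode, AuKeyPresent
    }
    catch {
        Write-Warning "$Computer : $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession $session }
    }
}
```

Machines that report `AuKeyPresent` as True or that only produce a warning are the ones to look at by hand, since the change did not apply or could not be confirmed there.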
