Windows Server 2008 R2 Update Blocked: Troubleshooting Domain Admin Access and Certificate Errors

When Windows Update displays "some settings are managed by your system administrator" even for domain admins on Server 2008 R2, it typically indicates deeper policy or system issues. Let's break down the troubleshooting steps:

  • Group Policy Enforcement: Run these commands to verify actual policy application:
gpresult /h gpresult.html
rsop.msc
  • Certificate Store Issues: The CAPI2 error suggests certificate validation problems. Check with:
certmgr.msc
Get-ChildItem cert:\LocalMachine\Root | Where {$_.NotAfter -lt (Get-Date)}

Try this PowerShell script to reset Windows Update components:

$services = @('wuauserv','cryptSvc','bits','msiserver')
# Stop every service first: SoftwareDistribution cannot be cleared while wuauserv holds it open
$services | ForEach-Object { Stop-Service $_ -Force }
Remove-Item "$env:systemroot\SoftwareDistribution\*" -Recurse -Force -ErrorAction SilentlyContinue
# Bring the services back only after the download cache is gone
$services | ForEach-Object { Start-Service $_ }

For the CAPI2 4107 error, manually update the root certificates:

# Invoke-WebRequest needs PowerShell 3.0 or later (WMF 3/4 on 2008 R2)
$url = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
$tempFile = "$env:temp\authrootstl.cab"
Invoke-WebRequest -Uri $url -OutFile $tempFile
# The cab holds a single certificate trust list, authroot.stl (it is not an .sst)
expand $tempFile "$env:temp\authroot.stl"
certutil -addstore -f root "$env:temp\authroot.stl"

Examine these critical registry paths:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

When all else fails, use the Microsoft Update Catalog:

  1. Download updates manually from catalog.update.microsoft.com
  2. Install using:
wusa.exe update.msu /quiet /norestart

When you encounter the message "some settings are managed by your system administrator" while logged in as a domain admin on Windows Server 2008 R2, it's time for some serious troubleshooting. This issue typically stems from either Group Policy conflicts or system certificate problems.

First, let's verify the complete Group Policy inheritance chain. Run these commands from an elevated prompt (the first two are gpresult.exe; the last is a cmdlet from the GroupPolicy module, so it needs PowerShell with RSAT installed):

gpresult /h gp_report.html
gpresult /z > gp_verbose.txt
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\temp\rsop.html"

Key areas to examine in the output:

  • Computer Configuration > Administrative Templates > Windows Components > Windows Update
  • User Configuration > Administrative Templates > Control Panel > Add/Remove Programs

The CAPI2 error (Event ID 4107) indicates certificate validation failures. Let's check and repair the certificate store:

certmgr.msc
certutil -verifystore -v root
certutil -generateSSTFromWU roots.sst

For automation, this PowerShell script might help:

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root","LocalMachine"
$rootStore.Open("ReadWrite")
# authrootstl.cab contains a certificate trust list (authroot.stl), not certificates,
# so build a serialized store (.sst) of the current roots from Windows Update instead
$sst = "$env:temp\roots.sst"
certutil -generateSSTFromWU $sst | Out-Null
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($sst)
$rootStore.AddRange($certs)   # certificates already present in the store are skipped
$rootStore.Close()

Sometimes the Windows Update components themselves get corrupted. Try this reset sequence:

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver

Verify these registry keys haven't been locked down:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

Use this PowerShell to check permissions:

# Open read-only: reading the ACL only needs ReadPermissions, not ChangePermissions
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    "SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
    [System.Security.AccessControl.RegistryRights]::ReadPermissions)
if ($key -eq $null) {
    "Policy key not present: no WindowsUpdate policy is being applied through the registry"
} else {
    $acl = $key.GetAccessControl()
    $acl.Access | Format-Table IdentityReference,RegistryRights,AccessControlType -AutoSize
    $key.Close()
}
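As an added diagnostic that is not part of the original answer, the following PowerShell (written for PowerShell 2.0 so it runs on a stock 2008 R2 install) reads the policy values that commonly sit behind the "managed by your system administrator" message and pulls the most recent CAPI2 4107 events in one pass. The value names are the standard WindowsUpdate policy names; the function names and the "Why" explanations are mine.

```powershell
# Added diagnostic, not code from the original answer. Run from an elevated prompt.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Policy values that commonly produce "managed by your system administrator".
# Value names are the documented WindowsUpdate policy names; the 'Why' text is mine.
$watch = @(
    @{ Path = $policyKey;      Name = 'DisableWindowsUpdateAccess'; Why = 'Windows Update UI blocked for every user, admins included' },
    @{ Path = $policyKey;      Name = 'WUServer';                   Why = 'Client is pointed at a WSUS server' },
    @{ Path = "$policyKey\AU"; Name = 'UseWUServer';                Why = '1 = only the WSUS server named in WUServer is used' },
    @{ Path = "$policyKey\AU"; Name = 'NoAutoUpdate';               Why = '1 = automatic updating disabled by policy' },
    @{ Path = "$policyKey\AU"; Name = 'AUOptions';                  Why = 'Update behaviour fixed by policy' }
)

function Get-WuPolicyFindings {
    foreach ($w in $watch) {
        if (-not (Test-Path $w.Path)) { continue }
        $item = Get-ItemProperty -Path $w.Path -ErrorAction SilentlyContinue
        # Only report values that are actually set, with the key they came from
        if ($item -and ($item.PSObject.Properties[$w.Name] -ne $null)) {
            New-Object PSObject -Property @{
                Name  = $w.Name
                Value = $item.($w.Name)
                Key   = $w.Path
                Why   = $w.Why
            }
        }
    }
}

function Get-Capi2RootListFailures {
    param([int]$Last = 5)
    # Event 4107 ("Failed extract of third-party root list") is written by the
    # Microsoft-Windows-CAPI2 provider to the Application log
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 4107 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$findings = @(Get-WuPolicyFindings)
if ($findings.Count -eq 0) {
    'No WindowsUpdate policy values set under the Policies key; check user-level (HKCU) policy or GPO filtering instead.'
} else {
    $findings | Format-Table Name, Value, Key, Why -AutoSize -Wrap
}
Get-Capi2RootListFailures | Format-List
```

The first table tells you which GPO setting to trace back with the gpresult report; the 4107 messages name the URL and error that the root list download failed with, which is what the certificate repair steps above need to address.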

When all else fails, try these workarounds:

  1. Download updates manually from Microsoft Update Catalog
  2. Use WSUS offline update tool
  3. Create a scheduled task running as SYSTEM to trigger updates

Example scheduled task command:

schtasks /create /tn "Force Windows Update" /tr "cmd /c echo y | wuauclt /detectnow /updatenow" /sc once /st 00:00 /ru SYSTEM