# WinUpdate-Pause Intune Remediation

# Purpose

Documents the detection and remediation scripts that find and clear a paused Windows Update state through Intune Remediation.

# Overview

This page covers both:

  • Detection script: Detects if Windows Update is paused by checking registry values and policy keys, with targeting logic to spread load.
  • Remediation script: Removes pause-related registry values and policies, restarts update services, and triggers update scan/install.

# Detection Script

Logic:

  • Targeting logic (spread scheduling):
    • Only runs on weekdays (Monday–Friday).
    • Uses the last character of the device hostname and the day of week to determine if the device is targeted for this run.
    • If not targeted, exits with code 0 (compliant/skipped).
  • Pause detection:
    • Checks for:
      • PauseUpdates=1 in HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
      • Existence of PauseStartTime in the same key
      • SetDisablePauseUXAccess=0 in HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    • If any are found, considers Windows Update paused and exits with code 1 (non-compliant).
    • Otherwise, exits with code 0 (compliant).

Inputs: None required; uses environment and registry.

Outputs:

  • Compliance status (paused or not paused)
  • Reasons for pause (if detected)
  • Log/output to console
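
One way to implement the detection logic above, added here as an example and not the project's own script. The registry paths, value names and exit codes are the ones listed on this page; the function names and the rule that maps the hostname's last character to a weekday (character code modulo 5) are assumptions.

```powershell
# Added example. Paths, value names and exit codes come from this page;
# function names and the hostname-to-weekday mapping are assumptions.
$uxKey     = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-TargetedToday {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Now = (Get-Date))
    $day = [int]$Now.DayOfWeek                        # Sunday = 0 ... Saturday = 6
    if ($day -lt 1 -or $day -gt 5) { return $false }  # weekdays only
    # Assumed mapping: code point of the last hostname character, modulo 5,
    # selects one weekday slot (Monday = 0 ... Friday = 4).
    $last = [int][char]$ComputerName.ToUpperInvariant()[-1]
    return (($last % 5) -eq ($day - 1))
}

function Get-PauseReasons {
    $reasons = @()
    $ux = Get-ItemProperty -Path $uxKey -ErrorAction SilentlyContinue
    if ($ux) {
        if ($ux.PauseUpdates -eq 1) { $reasons += 'PauseUpdates=1' }
        # PauseStartTime counts on existence alone, whatever its data.
        if ($null -ne $ux.PSObject.Properties['PauseStartTime']) {
            $reasons += 'PauseStartTime present'
        }
    }
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # Test existence first so an absent policy value is never read as 0.
    if ($pol -and $null -ne $pol.PSObject.Properties['SetDisablePauseUXAccess'] -and
        $pol.SetDisablePauseUXAccess -eq 0) {
        $reasons += 'SetDisablePauseUXAccess=0'
    }
    return $reasons
}

if (-not (Test-TargetedToday)) {
    Write-Output 'Not targeted for this run; skipping.'
    exit 0    # compliant/skipped
}
$found = @(Get-PauseReasons)
if ($found.Count -gt 0) {
    Write-Output ('Windows Update paused: ' + ($found -join '; '))
    exit 1    # non-compliant, remediation runs
}
Write-Output 'Windows Update is not paused.'
exit 0        # compliant
```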

# Remediation Script

Logic:

  • Removes pause-related registry values from HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings:
    • PauseUpdates
    • PauseStartTime
    • PauseEndTime
  • Removes SetDisablePauseUXAccess from HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate if present.
  • Restarts Windows Update services (wuauserv, bits).
  • Triggers a Windows Update scan and attempts to install available updates using the Windows Update COM API.
  • Logs all actions and results.
  • Exits with code 0 on success, 1 on error.

Inputs: None required; uses environment and registry.

Outputs:

  • Actions taken (registry changes, service restarts, update scan/install)
  • Log/output to console

# Usage

  • Both scripts are deployed as part of an Intune Remediation package.
  • Detection runs first; if Windows Update is paused, remediation is triggered.

# Inputs

  • No external parameters; all logic is self-contained.

# Outputs

  • Detection: Pause status, reasons, log/output.
  • Remediation: Actions taken, log/output.

# Notes

  • See project standards for logging, error handling, and accessibility.