When you open the Services MMC (services.msc) and double-click Windows Update service properties, the Start and Stop buttons are grayed out. Also, you may be unable to change the service Startup type.
In some cases, the Startup type dropdown list box may be available. However, attempting to change the service startup type and clicking Apply or OK causes Access Denied error.
As a workaround, you can change the service startup and other settings using the registry or run the SC.exe command-line tool under the SYSTEM account and modify the service settings.
This article tells you how to make the Windows Update service configurable (by administrators) using the Services MMC.
Windows Update Service Options are Grayed Out in Services MMC
The Windows Update service properties may be grayed out due to corrupt service security descriptors or tightened permissions. To reset the Windows Update service security configuration, follow these steps:
Open an admin Command Prompt window and run the following command:
sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
The above command-line fixes the permissions for the Windows Update (wuauserv) service.
Restart Windows for the change to take effect.
Additional Information
The security descriptor (SDDL) D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) is the default security descriptor for Windows Update service in Windows 10.
The above SDDL translates to the following permissions (Discretionary Access Control List — DACL):
[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
- SERVICE_QUERY_STATUS
- SERVICE_QUERY_CONFIG
- SERVICE_INTERROGATE
- SERVICE_ENUMERATE_DEPENDENTS
- SERVICE_START
- READ_CONTROL
[1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
- SERVICE_ALL_ACCESS
[2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
- SERVICE_ALL_ACCESS
It denotes that the builtin Administrators group and the SYSTEM account have full control (“SERVICE_ALL_ACCESS”) over the service. Authenticated Users have the right to query or start the service only.
Launch Services MMC and see if you can configure the Windows Update service now.
Alternately, if the Windows Update service security descriptors are corrupt or incorrect, the Windows Update Troubleshooter tool would offer to repair the problem automatically.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
It says Registry editor can not rename security how can i resolve this error ????
@abinash: Does running regedit.exe as LOCALSYSTEM help?
It did not work for me either. I tried running regedit as LOCALSYSTEM.
This was exactly what I needed — after spending hours looking at failed DISM/SFC Scans to resolve this issue. Like abinash, I couldn’t change the name due to a permissions issue. a search for “How to Gain Full Permissions to Edit Protected Registry Keys” led to an article that allowed me to resolve that issue. Once done, the instructions on this page worked.
Thank you so much, this was extremely helpful and efficient!
After getting nowhere for several hours, including reinstalling Windows 2019 Server, this resolved the powershell access denied issue set-service mpssvc -startuptype automatic. I used your instructions, except on mpssvc Windows Defender Firewall service by replacing your string with sc.exe sdset mpssvc… Now I can finally run the install for Microsoft Exchange Server.
I Can’t Rename Security into Security.old How Can I Solve It ???
Hi Ramesh,
Did exactly as per ur instructions. It worked for a while but soon the options were greyed out again. And in the reg edit window another security key appeared alongside security.old key. Should I delete the security key?
sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) didnt work. Access denied
@Michael: Can you pls upload a screenshot of the CMD window.
I was helped by simply unregistering and reregistering msiserver in cmd administrator:
C:\WINDOWS\system32>MSIEXEC /UNREGISTER
C:\WINDOWS\system32>MSIEXEC /REGSERVER
found in https://support.microsoft.com/en-us/help/319624/windows-installer-service-could-not-be-accessed-error-message-when-ins. This is old stuff for like win 2000, but it helped me out.
Jan
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\Win 10>sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
[SC] OpenSCManager FAILED 5:
Access is denied.
@khoi: This command has to be run from admin Command Prompt. Else the error 5 occurs.
Thanks Man that command worked awesomely!
Microsoft Windows [Version 10.0.19042.1110]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
[SC] SetServiceObjectSecurity FAILED 5:
Access is denied.
This is using Administer: Command Prompt
@Plinkyo: Can you re-run the command as TrustedInstaller. See this article on how to launch Cmd.exe as Ti.
https://www.winhelponline.com/blog/run-program-as-trustedinstaller-locked-registry-keys-files/