Windows Update Service Properties Grayed Out in Services MMC

When you open the Services MMC (services.msc) and double-click Windows Update service properties, the Start and Stop buttons are grayed out. Also, you may be unable to change the service Startup type.

windows update service properties tab grayed out - wuauserv sddl fix

As a workaround, you can change the service startup and other settings using the registry or run the SC.exe command-line tool under the SYSTEM account and modify the service settings.

This article tells you how to make the Windows Update service configurable (by administrators) using the Services MMC.

Windows Update Service Options are Grayed Out

The Windows Update service properties may be grayed out due to corrupt service security descriptors or tightened permissions. To reset the Windows Update service security configuration, follow these steps:

Open an admin Command Prompt window and run the following command:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

windows update service options grayed out - wuauserv sddl fix

The above command-line fixes the permissions for the Windows Update (wuauserv) service.

Restart Windows for the change to take effect.

Additional Information

The security descriptor (SDDL) D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) is the default security descriptor for Windows Update service in Windows 10 and Windows 11.

The above SDDL translates to the following permissions (Discretionary Access Control List — DACL):

[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users



  • SERVICE_QUERY_STATUS
  • SERVICE_QUERY_CONFIG
  • SERVICE_INTERROGATE
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_START
  • READ_CONTROL

[1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators

  • SERVICE_ALL_ACCESS

[2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM

  • SERVICE_ALL_ACCESS

It denotes that the “Administrators” group and the SYSTEM account have full control (“SERVICE_ALL_ACCESS”) over the service. Authenticated Users have the right to query or start the service only.

Launch Services MMC and see if you can configure the Windows Update service now.

windows update service properties tab grayed out - wuauserv sddl fix

Note: if the Windows Update service security descriptors are corrupt or incorrect, the Windows Update Troubleshooter tool will offer to repair the problem automatically.


Workaround: Enable the service via the registry

If the registry keys for the Windows Update service have the default permissions, you can enable the Windows Update via the registry.

  1. Open an admin Command Prompt
  2. Copy the following command and paste it into the CMD window:
    reg add HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start /d 3 /t REG_DWORD /f

    (You should see the message “The operation completed successfully.”)

  3. Restart Windows.

Editor’s note: You may also open Regedit.exe and set the Start value data to 3 in the above registry location. If you encounter an Access is Denied error, you need to take ownership of the registry key to modify the value. See the article Take Ownership of a Registry Key And Assign Full Permissions for more information.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

6 thoughts on “Windows Update Service Properties Grayed Out in Services MMC”

  1. This was exactly what I needed — after spending hours looking at failed DISM/SFC Scans to resolve this issue. I couldn’t change the name due to a permissions issue. a search for “How to Gain Full Permissions to Edit Protected Registry Keys” led to an article that allowed me to resolve that issue. Once done, the instructions on this page worked.

    Reply
  2. After getting nowhere for several hours, including reinstalling Windows 2019 Server, this resolved the powershell access denied issue set-service mpssvc -startuptype automatic. I used your instructions, except on mpssvc Windows Defender Firewall service by replacing your string with sc.exe sdset mpssvc… Now I can finally run the install for Microsoft Exchange Server.

    Reply
  3. Microsoft Windows [Version 10.0.19042.1110]
    (c) Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
    [SC] SetServiceObjectSecurity FAILED 5:

    Access is denied.

    This is using Administer: Command Prompt

    Reply

Leave a Reply