Updates do not install in Audit Mode (Update Now button never triggered) #159

@txfnt00

Description

When using packer-plugin-windows-update inside Windows Audit Mode, updates are detected correctly from our internal WSUS server, but the installation phase never starts automatically.
From a UI perspective, it looks like the process stops at the “Update now” button in Windows Update — updates are available, but not actually installed.
Another organization we contacted says they do run updates in Audit Mode successfully, but in our case installation never starts.
We also tested running Windows Update installation via Task Scheduler jobs under SYSTEM, without using the plugin, and the behavior is the same: the job stays queued until manually triggered.
This suggests the problem is not the plugin itself, but rather how Packer runs provisioners in Audit Mode on Windows 11 23H2.

Environment
Packer version: 1.14.2 (Linux AMD64)
packer-plugin-windows-update version: Tested many, currently using 0.17.1
Windows version: Windows 11 23H2
Build context: Audit Mode (sysprep /audit) VM build
Update source: Internal WSUS server (configured via registry)

What works
The plugin successfully connects to WSUS.
Updates are listed and detected.
Services (wuauserv, BITS, TrustedInstaller) are running.

What fails
Updates never actually install in Audit Mode.
The plugin hangs or stays queued until timeout.
Even custom PowerShell or Task Scheduler SYSTEM jobs don’t install automatically — only when triggered manually.

Steps to reproduce

  1. Enter Audit Mode (Ctrl+Shift+F3) during Windows setup.
  2. Run a Packer build with packer-plugin-windows-update.
  3. Configure WSUS via registry or environment variables.
  4. Observe: updates are detected, but installation never begins.

Expected behavior
Updates should install automatically in Audit Mode once detected, without requiring manual intervention.

Actual behavior
Updates remain pending until manually started via GUI (“Update now”) or manually running the scheduled task.

Additional notes
We attempted workarounds using:

  • Scheduled tasks under SYSTEM
  • Direct COM API calls (Microsoft.Update.Session)
  • Forcing detection (UsoClient StartScan)
  • Enabling Task Scheduler history for debugging

In all cases, updates only install when triggered manually.
Another organization says they do get updates installed in Audit Mode with this plugin, so it may depend on Windows build or how Packer communicates with the guest VM.
