Since the release of Osquery 4.3.0 a new table called windows_security_center
has been added that reports on the current status of Windows Update.
The windows_security_center table supports more than just the auto update status of Windows. It also supports the following security center checks:
- Firewall status (firewall): the health of the monitored Firewall products (see the Osquery windows_security_products table)
- Windows Auto Update (autoupdate): the health status of the Windows Auto-update feature
- Antivirus status (antivirus): the health of the monitored Antivirus solution (see the Osquery windows_security_products table)
- Anti-spyware status (antispyware): the health of the monitored Anti-spyware solution (see the Osquery windows_security_products table)
- Internet Settings (internet_settings): the health of the Internet Settings. Please see the Windows Security Center settings for best practice.
- Windows Security Center Service (windows_security_center_service): the health of the Windows Security Center Service
- User Account Control (UAC) (user_account_control): the health of the User Account Control (UAC) capability in Windows
The health status of each of these Windows Security features can be “Good”, “Poor”, “Snoozed”, “Not Monitored” or “Error”. The following commands are run inside the Osquery shell, which can be accessed via the osqueryi command.
osquery> SELECT autoupdate FROM windows_security_center;
+------------+
| autoupdate |
+------------+
| Good       |
+------------+
The ideal state is naturally “Good”. This can also be converted into a boolean value by using a CASE statement.
osquery> SELECT CASE WHEN autoupdate = 'Good' THEN TRUE ELSE FALSE END AS autoupdate FROM windows_security_center;
+------------+
| autoupdate |
+------------+
| 1          |
+------------+
The above queries can also be applied to the other security center checks. You can also list all installed security products, should the state of a security center check be anything other than “Good”.
osquery> SELECT * FROM windows_security_products;
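To show how the CASE pattern above scales to every column of the table at once, here is an added Python example (not code from the page or from the osquery project). It builds an in-memory SQLite stand-in for windows_security_center with one constructed row, generates the osquery SQL that turns each of the seven checks into a 1/0 value, and returns the names of the checks that are not “Good”. The assumption, stated in the code, is that because osquery is built on SQLite the generated query runs unchanged inside osqueryi.

```python
import sqlite3

# Columns of osquery's windows_security_center table, as listed above; each holds
# one of the status strings "Good", "Poor", "Snoozed", "Not Monitored" or "Error".
SECURITY_CENTER_COLUMNS = (
    "firewall",
    "autoupdate",
    "antivirus",
    "antispyware",
    "internet_settings",
    "windows_security_center_service",
    "user_account_control",
)

# Constructed sample row: the antivirus check is unhealthy, everything else is Good.
SAMPLE_ROW = {
    "firewall": "Good",
    "autoupdate": "Good",
    "antivirus": "Poor",
    "antispyware": "Good",
    "internet_settings": "Good",
    "windows_security_center_service": "Good",
    "user_account_control": "Good",
}


def mock_security_center(row):
    """Build an in-memory SQLite stand-in for the osquery table (assumption:
    osquery is SQLite-based, so the CASE query below runs there unchanged)."""
    conn = sqlite3.connect(":memory:")
    columns = ", ".join(f"{c} TEXT" for c in SECURITY_CENTER_COLUMNS)
    conn.execute(f"CREATE TABLE windows_security_center ({columns})")
    placeholders = ", ".join("?" for _ in SECURITY_CENTER_COLUMNS)
    conn.execute(
        f"INSERT INTO windows_security_center VALUES ({placeholders})",
        [row[c] for c in SECURITY_CENTER_COLUMNS],
    )
    return conn


def health_check_query():
    """The query as it would be typed into osqueryi: one CASE per check,
    yielding 1 when the status is Good and 0 otherwise."""
    cases = ",\n  ".join(
        f"CASE WHEN {c} = 'Good' THEN 1 ELSE 0 END AS {c}"
        for c in SECURITY_CENTER_COLUMNS
    )
    return f"SELECT\n  {cases}\nFROM windows_security_center;"


def failing_checks(conn):
    """Run the query and return the names of the checks that are not Good."""
    conn.row_factory = sqlite3.Row
    result = conn.execute(health_check_query()).fetchone()
    return [c for c in SECURITY_CENTER_COLUMNS if result[c] == 0]


if __name__ == "__main__":
    print(health_check_query())
    print("failing checks:", failing_checks(mock_security_center(SAMPLE_ROW)))
```

The printed query is the one to paste into osqueryi or a scheduled query pack; the Python around it only exists so the logic can be exercised without a Windows host.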
Windows Group Policy Object check
On Windows 10, automatic updates are enabled by default unless the NoAutoUpdate registry key is present and its value is not 0, which indicates that Windows Update is disabled. This registry key will usually be present if it was set manually or if the system is managed by Active Directory and is part of a Group Policy Object (GPO). Osquery can also use the registry table to check that NoAutoUpdate exists and its value is set to 0.
SELECT
COUNT(*) AS passed
FROM
registry
WHERE
key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
AND name = 'NoAutoUpdate'
AND data = '0';
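To see how this check behaves in each of the states described above, here is an added Python example (not code from the page or from the osquery project). It runs the page's query, and an inverted form of it, against an in-memory SQLite stand-in for the registry table; osquery is built on SQLite, so the SQL itself is what you would run in osqueryi. The three scenarios (value absent, set to 1 by policy, set to 0) are constructed. The example also shows the caveat a practitioner will want: the page's query reports 0 when NoAutoUpdate is absent, even though absence is the default, enabled state; counting the values that disable updates instead treats an absent key as a pass.

```python
import sqlite3

AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# The query from the page: passes (1) only when NoAutoUpdate exists and is '0'.
PAGE_QUERY = """
SELECT COUNT(*) AS passed FROM registry
WHERE key = ? AND name = 'NoAutoUpdate' AND data = '0';
"""

# Inverted form: count values that disable updates; a count of 0 means updates
# are enabled, which also covers the default case where the value is absent.
DISABLED_QUERY = """
SELECT COUNT(*) AS disabled FROM registry
WHERE key = ? AND name = 'NoAutoUpdate' AND data != '0';
"""


def mock_registry(values):
    """In-memory SQLite stand-in for osquery's registry table, with only the
    columns the queries touch (assumption: key/name/type/data as TEXT).
    `values` is a list of (name, data) pairs placed under the AU key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry (key TEXT, name TEXT, type TEXT, data TEXT)")
    conn.executemany(
        "INSERT INTO registry VALUES (?, ?, 'REG_DWORD', ?)",
        [(AU_KEY, name, data) for name, data in values],
    )
    return conn


def page_query_passed(conn):
    """Result of the page's query: 1 when NoAutoUpdate is explicitly 0, else 0."""
    return conn.execute(PAGE_QUERY, (AU_KEY,)).fetchone()[0]


def auto_update_enabled(conn):
    """True unless NoAutoUpdate is present with a non-zero value."""
    return conn.execute(DISABLED_QUERY, (AU_KEY,)).fetchone()[0] == 0


if __name__ == "__main__":
    # Constructed scenarios: value absent (default), set by GPO to 1, set to 0.
    for label, values in [
        ("absent", []),
        ("NoAutoUpdate=1", [("NoAutoUpdate", "1")]),
        ("NoAutoUpdate=0", [("NoAutoUpdate", "0")]),
    ]:
        conn = mock_registry(values)
        print(f"{label:15} page query passed={page_query_passed(conn)} "
              f"enabled={auto_update_enabled(conn)}")
```

Which form to schedule depends on intent: the page's query is the right one when policy requires the value to be explicitly set to 0, while the inverted query answers the simpler question of whether anything is currently disabling updates.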
You can test the status of Windows auto update locally by modifying the registry key directly. From the Start menu run regedit.exe and navigate to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
From here, if the key doesn’t already exist, you can create it by right-clicking and creating a new DWORD named NoAutoUpdate, with a value of 1 to disable Windows Auto Update or 0 to keep it enabled.
It’s all over!
We hope you found this helpful. Please feel free to get in touch if you have any questions.