Checking the status of Windows update with Osquery

  • Windows Auto Update autoupdate
    The health status of the Windows Auto-update feature
  • Antivirus Status antivirus
    The health of the monitored Antivirus solution (see the Osquery windows_security_products table)
  • Anti-spyware Status antispyware
    The health of the monitored Anti-spyware solution (see the Osquery windows_security_products)
  • Internet Settings internet_settings
    The health of the Internet Settings. Please see the Windows Security Centers settings for best practice.
  • Windows Security Center Service windows_security_center_service
    The health of the Windows Security Center Service
  • User account control (UAC) user_account_control
    The health of the User Account Control (UAC) capability in Windows
osquery> SELECT autoupdate FROM windows_security_center;+------------+
| autoupdate |
+------------+
| Good |
+------------+
osquery> SELECT CASE WHEN autoupdate = 'Good' THEN TRUE ELSE FALSE END AS autoupdate FROM windows_security_center;+------------+
| autoupdate |
+------------+
| 1 |
+------------+
osquery> SELECT * FROM windows_security_products;

Windows Group Policy Object check

For Windows 10 automatic updates will be enabled by default. Unless the NoAutoUpdate registry key is present and the value is not 0. Indicating that Windows Update is disabled. This registry key will usually be present if set manually or the system is managed by Active Directory and is apart of a Group Policy Object (GPO). Osquery can also use the registry table to check for the existence of the NoAutoUpdate and the value is set to 0.

SELECT
COUNT(*) AS passed
FROM
registry
WHERE
key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
AND name = 'NoAutoUpdate'
AND data = '0';
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Its all over!

We hope you found this helpful. Please feel free to get in touch if you have any questions.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Zercurity

Zercurity

Real-time security and compliance delivered.