Checking the status of Windows update with Osquery
Since the release of Osquery 4.3.0 a new table called
windows_security_center has been added that reports on the current status of Windows Update.
windows_security_center table supports more than just the auto update status of Windows. It also supports the following security center checks:
- Firewall status
The health of the monitored Firewall products (see the Osquery
- Windows Auto Update
The health status of the Windows Auto-update feature
- Antivirus Status
The health of the monitored Antivirus solution (see the Osquery
- Anti-spyware Status
The health of the monitored Anti-spyware solution (see the Osquery
- Internet Settings
The health of the Internet Settings. Please see the Windows Security Centers settings for best practice.
- Windows Security Center Service
The health of the Windows Security Center Service
- User account control (UAC)
The health of the User Account Control (UAC) capability in Windows
The health status of each of these Window Security features can be “Good”, “Poor”. “Snoozed”, “Not Monitored” or “Error”. The following commands are run inside the Osquery shell. Which can be accessed via the
osquery> SELECT autoupdate FROM windows_security_center;+------------+
| autoupdate |
| Good |
The ideal state is naturally, is “ Good”. This can also been converted into a boolean value by using the
osquery> SELECT CASE WHEN autoupdate = 'Good' THEN TRUE ELSE FALSE END AS autoupdate FROM windows_security_center;+------------+
| autoupdate |
| 1 |
The above queries can also be applied to the other security center checks. You can also see a full list of installed security products should state of the security center check be anything other than “Good”.
osquery> SELECT * FROM windows_security_products;
Windows Group Policy Object check
For Windows 10 automatic updates will be enabled by default. Unless the
NoAutoUpdate registry key is present and the value is not
0. Indicating that Windows Update is disabled. This registry key will usually be present if set manually or the system is managed by Active Directory and is apart of a Group Policy Object (GPO). Osquery can also use the
registry table to check for the existence of the
NoAutoUpdate and the value is set to
COUNT(*) AS passed
key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
AND name = 'NoAutoUpdate'
AND data = '0';
You can test the status of Windows auto update locally by modifying the registry key directly. From the start menu run
regedit.exe and navigate to the following path:
From here if the key doesn’t already exist you can create it by right clicking and creating a new
DWORD. With the value of
1 to disable
0 to keep it enabled.
Its all over!
We hope you found this helpful. Please feel free to get in touch if you have any questions.