Windows Update Settings Audit

Scan Windows Update Settings

Managing Windows updates is almost a job on its own. With new version being released every year and updates every month, it is enough to keep you busy. Luckily Windows does have settings you can use to make your life a little easier. Settings that control when updates are downloaded and installed or when not to do it. Additionally, there are many other optional settings that can be enabled like Active Hours, Insider Program and more.

To help you report on these, we have a Windows Update Settings blog post that covers some of the settings available for scanning in the latest Windows versions and where you can find more of them if you are interested.

The report below shows assets where the pause status, update deferral, or reboot registry key has been scanned. To have these values scanned you must configure the following registry keys in your registry scanning configuration.

Please Note: The registry keys used may not be available on older Windows 10 versions.

Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
Regvalue 1: PausedFeatureStatus
Regvalue 2: PausedQualityStatus

Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
Regvalue 1: QualityUpdatesDeferralInDays
Regvalue 2: FeatureUpdatesDeferralInDays

Rootkey: HKEY_LOCAL_MACHINE
Regpath: SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Regvalue: RebootRequired

Windows Update Settings Query

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
SubQuery1.PausedFeature,
SubQuery2.PausedQuality,
SubQuery4.FeatureUpdatesDeferralInDays,
SubQuery3.QualityUpdatesDeferralInDays,
SubQuery5.RebootRequired,
Case
When TsysLastscan.Lasttime < GetDate() - 1 Then
'Last registry scan more than 24 hours ago! Scanned registry information 
may not be up-to-date. Try rescanning this machine.'
End As Comment,
tblAssets.Lastseen,
tblAssets.Lasttried,
TsysLastscan.Lasttime As LastRegistryScan
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblRegistry.AssetID,
Case
When tblRegistry.Valuename Is Not Null And tblRegistry.Valuename <> ''
Then 'Yes'
Else 'No'
End As RegistryKeysFound,
Case
When tblRegistry.Valuename Like '%PausedFeatureStatus%' And
tblRegistry.Value = 1 Then 'Yes'
Else 'No'
End As PausedFeature
From tblRegistry
Where
tblRegistry.Regkey Like
'%SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings' And
tblRegistry.Valuename Like '%PausedFeatureStatus%') SubQuery1 On
SubQuery1.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblRegistry.AssetID,
Case
When tblRegistry.Valuename Is Not Null And tblRegistry.Valuename <> ''
Then 'Yes'
Else 'No'
End As RegistryKeysFound,
Case
When tblRegistry.Valuename Like '%PausedQualityStatus%' And
tblRegistry.Value = 1 Then 'Yes'
Else 'No'
End As PausedQuality
From tblRegistry
Where
tblRegistry.Regkey Like
'%SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings' And
tblRegistry.Valuename Like '%PausedQualityStatus%') SubQuery2 On
SubQuery2.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblRegistry.AssetID,
Case
When tblRegistry.Valuename Is Not Null And tblRegistry.Valuename <> ''
Then 'Yes'
Else 'No'
End As RegistryKeysFound,
tblRegistry.Value As QualityUpdatesDeferralInDays
From tblRegistry
Where
tblRegistry.Regkey Like
'%SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState' And
tblRegistry.Valuename Like '%QualityUpdatesDeferralInDays%') SubQuery3 On
SubQuery3.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblRegistry.AssetID,
Case
When tblRegistry.Valuename Is Not Null And tblRegistry.Valuename <> ''
Then 'Yes'
Else 'No'
End As RegistryKeysFound,
tblRegistry.Value As FeatureUpdatesDeferralInDays
From tblRegistry
Where
tblRegistry.Regkey Like
'%SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState' And
tblRegistry.Valuename Like '%FeatureUpdatesDeferralInDays%') SubQuery4 On
SubQuery4.AssetID = tblAssets.AssetID
Left Join (Select Top 1000000 tblRegistry.AssetID,
Case
When tblRegistry.Valuename Is Not Null And tblRegistry.Valuename <> ''
Then 'Yes'
Else 'No'
End As RegistryKeysFound,
Case
When tblRegistry.Valuename Like '%RebootRequired%' And
tblRegistry.Value = 1 Then 'Yes'
Else 'No'
End As RebootRequired
From tblRegistry
Where
tblRegistry.Regkey Like
'%SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables' And
tblRegistry.Valuename Like '%RebootRequired%') SubQuery5 On
SubQuery5.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry' And
(SubQuery1.AssetID Is Not Null Or SubQuery2.AssetID Is Not Null Or
SubQuery3.AssetID Is Not Null Or SubQuery4.AssetID Is Not Null Or
SubQuery5.AssetID Is Not Null)
Order By tblAssets.Domain,
tblAssets.AssetName

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit

Harness the Power of Reporting