May 31st, 2018
Windows Update Management Tips
Windows Updates... Believe it or not, they've been around since the days of Windows 98. They are often despised by end users and IT support staff because they may interrupt the workday, delay leaving at the end of the day, or they may break functionality. Along the way, Microsoft has improved the deployment and installation process with functions such as Windows Server Update Services (WSUS). Despite usually minor inconveniences, Windows Updates are vital to the security of your computer, your network, and your data, and should not be ignored.
How does an admin know what updates were installed, which failed, and why? Unfortunately, there are limited options to verify which updates were installed, failed, etc., and reporting for Windows Updates is still lacking. You can review the logs on each Windows PC to identify and troubleshoot a failed update, and there are a few tricks to lessen the burden of log searching. There is an easier way; with the help of a handy utility built on PowerShell, you can get more visibility into your updates.
Logs are filled with useful information, but that can also be their downfall. Oftentimes, logs are so large and cryptic that it takes too much time to sift through them and find what you're looking for when an IT "fire" is burning. Luckily, there are a few tips to ease the task of trudging through logs. Two places to look are the Windows Event Logs and the Windows Update log itself (windowsupdate.log).
To simplify your search through Windows event logs, focus on the following section of logs in the Event Viewer tree: Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient > Operational. Here you will see only event logs related to Windows Updates. You can sort by date or by Event ID number to better troubleshoot your installation. You may also wish to correlate an update error with other system events.
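The same log can be queried from PowerShell instead of browsing Event Viewer. The following is an added example, not part of the original article; the computer list and the 14-day window are assumed values.

```powershell
# Added example: list Windows Update client errors and warnings per computer.
# $Computers and $Days are assumed values; adjust them for your environment.
$Computers = @($env:COMPUTERNAME)      # e.g. Get-Content .\computers.txt
$Days      = 14

$filter = @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Level     = 2, 3                   # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-$Days)
}

$results = foreach ($computer in $Computers) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{n = 'Computer'; e = { $computer }},
                          TimeCreated, Id, LevelDisplayName, Message
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        # Anything else (host unreachable, access denied) is reported, not hidden.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Newest events first, with the full message text
$results | Sort-Object TimeCreated -Descending |
    Format-Table Computer, TimeCreated, Id, LevelDisplayName, Message -Wrap

# Count per computer and Event ID to spot a recurring failure
$results | Group-Object Computer, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated console; querying remote computers requires an account with rights to read their event logs.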
A seldom-known tool that helps correlate events and system issues is built into Windows, buried within the System and Security tools: the Reliability Monitor. Simply search for "Reliability Monitor". Here you can see recent events on a timeline spanning the last few days or weeks. More information on the Reliability Monitor can be found here: https://www.howtogeek.com/166911/reliability-monitor-is-the-best-windows-troubleshooting-tool-you-arent-using/
Depending on your version of Windows, the Windows Update log itself (windowsupdate.log) may not be directly viewable. However, it can be parsed in PowerShell. Launch the PowerShell console (powershell.exe) as an administrator and enter the following command to look for failures:
select-string -path $env:SystemRoot\WindowsUpdate.log FATAL
Alternatively, you can enter the command without the trailing search criteria ("FATAL" in this example), and you will be prompted to enter the search criteria; press Enter again when you are ready to start the search. For troubleshooting failures, you can search for "FATAL" and/or "WARNING" using this method. More information on the windowsupdate.log file can be found here: https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs
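On Windows 10 and later the update log is stored as ETL traces, and the Get-WindowsUpdateLog cmdlet converts them into a readable text file. The following added example (not from the original article) handles both cases and searches for both keywords at once; the output file name is an assumed value.

```powershell
# Added example: search the Windows Update log for FATAL and WARNING lines,
# whether the system keeps a plain-text log or ETL traces.
$patterns = 'FATAL', 'WARNING'
$legacy   = Join-Path $env:SystemRoot 'WindowsUpdate.log'

if (Get-Command Get-WindowsUpdateLog -ErrorAction SilentlyContinue) {
    # Newer Windows: build a readable log from the ETL traces first.
    # The file name below is an assumption; any writable path works.
    $log = Join-Path $env:TEMP 'WindowsUpdate-merged.log'
    Get-WindowsUpdateLog -LogPath $log | Out-Null
}
else {
    # Older Windows: the text log is written directly.
    $log = $legacy
}

if (-not (Test-Path $log)) {
    Write-Warning "No Windows Update log found at $log"
    return
}

# -SimpleMatch treats the keywords as literal text rather than regex.
$hits = Select-String -Path $log -Pattern $patterns -SimpleMatch

# Total per keyword, then the 50 most recent matching lines
foreach ($p in $patterns) {
    $count = @($hits | Where-Object { $_.Line -like "*$p*" }).Count
    "{0,-8} {1}" -f $p, $count
}
$hits | Select-Object -Last 50 LineNumber, Line | Format-Table -Wrap
```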
As any network administrator knows, visiting each computer to verify an installation can be extremely tedious and time-consuming. Luckily, there is a handy GUI tool called Windows Update Utility (WUU) that can help! This utility, built on PowerShell, is explained and can be downloaded here: https://learn.microsoft.com/en-us/samples/browse/?redirectedfrom=TechNet-Gallery
If running WUU from a Windows 7 PC, you may need to update the Windows Management Framework. Download information is here: https://support.microsoft.com/en-us/topic/update-for-windows-management-framework-5-1-for-windows-7-and-windows-server-2008-r2-918077a1-ebc1-289f-bc04-8cc4546eafd0
After downloading and unzipping the WUU.zip file, you will also need the "PSExec.exe" utility placed in the same folder. This can be found here: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
As a side note, administrators should restrict execution of PSExec.exe to administrative accounts and systems only.
Once the archive is unzipped and the PSExec.exe file has been placed in the same folder, you can launch WUU from PowerShell with the following command:
.\WUU.ps1
From this utility, you can query the local computer or multiple computers (manually entered, from AD, or from a text file). Once computers are loaded into the utility, you can check for, download, and install updates; show available updates, installed updates, history, and the update log; launch remote desktop; restart the computer(s); and even manage the Windows Update service.
Windows Updates are a necessary step to ensure the security of your computer, network and data. Unfortunately, visibility into the success of the actual update installation is lacking. However, you do have built-in tools to help you verify installations and troubleshoot errors. Event Viewer, the Windows Update log file itself, Reliability Monitor and PowerShell are all capable of helping you troubleshoot update installations on a local computer or across your network.
Additional information regarding Windows Updates can be found at the following links:
Pre-April 2017: https://technet.microsoft.com/en-us/security/bulletins
(Bulletin, KB and CVE Search Supported)
Post-April 2017: https://msrc.microsoft.com/update-guide/en-us
(Search by date range, product, severity, and impact; or search by KB or CVE number)
Authored by: Dave Kelly, CEH