Monitor - Windows Update

1. Import-Module $env:SyncroModule -DisableNameChecking
2. # Todo: implement different maximums for Enterprise/Edu/IoT Enterprise/LTSB/LTSC
3.  
4. # Maximum age of builds you want to support in months
5. $Win10MaxAge = "18" # Standard EOL for Home/Pro is 18 months
6. $Win11MaxAge = "24" # Standard EOL for Home/Pro is 24 months
7.  
8. # Number of days to consider an update recent
9. $Recent = '50'
10.  
11. # UTC Time Offset: check yours @ https://www.timeanddate.com/time/difference/timezone/utc
12. $Offset = '-6'
13.  
14. # Check Windows 10/11 version age
15. $OSname = Get-CimInstance Win32_OperatingSystem | Select-Object -ExpandProperty Caption
16. if ((Get-CimInstance Win32_OperatingSystem).Version -like '10*' -and $OSname -notlike '*Server*') {
17.     if ($OSname -match 'Windows 10') {
18.         $MaxAge = $Win10MaxAge
19.         $CurrentDate = (Get-Date).AddMonths(-$MaxAge).ToString("yyMM")
20.         # Grab version and convert to numerical format, 19041 and older do not have DisplayVersion so we grab ReleaseID
21.         if ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DisplayVersion) {
22.             $Version = ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DisplayVersion).replace('H1', '05').replace('H2', '11')
23.         } else {
24.             $Version = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId
25.         }
26.     }
27.     if ($OSname -match 'Windows 11') {
28.         # Adjustment for last version of Windows 10
29.         if ($Version -eq '22H2') {
30.             $MaxAge = 36
31.         } else { $MaxAge = $Win10MaxAge }
32.         $CurrentDate = (Get-Date).AddMonths(-$MaxAge).ToString("yyMM")
33.         # Grab version and convert to numerical format
34.         $Version = ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DisplayVersion).replace('H1', '05').replace('H2', '11')
35.     }
36.     $Diff = $Version - $CurrentDate
37.     if ($Diff -lt '0') {
38.         Write-Host "$OSname $Version is over $MaxAge months old, needs upgrading"`n
39.         Rmm-Alert -Category "Monitor - Windows Update" -Body "$OSname $Version is over $MaxAge months old, needs upgrading"
40.         exit 1
41.     } else {
42.         Close-Rmm-Alert -Category "Monitor - Windows Update"
43.     }
44. } else {
45.     Write-Host "This script only supports Windows 10/11, exiting..."
46. }
47.  
48. # Check for disabled services
49. $DisabledServices = Get-Service WUAUServ, BITS, CryptSvc, RPCSS, EventLog | Where-Object -Property 'StartType' -eq 'Disabled'
50. if ($DisabledServices) {
51.     "Disabled Services:"
52.     $DisabledServices
53.     Rmm-Alert -Category "Monitor - Windows Update" -Body "Disabled Services: $DisabledService"
54.     exit 1
55. } else {
56.     Close-Rmm-Alert -Category "Monitor - Windows Update"
57. }
58.  
59. # Check if recent updates are installed
60. $WindowsUpdateObject = New-Object -ComObject Microsoft.Update.AutoUpdate
61.  
62. $SearchSuccessDate = $WindowsUpdateObject.Results | Select-Object LastSearchSuccessDate
63. $SSDLastDate = ([datetime]$SearchSuccessDate.LastSearchSuccessDate).AddHours($Offset)
64. $SSDDays = (New-TimeSpan -Start $SSDLastDate -End (Get-Date) | Select-Object Days).Days
65. Write-Host 'Last Search Success:' $SSDLastDate "($SSDDays days ago)"`n
66.  
67. $InstallSuccessDate = $windowsUpdateObject.Results | Select-Object LastInstallationSuccessDate
68. $ISDLastDate = ([datetime]$InstallSuccessDate.LastInstallationSuccessDate).AddHours($Offset)
69. $ISDDays = (New-TimeSpan -Start $ISDLastDate -End (Get-Date) | Select-Object Days).Days
70. Write-Host 'Last Installation Success:' $ISDLastDate "($ISDDays days ago)"`n
71.  
72. $Searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
73. $HistoryCount = $Searcher.GetTotalHistoryCount()
74.  
75. if ($HistoryCount -gt 0) {
76.     $xx = $Searcher.QueryHistory(0, $HistoryCount) | Where-Object { $_.Operation -like 1 -and $_.ResultCode -match '[123]' } | Select-Object Title
77. }
78.  
79. if (!$xx) {
80.     Write-Output 'WARNING - No updates returned'
81.     Rmm-Alert -Category "Monitor - Windows Update" -Body "WARNING - No updates returned"
82. } else {
83.     $LastMonth = (Get-Date).AddMonths(-1).ToString("yyyy-MM")
84.     $ThisMonth = (Get-Date).ToString("yyyy-MM")
85.     $xx = $xx | Where-Object { $_ -match "($LastMonth|$ThisMonth) (Security Monthly Quality Rollup for Windows|Cumulative Update for Windows)" -or $_ -match "Feature update" }
86.     if (!$xx -and $ISDDays -gt $Recent) {
87.         Write-Output "WARNING - No recent rollup/cumulative/feature update detected"
88.         Write-Output "Last updates:"
89.         $xx | Select-Object -ExpandProperty Title -First 1
90.         Rmm-Alert -Category "Monitor - Windows Update" -Body "WARNING - No recent rollup/cumulative/feature update detected"
91.         exit 1
92.     } else {
93.         Write-Output "Recent rollup or cumulative update detected:"
94.         $xx | Select-Object -ExpandProperty Title -First 1
95.         Close-Rmm-Alert -Category "Monitor - Windows Update"
96.     }
97. }
98.  
99.