
Windows Update configurations required for patch management checks

Nanitor Patch Management requires Windows Update to be enabled on Windows endpoints; without it, missing security patches cannot be reported correctly.

Check the DisableWindowsUpdateAccess value of the registry key:

HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
and ensure it is either 0 or not configured.

If you use a third-party patching solution rather than Windows Update or WSUS, we recommend setting the NoAutoUpdate value of

HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
to 1. This turns automatic updates off so that Windows Update does not interfere with the patching tool, while Windows Update access itself stays enabled for the patch checks.

If your machines are locked down or you are concerned about internet traffic, you may need to set up a WSUS server that the desktops can reach for patch checks.

How do I check my Windows Update configuration?

In PowerShell (or a command prompt), run

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
and check that DisableWindowsUpdateAccess is not set to 1 in the output. If it is set to 1, Nanitor will not report missing patches on those devices.
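The same check as a PowerShell script, added here as an example (it is not Nanitor's own code). It reads the two policy values named above with Get-ItemProperty, treats a missing key or value as "not configured", and prints whether the configuration allows missing-patch reporting; the function and variable names are the example's own.

```powershell
# Added example: evaluate the Windows Update policy values this page describes.
# Not part of the Nanitor product; function names are chosen for this example.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (i.e. "not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WindowsUpdatePolicy {
    $disableAccess = Get-PolicyValue -Path $WuPolicyKey -Name 'DisableWindowsUpdateAccess'
    $noAutoUpdate  = Get-PolicyValue -Path $AuPolicyKey -Name 'NoAutoUpdate'

    # DisableWindowsUpdateAccess must be 0 or absent; a value of 1 blocks missing-patch reporting.
    if ($disableAccess -eq 1) {
        Write-Warning 'DisableWindowsUpdateAccess = 1: Windows Update access is disabled; missing patches will not be reported.'
        $accessOk = $false
    } else {
        $shown = if ($null -eq $disableAccess) { 'not configured' } else { $disableAccess }
        Write-Output "DisableWindowsUpdateAccess = $shown : OK"
        $accessOk = $true
    }

    # NoAutoUpdate = 1 is the recommended setting when a third-party tool applies the patches.
    if ($noAutoUpdate -eq 1) {
        Write-Output 'NoAutoUpdate = 1: automatic updates are off (expected with a third-party patching tool).'
    } elseif ($null -eq $noAutoUpdate) {
        Write-Output 'NoAutoUpdate not configured: automatic updates follow the Windows default.'
    } else {
        Write-Output "NoAutoUpdate = $noAutoUpdate : automatic updates are enabled."
    }

    # Return a simple object so the result can be consumed by other scripts or remoting.
    return [pscustomobject]@{
        DisableWindowsUpdateAccess = $disableAccess
        NoAutoUpdate               = $noAutoUpdate
        PatchChecksPossible        = $accessOk
    }
}

Test-WindowsUpdatePolicy
```

Run it in an elevated PowerShell session on the endpoint; reading these policy values does not normally require elevation, but running the script from the same session you would use for reg query keeps the results comparable. Because the function returns an object, the same check can be run across many machines with Invoke-Command and the PatchChecksPossible field filtered on.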

To learn more about those configurations, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings

How can I use WSUS?

WSUS can be used instead of Windows Update. This may be desired when devices are firewalled and cannot connect to the internet, when compliance requirements call for it, or to reduce network traffic. WSUS is then installed and maintained on an internal Windows server that the devices can reach.

On Windows endpoints this configuration is held in the WUServer and WUStatusServer values of the WindowsUpdate registry key discussed above.

They should both be set to the same value and should point to the WSUS server HTTP URL. The device should be able to access this URL.
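An added example (not Nanitor's own code) that verifies the two WSUS properties just described: it reads WUServer and WUStatusServer, confirms they match, and tests that the endpoint can open a TCP connection to the host and port in the URL using Test-NetConnection. It also reads the UseWUServer value under the AU key, which this page does not mention but which Windows requires to be 1 before WUServer takes effect. The function name is the example's own.

```powershell
# Added example: verify the WSUS configuration on a Windows endpoint.
# Not part of the Nanitor product; the function name is chosen for this example.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

function Test-WsusConfiguration {
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue

    $wuServer     = $wu.WUServer
    $wuStatus     = $wu.WUStatusServer
    $useWuServer  = $au.UseWUServer   # must be 1 for WUServer to be honoured (not covered on this page)

    if ([string]::IsNullOrEmpty($wuServer)) {
        Write-Output 'WUServer is not set: this device uses Windows Update directly, not WSUS.'
        return [pscustomobject]@{ UsesWsus = $false; Reachable = $null; Consistent = $null }
    }

    # Both values should point at the same WSUS HTTP(S) URL.
    $consistent = ($wuServer -eq $wuStatus)
    if (-not $consistent) {
        Write-Warning "WUServer ($wuServer) and WUStatusServer ($wuStatus) differ; they should be identical."
    }
    if ($useWuServer -ne 1) {
        Write-Warning "UseWUServer is '$useWuServer' (expected 1); Windows will ignore WUServer until it is 1."
    }

    # Parse the URL so the port is derived from the scheme (80/443) when none is given explicitly.
    $uri = [System.Uri]$wuServer
    $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        Write-Output "WSUS server $($uri.Host):$($uri.Port) is reachable."
    } else {
        Write-Warning "Cannot reach WSUS server $($uri.Host):$($uri.Port); patch checks will fail on this device."
    }

    return [pscustomobject]@{
        UsesWsus    = $true
        WUServer    = $wuServer
        Consistent  = $consistent
        UseWUServer = $useWuServer
        Reachable   = $probe.TcpTestSucceeded
    }
}

Test-WsusConfiguration
```

A TCP connection succeeding only shows that the host and port are open; it does not prove the WSUS service is healthy or that the device is approved for updates there, so treat a failed probe as a firewall or DNS problem to investigate and a successful one as a necessary but not sufficient condition.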

SCCM support

When SCCM is used, the patch-checking mechanism is different. SCCM runs its own WSUS server, and the normal Windows Update functionality is turned off on the clients. In that case Nanitor collects patch information from the SCCM client and reports on that, so the two work together correctly.