Extract Windows Update events and display them in the Activity Log for patch tracking
This Automox Worklet™ queries the Windows System and Application event logs to extract Update-related events and automatically displays them in the Activity Log. The Worklet searches for specific event IDs that correspond to update operations such as successful installations, failed updates, required reboots, and initiated installations.
The Worklet evaluates the specified time window (configurable by day count) and pulls all matching events. Common event IDs tracked include ID 19 for successful updates, ID 20 for failed installations, ID 21 for pending reboots, and ID 43 for update initiation. Administrators can customize which event IDs to monitor by editing the Worklet variables.
Windows Update failures occur silently on endpoints, leaving security gaps undetected. Patches fail due to disk space issues, interrupted installations, or dependency conflicts, but without centralized event monitoring, IT teams remain unaware until vulnerabilities are exploited. Manually checking Event Viewer on hundreds of endpoints is impractical, and organizations lack visibility into which systems are pending reboots to complete patch installation. This blind spot creates compliance risks and extends the window attackers have to exploit known vulnerabilities.
The Worklet centralizes update history directly in Automox, eliminating the need for manual Event Viewer inspection on hundreds of endpoints. This visibility helps you verify that critical security patches are being applied across your fleet, troubleshoot update-related system issues, and meet compliance audits that require proof of patching.
Evaluation phase: The Worklet checks for the presence of Windows Update events in the System and Application logs. On each scheduled evaluation, it always flags the endpoint for remediation, so that the remediation script runs and collects events.
Remediation phase: The Worklet queries the System and Application event logs using Get-WinEvent with a configurable time span. It filters for specified event IDs (default: 12, 13, 19, 21, 43, 1074, 1040, 1033) and outputs the results formatted with timestamp, event ID, and message details to the Activity Log.
Windows 7 or later (all supported Windows client and server versions)
PowerShell 2.0 or later (native to Windows 7+)
Local administrator privileges to read System and Application event logs
Configure $systemEventIDs variable with desired event IDs to monitor (comma-separated)
Configure $daysOflogs variable to control lookback period (default: 1 day)
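The remediation query described above, sketched as an added example (this is not Automox's Worklet code). $systemEventIDs and $daysOflogs are the page's variables; the function name Get-UpdateEvents and the output columns are assumptions of this example. It treats "no matching events" as an empty result but lets other errors, such as access denied, surface instead of being swallowed.

```powershell
# Added example, not the Worklet's own script.
$systemEventIDs = 12, 13, 19, 21, 43, 1074, 1040, 1033   # default list from the page
$daysOflogs     = 1                                      # lookback period in days

function Get-UpdateEvents {   # hypothetical helper name
    param([int[]]$EventIDs, [int]$Days)

    # Start of the lookback window: now minus the configured number of days.
    $startTime = (Get-Date) - (New-TimeSpan -Days $Days)
    $filter = @{
        LogName   = 'System', 'Application'
        Id        = $EventIDs
        StartTime = $startTime
    }

    $events = @()
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent raises an error when nothing matches; only that case is
        # treated as "empty". Anything else (e.g. access denied) is rethrown.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }

    # Event IDs are only unique per provider, so keep ProviderName beside the ID
    # to tell Windows Update entries apart from unrelated events sharing an ID.
    $columns = @(
        @{ Name = 'Time';     Expression = { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') } },
        @{ Name = 'Id';       Expression = { $_.Id } },
        @{ Name = 'Log';      Expression = { $_.LogName } },
        @{ Name = 'Provider'; Expression = { $_.ProviderName } },
        @{ Name = 'Message';  Expression = { $_.Message } }
    )
    $events | Sort-Object TimeCreated | Select-Object $columns
}

$rows = @(Get-UpdateEvents -EventIDs $systemEventIDs -Days $daysOflogs)
if ($rows.Count -eq 0) {
    Write-Output "No matching events in the last $daysOflogs day(s)."
} else {
    $rows | Format-Table -AutoSize -Wrap | Out-String -Width 200 | Write-Output
}
exit 0
```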
After the Worklet completes, the Automox Activity Log displays a comprehensive update event history without requiring remote access to the endpoint. You see a formatted table listing all matching Windows Update events from the specified lookback period, with each entry showing the exact timestamp (e.g., "2024-01-15 14:32:17"), the specific event ID (e.g., "19" for successful install, "20" for failure, "21" for pending reboot), and the complete event message text extracted from the Windows System or Application logs. For example, Event ID 19 displays messages like "Installation Successful: Windows successfully installed the following update: Security Update for Windows (KB5034441)", while Event ID 20 shows failure details including error codes. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.
Use this data to verify successful patches, identify failed update attempts, detect systems requiring reboots, and troubleshoot patching issues. You can then adjust the $systemEventIDs and $daysOflogs variables as needed to focus on specific event types or longer historical periods for compliance reporting.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for "Get Windows Update Events".
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.
Validate remediation effects from script operations such as Get-Date, New-TimeSpan, Get-WinEvent, then rerun evaluation for compliance.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
