Search Exchange
Search All Sites
Nagios Live Webinars
Let our experts show you how Nagios can help your organization.Login
Directory Tree
Check Windows Updates using Powershell
Checks:
- how many critical and optional updates are available
- whether the system is waiting for reboot after installed updates
Features:
- properly handles NRPE's 1024b limitation in return packet
- hidden updates return OK state
- Performance data in return packet shows titles of available critical updates
- caches updates in file to reduce network traffic, also dramatically increases script execution speed
Return Values for NRPE:
- No updates available - OK (0)
- Hidden Updates only - OK (0)
- Updates already installed, reboot required - WARNING (1)
- Optional updates available - WARNING (1)
- Critial updates available - CRITICAL (2)
- Script errors - UNKNOWN (3)
Installation Guide for NSClient++:
- copy check_windows_updates.ps1 to NSCLient++scripts
- open up a Powershell as an admin and set the execution policy:
Set-ExecutionPolicy remotesigned
- edit NSC.ini, add row (without quotation marks):
"check_updates=cmd /c echo scriptscheck_windows_updates.ps1; exit $LastExitCode | powershell.exe -command -"
- restart service NSClient++
- done
Now you can easily check for windows updates using nagios nrpe-check:
define service {
service_description WIN-UPDATES
use generic-service
check_command check_nrpe_wu!check_updates
hostgroup_name multiple-windows-servers
host_name single-windows-server
}
It could possibly happen that the script is unable to finish within the default plugin timeout of 10 seconds. To avoid this I recommend setting an extended timeout in the command definition:
define command {
command_name check_nrpe_wu
command_line /usr/lib64/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -t 60 -p 5666 -c $ARG1$
}
IMPORTANT:
Please make absolutely sure that your Powershell ExecutionPolicy is set to Remotesigned.
Also note that there are two versions of powershell on a 64bit OS! Depending on the architecture of your NSClient++ version you have to choose the right one:
- 64bit NSClient++ (installed under C:Program Files ):
%SystemRoot%SysWOW64WindowsPowerShellv1.0powershell.exe "Set-ExecutionPolicy RemoteSigned"
- 32bit NSClient++ (installed under C:Program Files (x86) ):
SystemRoot%syswow64WindowsPowerShellv1.0powershell.exe "Set-ExecutionPolicy RemoteSigned"
- properly handles NRPE's 1024b limitation in return packet
- hidden updates return OK state
- Performance data in return packet shows titles of available critical updates
- caches updates in file to reduce network traffic, also dramatically increases script execution speed
Return Values for NRPE:
- No updates available - OK (0)
- Hidden Updates only - OK (0)
- Updates already installed, reboot required - WARNING (1)
- Optional updates available - WARNING (1)
- Critial updates available - CRITICAL (2)
- Script errors - UNKNOWN (3)
Installation Guide for NSClient++:
- copy check_windows_updates.ps1 to NSCLient++scripts
- open up a Powershell as an admin and set the execution policy:
Set-ExecutionPolicy remotesigned
- edit NSC.ini, add row (without quotation marks):
"check_updates=cmd /c echo scriptscheck_windows_updates.ps1; exit $LastExitCode | powershell.exe -command -"
- restart service NSClient++
- done
Now you can easily check for windows updates using nagios nrpe-check:
define service {
service_description WIN-UPDATES
use generic-service
check_command check_nrpe_wu!check_updates
hostgroup_name multiple-windows-servers
host_name single-windows-server
}
It could possibly happen that the script is unable to finish within the default plugin timeout of 10 seconds. To avoid this I recommend setting an extended timeout in the command definition:
define command {
command_name check_nrpe_wu
command_line /usr/lib64/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -t 60 -p 5666 -c $ARG1$
}
IMPORTANT:
Please make absolutely sure that your Powershell ExecutionPolicy is set to Remotesigned.
Also note that there are two versions of powershell on a 64bit OS! Depending on the architecture of your NSClient++ version you have to choose the right one:
- 64bit NSClient++ (installed under C:Program Files ):
%SystemRoot%SysWOW64WindowsPowerShellv1.0powershell.exe "Set-ExecutionPolicy RemoteSigned"
- 32bit NSClient++ (installed under C:Program Files (x86) ):
SystemRoot%syswow64WindowsPowerShellv1.0powershell.exe "Set-ExecutionPolicy RemoteSigned"
Reviews (19)
bySylvie, March 2, 2020
I have the problem, that the script tell me there is 1 optional update. When I check Windows Updates there ar no updates needed.
This error is on different OS from Win Srv 2012, 2016 and 2019.
Some servers show it right, some wrong.
An other problem is, that sometimes it takes 24h until the status is shown that all is ok.
It is not a nagios problem, the wrong status is also when I run teh script local.
Has anybody an idea?
This error is on different OS from Win Srv 2012, 2016 and 2019.
Some servers show it right, some wrong.
An other problem is, that sometimes it takes 24h until the status is shown that all is ok.
It is not a nagios problem, the wrong status is also when I run teh script local.
Has anybody an idea?
byzamorag, September 26, 2019
I've had a few problems to monitorized this event with nagios and grafana because script didn't show well performance data, just critical output. So I changed some lines into powershell script:
Lines 148 to 154
"if ($returnString.length -gt 976) {
$estado=$countCritical+$countOptional+$countHidden
Write-Host ($returnString.SubString(0,975) +
"|critical=$countCritical optional=$countOptional
hidden=$countHidden state=$estado")
} else {
$estado=$countCritical+$countOptional+$countHidden
Write-Host ($returnString + "|critical=$countCritical
optional=$countOptional hidden=$countHidden
state=$estado ")
}
Now it works perfect!
Thanks and regards
Lines 148 to 154
"if ($returnString.length -gt 976) {
$estado=$countCritical+$countOptional+$countHidden
Write-Host ($returnString.SubString(0,975) +
"|critical=$countCritical optional=$countOptional
hidden=$countHidden state=$estado")
} else {
$estado=$countCritical+$countOptional+$countHidden
Write-Host ($returnString + "|critical=$countCritical
optional=$countOptional hidden=$countHidden
state=$estado ")
}
Now it works perfect!
Thanks and regards
bybhil923, August 17, 2017
I've tried a few different windows update checkers and constantly had issues with timeouts and such. I set this up and worked right away, and was fairly quick. I made one small mod (im not a programer at all).
Changed: $returnStateOptionalUpdates = $returnStateOK $returnStateWarning
To: $returnStateOptionalUpdates = $returnStateOK
I don't care to be warned for the Optional updates so this works for me.
Cyber_Saiyan, If you are still having issues running it, you do need to do modifications to your server running Nagios. You simply need to add the service to the config file (mine is in what i think was a default file windows.cfg, but you can add it to which one you'd like) The line is listed in the authors notes above. You also need the command for NRPE in the commands.cfg file as well (listed in the authors notes as well).
Changed: $returnStateOptionalUpdates = $returnStateOK $returnStateWarning
To: $returnStateOptionalUpdates = $returnStateOK
I don't care to be warned for the Optional updates so this works for me.
Cyber_Saiyan, If you are still having issues running it, you do need to do modifications to your server running Nagios. You simply need to add the service to the config file (mine is in what i think was a default file windows.cfg, but you can add it to which one you'd like) The line is listed in the authors notes above. You also need the command for NRPE in the commands.cfg file as well (listed in the authors notes as well).
byCyber_Saiyan, April 17, 2017
Can anyone help get this running? I have followed the instructions and updated the INI file on the windows server, recycled the service and placed the script in the SCRIPTS folder on the windows machine. What am I missing from here? It seems that I need to add something to my Ubuntu server but I am lost.
byt.brandt, September 29, 2016
Hi together,
I searched many days until I found this great script.
It works, of course.
But after I updated the Win2008R2 Server, the status is already warning. It shows, that 1 optional update ist outstanding.
I rebooted the server and lokked again after updates. Nothing therer. How can this be? :( Any idea?
Thanks in advance,
Timo
I searched many days until I found this great script.
It works, of course.
But after I updated the Win2008R2 Server, the status is already warning. It shows, that 1 optional update ist outstanding.
I rebooted the server and lokked again after updates. Nothing therer. How can this be? :( Any idea?
Thanks in advance,
Timo
byypid, September 8, 2016
Check_MK ships a [VBS plugin](https://github.com/ypid-bot/check_mk/blob/master/agents/windows/plugins/windows_updates.vbs) which was quite tricky to setup and was not reliable for me so I adopted this PowerShell script to make it a drop-in replacement for [windows_updates.vbs](https://github.com/ypid-bot/check_mk/blob/master/agents/windows/plugins/windows_updates.vbs).
https://github.com/ypid-bot/check_mk/pull/7
https://github.com/ypid/check_mk/blob/feature/windows_updates.ps1/agents/windows/plugins/windows_updates.ps1
https://github.com/ypid-bot/check_mk/pull/7
https://github.com/ypid/check_mk/blob/feature/windows_updates.ps1/agents/windows/plugins/windows_updates.ps1
byFractalSystems, December 3, 2015
I had a similar issue running cmd /c echo on a .wsf when the example showed using Nsclient, but I was able to get it to work. I'm not so lucky with this powershell one.
Anyone know how to define the command in nrpe.cfg using winrpe?
I've tried many variations. From the local machine, I can get an output like: "Updates: 0 critical, 1 optional" but getting Unable to read plugin output from the Nagios side. :( Any help is appreciated.
Anyone know how to define the command in nrpe.cfg using winrpe?
I've tried many variations. From the local machine, I can get an output like: "Updates: 0 critical, 1 optional" but getting Unable to read plugin output from the Nagios side. :( Any help is appreciated.
bypetr0s, October 23, 2015
Hi all,
i need some help. The NSclient version is 0.4.3.143 and im getting Unknown command. Can anyone help me to overcome this issue please?
Best regards,
Peter
i need some help. The NSclient version is 0.4.3.143 and im getting Unknown command. Can anyone help me to overcome this issue please?
Best regards,
Peter
byshades4321, October 18, 2015
The script does a good job, I'm not quite sure if this is the latest version of the script, but I noted a minor bug and some improvements that could be added.
1. Bug:
$critialTitles = "";
should read:
$criticalTitles = "";
The script works anyway despite the error.
2. Putting newlines into update string:
$criticalTitles += $update.Title + " "
Changed to:
$criticalTitles += $update.Title + " `n"
3. These 3 lines are used twice in if statements and ideally would be in a function, just for neatness and brevity.
$updateSession = new-object -com "Microsoft.Update.Session"
$updates=$updateSession.CreateupdateSearcher().Search(("IsInstalled=0 and Type='Software'")).Updates
Export-Clixml -InputObject $updates -Encoding UTF8 -Path $updateCacheFile
Otherwise script works quite nicely.
1. Bug:
$critialTitles = "";
should read:
$criticalTitles = "";
The script works anyway despite the error.
2. Putting newlines into update string:
$criticalTitles += $update.Title + " "
Changed to:
$criticalTitles += $update.Title + " `n"
3. These 3 lines are used twice in if statements and ideally would be in a function, just for neatness and brevity.
$updateSession = new-object -com "Microsoft.Update.Session"
$updates=$updateSession.CreateupdateSearcher().Search(("IsInstalled=0 and Type='Software'")).Updates
Export-Clixml -InputObject $updates -Encoding UTF8 -Path $updateCacheFile
Otherwise script works quite nicely.
bydidi, September 26, 2015
Check approves only for Windows Updates.
It's possible to check also for Office, SQL, Exchange, Sharepoint ... Updates?
It's possible to check also for Office, SQL, Exchange, Sharepoint ... Updates?
bySoccan, July 29, 2015
This is really a great and smooth running script, only adjusted the $returnStateOptionalUpdates parameter and then deployed it by Puppet to our windows boxes.
A thought thou, obviously Microsoft decided to list updates according to "Important" and "Optional", maybe one should let this script class updates in the same manor. I for example had a machine reporting 15 critical ant 18 optional by the script, in the Windows update GUI all 33 were listed as Important... I guess there is a XML attribute there somewhere telling what is important and not, trying to look into that myself for the moment...
A thought thou, obviously Microsoft decided to list updates according to "Important" and "Optional", maybe one should let this script class updates in the same manor. I for example had a machine reporting 15 critical ant 18 optional by the script, in the Windows update GUI all 33 were listed as Important... I guess there is a XML attribute there somewhere telling what is important and not, trying to look into that myself for the moment...
bySpik31, October 21, 2014
Plugin works well using NRPE, make sure you have your command definitions set correctly! My NRPE check wouldn't like the arguments and power-shell takes a little while to resolve so make sure you set your time-out to 30 seconds!
byBlue17, October 9, 2014
For those who have NSClient 0.4.1 +
1) Place check_windows_updates.ps1 in NSclient "scripts" folder
Copy these lines in nsclient.ini :
[/settings/external scripts/scripts]
check_updates = cmd /c echo scripts\check_windows_updates.ps1; exit($LastExitCode) | powershell.exe -command -
2) In nagios put your command line like this :
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_updates
Hope this could help someone.
1) Place check_windows_updates.ps1 in NSclient "scripts" folder
Copy these lines in nsclient.ini :
[/settings/external scripts/scripts]
check_updates = cmd /c echo scripts\check_windows_updates.ps1; exit($LastExitCode) | powershell.exe -command -
2) In nagios put your command line like this :
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_updates
Hope this could help someone.
byclarkseth, February 11, 2014
I've try this nagios plugin by local prompt, and it works fine, but if i implement it by nrpe.cfg it doesn't work:
I have this error:
'-' was specified with the -Command parameter: no other arguments to -Command are permitted.
Exit 0
I Don't understand why, it's declared correctly
command[check_win_upd]=cmd /c echo C:\nrpe\libexec\check_windows_updates.ps1 "$ARG1$"; exit $LastExitCode | powershell.exe -command -
It's very strange
I have this error:
'-' was specified with the -Command parameter: no other arguments to -Command are permitted.
Exit 0
I Don't understand why, it's declared correctly
command[check_win_upd]=cmd /c echo C:\nrpe\libexec\check_windows_updates.ps1 "$ARG1$"; exit $LastExitCode | powershell.exe -command -
It's very strange
I run this on my serer from powershell and it seems to run fine but when run ./check_nrpe -H sos-srv-dev -c check_updates!
from my nagios server i get no output back
from my nagios server i get no output back
What are those instructions?
byjbwaclawski, December 16, 2011
I don't quite have this working yet; I'm running into a bit of a snare. This may sound like a silly question, but I'm new to all of this so I'll ask.
I have NSClient++ installed on the server I'm testing this on and everything else I've thrown at it works. I don't have NRPE installed though because I'm trying to avoid that if possible because I don't want to have to A) Run around installing it on every server if I don't have to, B) Punch anymore holes in my firewall. I read that this works with NSClient++/NRPE, and I followed all the steps, but it's not really working. I get this error when I try to use it in Icinga:
## Error: Service check command 'check_nrpe' not defined anywhere!
Ideas?
I have NSClient++ installed on the server I'm testing this on and everything else I've thrown at it works. I don't have NRPE installed though because I'm trying to avoid that if possible because I don't want to have to A) Run around installing it on every server if I don't have to, B) Punch anymore holes in my firewall. I read that this works with NSClient++/NRPE, and I followed all the steps, but it's not really working. I get this error when I try to use it in Icinga:
## Error: Service check command 'check_nrpe' not defined anywhere!
Ideas?
Owner's reply
did you edit NSC.ini according to the instructions above?
Just created an account to thank you for this fine script!
The other review solved the original text bugs in the description, after that all worked fine!
The other review solved the original text bugs in the description, after that all worked fine!
Owner's reply
Thank you, origianl text bugs are fixed now...
You need Powershell 2.0 for Windows 2003 server else 'start-process' fails in execution.
Once Powershell is installed, you also need to right-click the .ps1 file, click properties, and unblock it.
24/10 - error in command path in install instructions! should read:
"check_updates=cmd /c echo scripts\check_windows_updates.ps1; exit $LastExitCode | powershell.exe -command -"
... Oh, review: Does exactly what it says on the tin!
I changed the script to return OK for Optional Updates - just change 'warn' to 'ok' on line 110 -- you might want to do this before unblocking it to avoid permission issues afterwards!
Once Powershell is installed, you also need to right-click the .ps1 file, click properties, and unblock it.
24/10 - error in command path in install instructions! should read:
"check_updates=cmd /c echo scripts\check_windows_updates.ps1; exit $LastExitCode | powershell.exe -command -"
... Oh, review: Does exactly what it says on the tin!
I changed the script to return OK for Optional Updates - just change 'warn' to 'ok' on line 110 -- you might want to do this before unblocking it to avoid permission issues afterwards!