Support Center > Search Results > SecureKnowledge Details
Microsoft WSUS support in Compliance blade Technical Level


Supported Versions

Client: E83.20 and above
Server: All


    This feature provides integration of Windows Updates checking into Endpoint Security Client Compliance Blade.
    On-premise WSUS and cloud Windows updates server are supported.
    Compliance Blade verifies presence of non-installed Windows updates. If there are non-installed updates whose "released date" are older then configured value – machine will be marked as non-compliant.

    How to use

    Using Registry (Compliance)

    1. Open policy configuration tool on "Smart Endpoint"
    2. Open Compliance policy
    3. Find "Latest Service Packs Installed" policy option, click on it and select "Clone Action"
    4. Set name of cloned policy. "WSUS check" for example
    5. Set comment. "WSUS check" for example
    6. Delete all rules
    7. Create a new rule and name it. "WSUS" for example.
    8. Create a new check
      1. Set check name. "WSUS_Check" for example.
      2. Choose arbitrary "Operating system"
      3. Set "Registry key" field
        Key should be in format:  wsus_check_<updates grace period in days>. Example: "wsus_check_35"
      4. Set "Registry value" field
        Value should be in format: wsus_check_<updates grace period in days>. Example: "wsus_check_35"
        Note: Number should be the same as in previous field

    9. Add check into Rule

    10. Save everything and deploy the policy to the EPS client
    *Notes -
    1. The feature can be added to client version lower then E83.20.
      For more information please Contact Check Point Support to get a Hotfixed package with this feature.
      A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

    2. The WSUS integration with Compliance blade is scanning for machine drivers and OS update.
      In order to get a custom package that scanning only one of the components (Drivers or OS updates) please raise a new service request.

    Separating the WSUS API component scan

    From version E84.40, a new feature was added to the Compliance WSUS check.
    In general, when the WSUS check is configured in the Compliance blade, it will automatically check if there are missing updates for the machine Drivers, and for the OS.

    You can separate the WSUS scan process to scan only one component by following the steps:

    1. Open SmartEndpoint -> Compliance policy ->  WSUS configuration
    2. Double-click the 'WSUS_Check' rule
    3. At the same line, where are you adding the 'wsus_check_<days number>', type blank space and add the options below as per your request:
      • type_software - will scan only for Windows missing packages
      • type_driver - Will scan for the machines drivers updates
    4. Install policy
    In fact, the new configuration should look like the screenshot below:

    *Notes -
    1. A blank space must to added between 'wsus_check_51' and 'type_software' - 'wsus_check_35 type_software'
    2. If non of the options were added, the WSUS API will automatically check for both OS and Drivers updates.

    Give us Feedback
    Please rate this document