Windows Update Check for CheckMK

matthias1232 · November 8, 2024, 1:21pm

Hi CheckMK Community,

as part of our Community work, we are publishing our PowerShell written Windows Update Check now as Open Source Plugin for everyone.
It is completely new written and you can set all kind of warn and crit levels for your Windows Updates.
We have this Check Running since 2023 on all kind of Windows Systems, now feel free to use it too.
We tried to remove our OEM Branding for the end Users as good as possible.

Have fun!

Github Repo:

#Powered by K&P Computer - www.kpc.de

Available .mkp Package Releases:

CheckMK Exchange:

Windows Update Checks for CheckMK

Features:

Check for available Windows Updates (Important and Optional, intelligence updates will be shown under optional updates)
Checking for available Windows Updates sorted by Severity
Individual WARN/CRIT Level settings for each type of Updates (Mandatory, Critical, Important, Moderate, Low, Unspecified Severity)
Pending Reboot Check after Update Installation with WARN/CRIT Level Settings
CRIT Error if Update Search does not work for a while (Windows update not activated, WSUS Problem etc..)
Showing all available Updates in Detailed Summary
Check for Windows Update History. Shows the last time when this System installed an Windows Update and also the List of up to the last 80 installed updates in the summary details. (Intelligence Updates are excepted)
Warn/Crit level Settings if the System did not install any update during the last X days.
Included in Agent Rules for Agent bakery
No VBS Scripts anymore, only Powershell will be used
Tested with Windows 2012R2/2016/2019/2022

Added default Agent execution Settings for the Windows Agent Plugin (Agent Bakery):

Default cache interval of 3 Hours
Default asynchronous execution
Default execution timeout of 1 hour (long time needet for some older systems sometimes)

If you are not using the CheckMK agent bakery or if you are working with CheckMK Raw Edition, apply the following Settings to your check_cmk.user.yml

%ProgramData%\checkmk\agent\check_mk.user.yml

plugins:
    enabled: yes
    execution:
    - pattern     : '$CUSTOM_PLUGINS_PATH$\windows_updates_kpc.ps1'
      async       : yes
      run         : yes
      cache_age   : 3600
      timeout     : 3600

Screenshots:

gstolz · November 11, 2024, 8:38am

The file header currently states:

# Unauthorized copying of this file, via any medium is strictly prohibited
# Proprietary and confidential

do you want to change that to make this a proper release ?

matthias1232 · November 11, 2024, 8:42am

Yes, i changed it everywhere to GPL i guess…

Aurex · December 11, 2024, 1:06pm

Buenas,
¿Cómo puedo descargar el archivo powershell? Imagino que sin ese powershell, aunque instale y habite el mkp, no funcionará.
Gracias.

matthias1232 · January 15, 2025, 2:13pm

@Aurex, pardon, Sólo hablo un poco de español:

github.com

matthias1232/kpc_windows_updates/blob/main/local/share/check_mk/agents/windows/plugins/windows_updates_kpc.ps1

#This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the #License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU #General Public License for more details.
#
#You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# Written by Matthias Binder m.binder@kpc.de, July 2023
#
################################################################################################################
#
# Author: K&P Computer Service- und Vertriebs-GmbH
# Author: Matthias Binder
# License: GNU General Public License
# License Changed to GPL: 11/2024
#
# 
# For Support and Sales Please Contact K&P Computer!
#
# E-Mail: hds@kpc.de
#

This file has been truncated. show original

Aurex · January 16, 2025, 10:51am

Muchas gracias. Se agradece tu esfuerzo.

Ya lo tengo funcionando.

matthias1232 · May 6, 2025, 3:28pm

Exciting News: CheckMK 2.4 is Here!

Hi everyone,

The latest version of CheckMK—2.4—has officially arrived!

To keep up with this fresh update, I’ve migrated and uploaded the newest Windows Update check to GitHub. Before I push it to the CheckMK Exchange, I’d love for some extra testing to ensure everything runs smoothly.

If you’re already using the previous version, be sure to remove all existing rules and .mkp files before installing the updated plug-in. For newcomers, there’s no extra setup required—just install and go!

Best of all, everything now runs seamlessly with the new CheckMK API.

Check it out and give it a spin: Windows Update Plugin v1.0.4

Looking forward to your feedback!

hansjoerg6790 · May 13, 2025, 6:25am

Hi Matthias

everything seems fine except for this error in the agent configurations page:

Failed to render value:
True
Traceback (most recent call last):
File “/omd/sites/sitexxx/lib/python3/cmk/gui/cee/agent_bakery/_misc.py”, line 291, in _describe_agent_configuration
totext = rulespec.valuespec.value_to_html(value)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/omd/sites/sitexxx/lib/python3/cmk/gui/valuespec.py”, line 6725, in value_to_html
return self._valuespec.value_to_html(self.to_valuespec(value))
^^^^^^^^^^^^^^^^^^^^^^^^
File “/omd/sites/sitexxx/lib/python3/cmk/gui/utils/rule_specs/legacy_converter.py”, line 373, in _remove_agent_config_match_type_key
raise TypeError(value)
TypeError: True

Can you please check that?

matthias1232 · May 13, 2025, 6:47am

Hi @hansjoerg6790 ,

did you remove the rules and mkps from the old plugin before installing and configuring the new one?
I did not develop the “Rule Migration” from old api to new wato api, thats why it doesnt work out of the box, with just updating the Package.

hansjoerg6790 · May 13, 2025, 6:58am

Hi Matthias I did see that and removed the old rules and created the new ones.
Let me check for the agent rule and then I’ll let you know!

thanks for your work really appreciate it

hansjoerg6790 · May 13, 2025, 7:01am

still not working. should I try to bake the agents anyway and see what happens?

matthias1232 · May 13, 2025, 7:08am

Which CheckMK Version do you use and on which Step exactly does this issue occur? We already tested with some of our customers but for now i cannot replicate this issue on my system.

hansjoerg6790 · May 13, 2025, 7:36am

Hi Matthias
we use Checkmk Enterprise Edition 2.3.0p26

I get th error when going to
https://monitoring.xxx.xx/sitexxx/check_mk/wato.py?mode=agents

there I see above mentioned error.

matthias1232 · May 13, 2025, 11:46am

Hi @hansjoerg6790
this still looks like, that the agent rule was not deleted before changing the mkp and checkmk tries to migrate the rules.

I guess there is no way with the gui to fix that. Only solution would be to go back to the old version and check if you missed any rule to delete with the old plugin. With 2.3.0p26 both versions of the Windows Update check should work, so you can delete the new rules and packages and go back to the old one to check if you missed some rule to delete.

hansjoerg6790 · May 14, 2025, 6:34am

Hi Matthias!
I baked the agents no and the display error is gone!
thanks for your support!

Christian1 · August 19, 2025, 1:22pm

Hello,
i use checkmk 2.4.0P8 and installed 1.0.5 of this extension. There is no way to drop the windows_updates_kpc.ps1 to the client via bakery.
The rules are created.
or is it not compatible with the bakery?

matthias1232 · August 19, 2025, 1:39pm

Hi @Christian1
The Ruleset for the Bakery is “Windows Updates (Agent Plugin)”

after update from an old version to the new ones, you need to create each rule new (deleting and creating again, no cloning)
After that you should be able to bake the agent again.

I guess the rule migration is just some code, but could not implement this correctly until now.
The issue is here:

github.com/matthias1232/kpc_windows_updates

KPC Windows Updates 1.0.4+not migrating rulesets from old to new ones.

opened 10:28AM - 11 Jul 25 UTC

KSJakobsen

enhancement help wanted

Hi, after installing and enabling the extension Package i got the following er…ror: Extension package installed, but ruleset migration failed. You can disable this mkp and see the complete error message running this command on the command line: 'cmk-migrate-extension-rulesets --log-level DEBUG KPC-Windows-Updates' when i ran the cmk-migrate-extension-rulesets command ig got the following output: cmk-migrate-extension-rulesets --log-level DEBUG KPC-Windows-Updates Migrating rulesets for mkps: ['KPC-Windows-Updates'] Skipping kpc_windows_updates/agent_based/windows_lastupdateinstalldate_kpc Skipping kpc_windows_updates/agent_based/windows_updates_kpc Discovered rule sets in enabled extensions: {'checkgroup_parameters:windows_updates_kpc_windows_lastupdateinstalldate', 'checkgroup_parameters:windows_updates_kpc_windows_updates', 'agent_config:windows_updates_kpc'} Traceback (most recent call last): File "/omd/sites/gpsol_test/bin/cmk-migrate-extension-rulesets", line 218, in <module> sys.exit(migrate_extension_rulesets(arguments)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/bin/cmk-migrate-extension-rulesets", line 209, in migrate_extension_rulesets _load_and_transform_rulesets(affected_ruleset_names) File "/omd/sites/gpsol_test/bin/cmk-migrate-extension-rulesets", line 178, in _load_and_transform_rulesets transformed_rulesets = transform_wato_rulesets_params( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/update_config/plugins/lib/rulesets.py", line 224, in transform_wato_rulesets_params rule.value = valuespec.transform_value(rule.value) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/gui/watolib/rulespecs.py", line 1439, in transform_value return self._get_used_valuespec(value).transform_value(value) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/gui/valuespec/definitions.py", line 6704, in transform_value return self.from_valuespec(self._valuespec.transform_value(self.to_valuespec(value))) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/gui/valuespec/definitions.py", line 6410, in transform_value param: vs.transform_value(value[param]) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/gui/valuespec/definitions.py", line 6704, in transform_value return self.from_valuespec(self._valuespec.transform_value(self.to_valuespec(value))) ^^^^^^^^^^^^^^^^^^^^^^^^ File "/omd/sites/gpsol_test/lib/python3/cmk/gui/utils/rule_specs/legacy_converter.py", line 2003, in _transform_levels_forth raise ValueError(value) ValueError: (2, 5, 'Enabled')

But if you create each rule again and bake the agents, everything should be working fine. After creating rules, you should not notice anything about it for any future update. The problem is just the migration of the rulesets from old to new checkmk api.

Christian1 · August 20, 2025, 6:06am

This morning i did it again.
i delete windows update history rule, windows update service rule and agent rule.
apply changes
bake agents
disable and remove plugin
apply changes

now the fresh installation:
upload and enable the plugin
apply changes
create service rule for windows update, update history and agent plugin
apply changes
bake agents
the server got the agent update but there is no powershell script in plugin folder.

what am I forgetting?

matthias1232 · November 25, 2025, 1:07pm

@Christian1 i noticed some problem with the mkp package itself. I didnt find the bug for a while and now i just created the .mkp again with the lastest checkmk version and now the Powershell Script will be applied again to the agent with the bakery.

New Package 1.0.6 is uploaded now on github and checkmk exchange and will be available after approval.

Sorry for the long delay, I’ve had very limited resources lately to take care of my open source projects.
It looks like there was indeed an issue with version 1.0.5 where the agent was missing in the Bakery. During troubleshooting I found that the code itself seemed fine.
Release Release 1.0.6 · matthias1232/kpc_windows_updates · GitHub
I’ve now created a new .mkp package with the exact same code but built against a newer CheckMK version.
I just tested the package with 2.4.0p16, and both the PowerShell script and the user config YAML are correctly included again.
After the agent update, the following files should be present:

- C:\ProgramData\checkmk\agent\plugins\windows_updates_kpc.ps1
- C:\ProgramData\checkmk\agent\bakery\check_mk.bakery.yml

The YAML file should contain:

plugins:
  enabled: true
  execution:
  - async: true
    cache_age: 10800
    pattern: $CUSTOM_PLUGINS_PATH$\windows_updates_kpc.ps1
    timeout: 3600

Best regards,