Use Proactive remediations to report on or install the Microsoft Update Health tools

Microsoft recently made a download available for their Update Health tools. If you're using Microsoft Endpoint Manager and enrolling or co-managing Windows devices, these tools need to be installed before a device can make use of the capability for expediting quality updates.

For devices connected to Windows Update or Windows Update for Business these tools should already be installed, but in some cases they aren't, and those devices can't have updates expedited.

If the tools aren't installed, MS would like some feedback so they can figure out why. But since they made the tools available for download, we also have the option to deploy them manually if desired. That is something you might want to do when migrating from another software update solution such as MEMCM to MEM / WUfB, for example: pre-deploy the tools so the expedite feature is ready to use right away.

I created some scripts that can be used with Proactive remediations: the detection script reports whether the Update Health tools are installed, and optionally you can use the remediation script to download and install the tools if they are missing, without needing to package them as an app.

Devices with the tools installed will report the tools version and install date in the Pre-remediation detection output. Devices where the tools are missing will report “Update tools not installed” and if remediated will show the same tools info in the Post-remediation detection output.

I'd suggest running this as a one-time deployment when you need it rather than repeatedly on a schedule.

MEMCM Compliance Item Scripts to Secure PointAndPrint Registry Keys

Microsoft published some updated guidance yesterday for the Windows Print Spooler vulnerability (CVE-2021-34527) and recommends securing a couple of Point and Print registry keys if they exist, in addition to deploying the security update:

  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
  • If the registry keys documented do not exist, no further action is required
  • If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

I published detection and remediation scripts here which can be used with a compliance item in Microsoft Endpoint Configuration Manager to check whether these keys exist and set them to the recommended values if they do. You could also adapt them to run as Proactive remediation scripts in Microsoft Endpoint Manager if that's your tool.
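As an added illustration (not the scripts linked above), the following PowerShell shows the shape such a compliance item takes: the detection function flags only values that exist and are non-zero, and the remediation function sets just those values to 0 without ever creating the key. The key path and value names are the ones from the advisory; the function names are my own.

```powershell
# Added example, not the post's published scripts. Checks the Point and Print
# values named in the CVE-2021-34527 guidance: each must be 0 or not defined.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Values  = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintFindings {
    # Returns the names of values that exist under the key and are not 0.
    # An absent key or absent value is the default (secure) state, so it is
    # not a finding. Run in a 64-bit host so HKLM:\SOFTWARE is not redirected.
    $findings = @()
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $findings }
    $item = Get-ItemProperty -LiteralPath $KeyPath
    foreach ($name in $Values) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -ne $prop -and [int]$prop.Value -ne 0) {
            $findings += $name
        }
    }
    return $findings
}

function Test-PointAndPrintCompliance {
    # Discovery script body for a MEMCM compliance item whose rule is
    # "value returned by script equals Compliant".
    $findings = Get-PointAndPrintFindings
    if ($findings.Count -eq 0) { 'Compliant' }
    else { 'Non-Compliant: ' + ($findings -join ', ') }
}

function Repair-PointAndPrint {
    # Remediation script body: only rewrites values that exist and are
    # non-zero, so systems that never had the key are left untouched.
    foreach ($name in Get-PointAndPrintFindings) {
        Set-ItemProperty -LiteralPath $KeyPath -Name $name -Value 0 -Type DWord
    }
}

# Discovery: emit the compliance string for the compliance item rule.
Test-PointAndPrintCompliance
```

For a Proactive remediation the discovery output is replaced by `exit 1` when there are findings and `exit 0` otherwise, and the remediation script calls `Repair-PointAndPrint` in its body. Note the detection string is a prefix match only when the compliance rule allows it; for an exact-match rule, drop the finding names from the Non-Compliant string.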