How can I track Windows Update installation dates with Common Events and without Update Management?

We currently have servers forwarding logs to Azure via Security Center and the Microsoft Monitoring Agent. To reduce costs our log level is set to Common Events and we're using the North Europe region.

Does anyone know of a way to track the installation dates of Windows Updates in this scenario?

Ideally we'd be using Update Management via an Automation account but this is not yet available in the North Europe region and Event 19 from the Windows Event Log is not included in the Common Events tier.

Update and UpdateSummary queries don't have installation dates and generate multiple events for a single update being installed.

2 Replies

@endakelly 

Seems to me that Event ID 20 is what you're looking for...

Can you use these queries?

Event | where Source=="Microsoft-Windows-WindowsUpdateClient"

Event | where EventID == 20
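
The two filters from the reply above combined into one query, as an added example that is not part of the original thread. It assumes the Windows Update client events are actually being collected into the Event table of the workspace, and it includes both Event ID 19 (installation successful, the event the question mentions) and Event ID 20 (installation failure); the column names Outcome, FirstSeen and Events are chosen for this example.

```kusto
// Added example: one row per computer, outcome and update message,
// so repeated events for the same update collapse to a single line.
// Assumption: Windows Update client events reach the Event table.
Event
| where Source == "Microsoft-Windows-WindowsUpdateClient"
| where EventID in (19, 20)   // 19 = installation successful, 20 = installation failure
| extend Outcome = iff(EventID == 19, "Installed", "Failed")
// RenderedDescription carries the event message, which names the update.
| summarize FirstSeen = min(TimeGenerated), Events = count()
    by Computer, Outcome, RenderedDescription
| order by Computer asc, FirstSeen desc
```

FirstSeen is the earliest TimeGenerated for that message on that computer, which serves as the installation date when several copies of the same event arrive.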

@Noa Kuperberg thanks for the reply.

Unfortunately, that event does not appear if Security Center is set to the Common data tier. Is there a way to add just a specific event ID to this tier without switching to the All event data tier? I am hesitant to log all events due to the volume.

Thanks,

Enda