When did your Windows machine last update? It could be the reason you fail Cyber Essentials

Most people assume their Windows updates are ticking along in the background. Often, they're not — and it's one of the most common reasons businesses fail their Cyber Essentials assessment.

At Prestige Cyber Guard, we work with UK businesses every day to help them achieve and maintain Cyber Essentials certification. Security Update Management is one of the five core controls the scheme checks, and it catches organisations out more often than you'd expect — not because they don't care about patching, but because they've never actually verified it's happening.

This post gives you a free PowerShell script that checks your update status in under a minute and tells you clearly what needs fixing before your assessment.

What Cyber Essentials requires for security updates

Cyber Essentials is the UK government-backed certification designed to protect organisations from the most common cyber threats. When it comes to security updates, the scheme has four clear expectations:

• Automatic updates must be enabled and set to install automatically — not just download

• Critical and high-severity security patches must be applied within 14 days of release

• There must be no pending critical updates left waiting on your machines

• Your operating system must still be in vendor support — running an unsupported OS is an automatic fail

That last point is particularly relevant right now. Windows 10 reaches end of support in October 2025. Any business still running Windows 10 after that date will automatically fail Cyber Essentials — so if that's you, planning your upgrade needs to start now.

Why unpatched machines are such a big risk

When Microsoft releases a security update, they're essentially publishing a list of vulnerabilities that exist in the current version of Windows. Cybercriminals read those release notes too — and they know that most businesses take weeks or months to apply patches, leaving a window of opportunity to exploit the exact vulnerabilities that have just been publicly disclosed.

The most damaging ransomware attacks in recent years — including WannaCry, which caused billions in damage globally — exploited vulnerabilities that had already been patched by Microsoft weeks earlier. The organisations that got hit simply hadn't applied the update in time.

Cyber Essentials exists to close exactly this kind of gap.

The script: check your update status in under a minute

We've written a PowerShell script that runs five checks automatically and gives you a clear PASS, WARN, or FAIL on each one — with plain-English instructions on what to do if something needs attention.

How to run it (no technical experience needed)

1. Press the Windows key on your keyboard

2. Type PowerShell

3. Right-click on "Windows PowerShell" in the results

4. Click "Run as administrator"

5. Click "Yes" if a blue permission box appears

6. Paste this line and press Enter:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

7. Then paste the full script and press Enter

Note: This command temporarily allows the script to run in your current PowerShell window only. It makes no permanent changes to your machine — the restriction resets the moment you close the window.

The script

Write-Host ""
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host "  CYBER ESSENTIALS - SECURITY UPDATE CHECK" -ForegroundColor Cyan
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host ""

# CHECK 1: Windows Update service
Write-Host "CHECK 1: Windows Update service..." -ForegroundColor White
$wuService = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wuService -and ($wuService.Status -eq "Running" -or $wuService.StartType -eq "Automatic")) {
    Write-Host "  [PASS] Windows Update service is running" -ForegroundColor Green
} else {
    Write-Host "  [FAIL] Windows Update service is not running or disabled" -ForegroundColor Red
    Write-Host "         Action: Press Windows key, type 'Services', find 'Windows Update'" -ForegroundColor Yellow
    Write-Host "         Right-click > Properties > Startup type: Automatic > Start" -ForegroundColor Yellow
}

Write-Host ""

# CHECK 2: Automatic updates
Write-Host "CHECK 2: Automatic updates configuration..." -ForegroundColor White
try {
    $auSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
    switch ($auSettings.NotificationLevel) {
        4 { Write-Host "  [PASS] Automatic updates are fully enabled" -ForegroundColor Green }
        3 { Write-Host "  [WARN] Updates download but don't install automatically" -ForegroundColor Yellow
            Write-Host "         Action: Settings > Windows Update > Advanced Options > enable auto-install" -ForegroundColor Yellow }
        2 { Write-Host "  [WARN] Windows checks but doesn't download or install automatically" -ForegroundColor Yellow
            Write-Host "         Action: Settings > Windows Update > Advanced Options > enable auto-install" -ForegroundColor Yellow }
        default { Write-Host "  [FAIL] Automatic updates are disabled or not configured" -ForegroundColor Red
            Write-Host "         Action: Settings > Windows Update and enable automatic updates" -ForegroundColor Yellow }
    }
} catch {
    Write-Host "  [WARN] Could not read automatic update settings — check manually in Windows Update" -ForegroundColor Yellow
}

Write-Host ""

# CHECK 3: Last successful update
Write-Host "CHECK 3: Last successful Windows Update..." -ForegroundColor White
try {
    $updateSession = New-Object -ComObject "Microsoft.Update.Session"
    $updateSearcher = $updateSession.CreateUpdateSearcher()
    $lastUpdate = $updateSearcher.QueryHistory(0,1) | Select-Object -First 1
    $daysSince = [math]::Round(((Get-Date) - $lastUpdate.Date).TotalDays, 0)
    $dateFormatted = $lastUpdate.Date.ToString("dd MMM yyyy")
    if ($daysSince -le 30) {
        Write-Host "  [PASS] Last update $daysSince days ago ($dateFormatted)" -ForegroundColor Green
    } elseif ($daysSince -le 60) {
        Write-Host "  [WARN] Last update was $daysSince days ago ($dateFormatted)" -ForegroundColor Yellow
        Write-Host "         Action: Settings > Windows Update > Check for updates" -ForegroundColor Yellow
    } else {
        Write-Host "  [FAIL] Last update was $daysSince days ago ($dateFormatted) — significantly out of date" -ForegroundColor Red
        Write-Host "         Action: Run Windows Update immediately and restart when prompted" -ForegroundColor Red
    }
} catch {
    Write-Host "  [WARN] Could not retrieve update history — check Windows Update manually" -ForegroundColor Yellow
}

Write-Host ""

# CHECK 4: Pending updates
Write-Host "CHECK 4: Pending updates (scanning — may take 60 seconds)..." -ForegroundColor White
try {
    $searcher = (New-Object -ComObject "Microsoft.Update.Session").CreateUpdateSearcher()
    $pending = $searcher.Search("IsInstalled=0 and Type='Software'")
    $critical = ($pending.Updates | Where-Object { $_.MsrcSeverity -eq "Critical" -or $_.MsrcSeverity -eq "Important" }).Count
    if ($pending.Updates.Count -eq 0) {
        Write-Host "  [PASS] No pending updates — fully up to date" -ForegroundColor Green
    } elseif ($critical -gt 0) {
        Write-Host "  [FAIL] $($pending.Updates.Count) pending updates including $critical critical/important" -ForegroundColor Red
        Write-Host "         Action: Settings > Windows Update > Install all updates now and restart" -ForegroundColor Red
    } else {
        Write-Host "  [WARN] $($pending.Updates.Count) pending updates (none critical)" -ForegroundColor Yellow
        Write-Host "         Action: Install at your next opportunity" -ForegroundColor Yellow
    }
} catch {
    Write-Host "  [WARN] Could not scan for pending updates — check Windows Update manually" -ForegroundColor Yellow
}

Write-Host ""

# CHECK 5: Windows version
Write-Host "CHECK 5: Windows version support status..." -ForegroundColor White
$build = (Get-WmiObject Win32_OperatingSystem).BuildNumber
$os = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Host "         Detected: $os (Build $build)" -ForegroundColor Gray
if ($build -ge 22000) {
    Write-Host "  [PASS] Windows 11 — currently supported" -ForegroundColor Green
} elseif ($build -ge 19041) {
    Write-Host "  [WARN] Windows 10 — reaches end of support October 2025" -ForegroundColor Yellow
    Write-Host "         Plan your Windows 11 upgrade to stay Cyber Essentials compliant" -ForegroundColor Yellow
} else {
    Write-Host "  [FAIL] This Windows version is out of support — automatic Cyber Essentials fail" -ForegroundColor Red
    Write-Host "         Action: Upgrade to Windows 11 as soon as possible" -ForegroundColor Red
}

Write-Host ""
Write-Host "  Need help? Contact Prestige Cyber Guard:" -ForegroundColor White
Write-Host "  hello@prestigecyberguard.co.uk" -ForegroundColor Cyan
Write-Host "  www.prestigecyberguard.co.uk" -ForegroundColor Cyan
Write-Host ""

What the results mean

[PASS] — that check meets the Cyber Essentials requirement. No action needed.

[WARN] — something needs attention. It may not stop you certifying right now, but it's a risk that should be resolved, and it could become a fail at your next renewal.

[FAIL] — this is a Cyber Essentials gap that must be fixed before you can achieve or renew certification. Each fail includes a plain-English action so you know exactly what to do.

A note on Windows 10

If your machine is running Windows 10, the script will flag a warning. Microsoft has confirmed that Windows 10 support ends in October 2025 — after that date, no further security updates will be released. Running an unsupported operating system is one of the criteria that will cause an automatic Cyber Essentials fail.

If you're still on Windows 10, now is the time to plan your upgrade. Most modern machines that run Windows 10 are eligible for a free upgrade to Windows 11 — and it's a straightforward process. If you'd like guidance on planning your upgrade across your business, get in touch with us and we can help.

This is part of a bigger picture

Security Update Management is one of the five Cyber Essentials controls. We've been building out this series with practical, free scripts for each one:

• ✅ User Access Control — Are your accounts running with more privilege than they need?

• ✅ Malware Protection — Is Windows Defender actually protecting you?

• ✅ Security Update Management — This post

• 🔜 Firewalls — Coming soon

• 🔜 Secure Configuration — Coming soon

Each post includes a free script you can run right now, with no technical experience needed.

Ready to work towards certification?

Running these scripts is a great way to understand where your gaps are — but achieving Cyber Essentials certification means evidencing all five controls across your whole organisation, not just one machine at a time.

At Prestige Cyber Guard, our Cyber Essentials support service takes you from initial gap assessment through to certification. We'll identify what needs fixing, help you fix it, and support you through the submission process so you can certify with confidence.

Get in touch today: 📧 hello@prestigecyberguard.co.uk 🌐 www.prestigecyberguard.co.uk

Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the National Cyber Security Centre (NCSC). Holding certification demonstrates that your organisation has the fundamental controls in place to protect against the most common cyber threats.