Software Updates (Windows)

The Software Updates (Windows) section provides essential information and guidance on keeping your Windows operating system and third-party software up to date. Stay informed about the latest updates, including security patches, bug fixes, and new features, to enhance the performance, stability, and security of your Windows devices. Learn how to check for and install updates, manage update settings, and optimize compatibility with third-party applications. By regularly updating your Windows operating system and software, you can ensure an optimized and secure computing experience while taking advantage of the latest improvements and enhancements.

Windows Software Update Reporting

What

Starting from FileWave version 14.7+ there is a better overview of updates that should be deployed to the Windows devices managed by FileWave so that you can easier identify possible risks and deploy needed patches. 

When/Why

Security is more important every day. Knowing the state of security of your endpoints is critical to protecting your environment so this enhancement will help with more detailed reporting around Microsoft patches. The data is collected every 1 hour from devices.  Read the OS Software Updates article for more details on applying the updates to Apple or Microsoft Windows devices. 

How

In the Native Admin, there is a new tab in the Client Info window, called "Software Updates"

It is possible to filter at the top of the table by: 

In the Web Admin, there are two new information items in the Software Updates section of Device Info

In the Web Admin when going to the Software Updates tab of a device there is additional filtering and reporting of missing and installed software updates.

In both the Native and Web Admins there are new fields that are usable for reporting on Windows patches.

As shown here KBArticle, MsrcSeverity, Support URL, Category, and Description are the new fields.


This is an example of Support URL, KBArticle, and MsrcSeverity used in a report. 

These examples show Category and then Description. 

Installing Windows Updates that are not able to be automatically packaged

What

As a Windows administrator, you want to install some Windows Updates where FileWave reports that the item is missing, but it's not a security update where FileWave could automatically create a Fileset for that update.

When/Why

Since 14.7.0 of FileWave, there has been additional reporting on missing updates for Windows. With the increased reporting many administrators have asked how to install an update when it is missing from a device but isn't seen as an update that FileWave is capable of turning into a Fileset on its own. 

How

The first thing is to understand that Windows updates can come in .MSU files (Microsoft Standalone Updater). These updates can be processed by an exe %windir%\System32\Wusa.exe and installed.

For example, if the Windows6.0-KB934307-x86.msu file is in the D:\934307 folder, type the following command at a command prompt to install the update package:

wusa.exe /quiet /norestart d:\934307\Windows6.0-KB934307-x86.msu

To accomplish this in FileWave let's take a real example. First, we will go to https://www.catalog.update.microsoft.com/Home.aspx to look for this update. Download the MSU file once you see it.

Next, create a Fileset by making an Empty Fileset and then add the update as seen here:

To install the MSU you will need to add an Activation Script to it.

Here is the text of install.bat. 

You'll notice in the images and script that I shortened the name of the MSU file. That's just to make it easier to read. If you keep the long name it downloads with then just be sure to copy the entire name if you do keep it long. Notice the " marks around the filename as well in case you have spaces in the path. 

Install.bat

REM For all script types, returning an exit code of 0 (success) means the
REM script execution completed successfully.
REM Add the contents of your script below:
 
%windir%\System32\wusa.exe /quiet /norestart "c:\programdata\FileWave\Installers\windows10.0-kb5012599.msu"
 
exit 0

You may notice that this update has /norestart, but most security updates need a restart. You could go to Properties for the Fileset and have FileWave control the reboot as shown below. 

It's important to note that wusa.exe is smart enough to not install an update that a device already has or an update that does not really apply to a device. You shouldn't have to worry about if someone already patched their machine. If you want to be a bit fancier you could make a Requirements script that would check if an update is installed and then exit if it is there. 

Once an update is installed you would need the inventory to update for a client to see that the update is installed in the Software Updates section of the admin console. You can either wait for the verification to normally happen (once every 24 hours, or on restart) or send an explicit Verify command. That should be all you need to do. Repeat this process for any MSU file that you need to deploy via FileWave. 

Digging Deeper

More information on wusa.exe is here: 

https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19

When you are testing it may be difficult to repeat your testing once an update installs, but wusa has an /uninstall switch as well that can save you time. Below is an example that would remove a patch. Another alternative is to use a Virtual Machine for testing and use snapshots to be able to install and then roll back to before the update was installed. 

wusa /uninstall /kb: KB5000802 /quiet /promptrestart

For troubleshooting to view the Windows Update Standalone Installer event log on a client device, follow these steps:

  1. Click Start, type event viewer in the Start Search box, and then click Event Viewer in the Programs list. 
  2. In Event Viewer, expand Windows Logs, and then click Setup.
  3. Setup events appear in the middle pane.
  4. In the Actions pane, click Filter Current Log.
  5. In the Event sources list, click to select the WUSA check box, and then click OK.

Understanding and Utilizing the Windows Update Build Revision (UBR) Number

What

The Update Build Revision (UBR) number is a unique identifier for individual updates in Windows 10 and Windows 11 operating systems. It allows IT administrators to track, monitor, and ensure that their devices are up-to-date with the latest security patches, bug fixes, and feature improvements. The UBR number is not reported by FileWave by default; however, you can use Custom Fields in FileWave to collect and report on this information.

When/Why

Keeping devices updated is crucial for maintaining security, stability, and optimal performance. By monitoring UBR numbers, IT administrators can:

  1. Identify devices that are not up-to-date with the latest updates.
  2. Plan and execute update deployments effectively.
  3. Verify the success of update installations.
  4. Maintain compliance with internal and external policies or regulations.

This is particularly relevant for Education organizations, corporations, and state and local government agencies that rely on FileWave for their Unified Endpoint Management needs.

How

Using the below PowerShell code you can get the UBR from the Registry:

$ubr_version =(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
echo "$ubr_version"
exit 0

Using the below PowerShell code you can see how you can get both the OS version together with the UBR if that is desired:

$os_version = (Get-WmiObject -Class win32_OperatingSystem).Version
$sub_build_version = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
echo "$os_version.$sub_build_version"
exit 0

To implement this very easily simply:

  1. Download the below Custom Field file: Windows UBR.customfields.zip
  2. Extract the zip archive
  3. In FileWave Central go to Assistants → Custom Fields → Edit Custom Fields
  4. Click Import and pick the file you extracted
  5. Now make sure for one or both fields that you make sure to check the box to assign it to all devices so that they can report in their values. Then you can use the Custom Fields in any Query/Report/Smart Group