Software Updates (Windows)
The Software Updates (Windows) section provides essential information and guidance on keeping your Windows operating system and third-party software up to date. Stay informed about the latest updates, including security patches, bug fixes, and new features, to enhance the performance, stability, and security of your Windows devices. Learn how to check for and install updates, manage update settings, and optimize compatibility with third-party applications. By regularly updating your Windows operating system and software, you can ensure an optimized and secure computing experience while taking advantage of the latest improvements and enhancements.
- Windows Software Update Reporting
- Installing Windows Updates that are not able to be automatically packaged
- Understanding and Utilizing the Windows Update Build Revision (UBR) Number
Windows Software Update Reporting
What
Starting from FileWave version 14.7+ there is a better overview of updates that should be deployed to the Windows devices managed by FileWave so that you can easier identify possible risks and deploy needed patches.
- The number of missing updates is reported for each Windows device
- A list of all installed updates is reported for each Windows device
- A list of all requested updates is reported for each Windows device
- Regardless of the enrolment type, all devices are reporting the status
When/Why
Security is more important every day. Knowing the state of security of your endpoints is critical to protecting your environment so this enhancement will help with more detailed reporting around Microsoft patches. The data is collected every 1 hour from devices.
FileWave uses the Offline CAB method to scan for missing updates and then you will see them as described below. When going to Assistants -> Find Software Updates... in FileWave Central you will only see Security updates listed. In FileWave all of the. Microsoft updates are reported, but only the Security updates are available for one-click Fileset creation. Refer to this article for an easy way to deploy other non-Security updates: Installing Windows Updates that are not able to be automatically packaged
How
In the Native Admin, there is a new tab in the Client Info window, called "Software Updates"
- The Software Updates section displays all installed patches
- The Software Updates section displays all requested patches
- The device reports the status regardless of the way how it was patched (FW, manually, other tools)
- Additionally, a new property called Category is displayed to show what type of update is listed
It is possible to filter at the top of the table by:
- requested (default status), installed, all
- category (those with at least one result will be listed)
- critical (yes/no)
In the Web Admin, there are two new information items in the Software Updates section of Device Info.
- The overall number of missing and the number of (missing) critical updates are displayed
- Both link to the Software Updates tab with the responding filter applied
- In case of no results, the value "0" is displayed, but the link does not exist
- Regardless of the enrolment type, this section is available and functional for all Windows devices
In the Web Admin when going to the Software Updates tab of a device there is additional filtering and reporting of missing and installed software updates.
- Filters can be applied to the whole table:
- All / Missing / Installed
- Columns can be filtered:
- Critical (dropdown)
- Categories (multiselection)
- Status (multiselection)
In both the Native and Web Admins there are new fields that are usable for reporting on Windows patches.
|
As shown here KBArticle, MsrcSeverity, Support URL, Category, and Description are the new fields. |
|
|
This is an example of Support URL, KBArticle, and MsrcSeverity used in a report. |
|
|
These examples show Category and then Description. |
|
Related Content
Installing Windows Updates that are not able to be automatically packaged
What
As a Windows administrator, you want to install some Windows Updates where FileWave reports that the item is missing, but it's not a security update where FileWave could automatically create a Fileset for that update.
When/Why
Since 14.7.0 of FileWave, there has been additional reporting on missing updates for Windows. With the increased reporting many administrators have asked how to install an update when it is missing from a device but isn't seen as an update that FileWave is capable of turning into a Fileset on its own.
How
The first thing is to understand that Windows updates can come in .MSU files (Microsoft Standalone Updater). These updates can be processed by an exe %windir%\System32\Wusa.exe and installed.
For example, if the Windows6.0-KB934307-x86.msu file is in the D:\934307 folder, type the following command at a command prompt to install the update package:
wusa.exe /quiet /norestart d:\934307\Windows6.0-KB934307-x86.msuTo accomplish this in FileWave let's take a real example. First, we will go to https://www.catalog.update.microsoft.com/Home.aspx to look for this update. Download the MSU file once you see it.
Next, create a Fileset by making an Empty Fileset and then add the update as seen here:
To install the MSU you will need to add an Activation Script to it.
Here is the text of install.bat.
You'll notice in the images and script that I shortened the name of the MSU file. That's just to make it easier to read. If you keep the long name it downloads with then just be sure to copy the entire name if you do keep it long. Notice the " marks around the filename as well in case you have spaces in the path.
Install.bat
REM For all script types, returning an exit code of 0 (success) means the
REM script execution completed successfully.
REM Add the contents of your script below:
%windir%\System32\wusa.exe /quiet /norestart "c:\programdata\FileWave\Installers\windows10.0-kb5012599.msu"
exit 0You may notice that this update has /norestart, but most security updates need a restart. You could go to Properties for the Fileset and have FileWave control the reboot as shown below.
It's important to note that wusa.exe is smart enough to not install an update that a device already has or an update that does not really apply to a device. You shouldn't have to worry about if someone already patched their machine. If you want to be a bit fancier you could make a Requirements script that would check if an update is installed and then exit if it is there.
Once an update is installed you would need the inventory to update for a client to see that the update is installed in the Software Updates section of the admin console. You can either wait for the verification to normally happen (once every 24 hours, or on restart) or send an explicit Verify command. That should be all you need to do. Repeat this process for any MSU file that you need to deploy via FileWave.
Related Content
Digging Deeper
More information on wusa.exe is here:
When you are testing it may be difficult to repeat your testing once an update installs, but wusa has an /uninstall switch as well that can save you time. Below is an example that would remove a patch. Another alternative is to use a Virtual Machine for testing and use snapshots to be able to install and then roll back to before the update was installed.
wusa /uninstall /kb: KB5000802 /quiet /promptrestartFor troubleshooting to view the Windows Update Standalone Installer event log on a client device, follow these steps:
- Click Start, type event viewer in the Start Search box, and then click Event Viewer in the Programs list.
- In Event Viewer, expand Windows Logs, and then click Setup.
- Setup events appear in the middle pane.
- In the Actions pane, click Filter Current Log.
- In the Event sources list, click to select the WUSA check box, and then click OK.
Understanding and Utilizing the Windows Update Build Revision (UBR) Number
What
The Update Build Revision (UBR) number is a unique identifier for individual updates in Windows 10 and Windows 11 operating systems. It allows IT administrators to track, monitor, and ensure that their devices are up-to-date with the latest security patches, bug fixes, and feature improvements. The UBR number is not reported by FileWave by default; however, you can use Custom Fields in FileWave to collect and report on this information.
When/Why
Keeping devices updated is crucial for maintaining security, stability, and optimal performance. By monitoring UBR numbers, IT administrators can:
- Identify devices that are not up-to-date with the latest updates.
- Plan and execute update deployments effectively.
- Verify the success of update installations.
- Maintain compliance with internal and external policies or regulations.
This is particularly relevant for Education organizations, corporations, and state and local government agencies that rely on FileWave for their Unified Endpoint Management needs.
How
Using the below PowerShell code you can get the UBR from the Registry:
$ubr_version =(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
echo "$ubr_version"
exit 0
Using the below PowerShell code you can see how you can get both the OS version together with the UBR if that is desired:
$os_version = (Get-WmiObject -Class win32_OperatingSystem).Version
$sub_build_version = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
echo "$os_version.$sub_build_version"
exit 0
To implement this very easily simply:
- Download the below Custom Field file: Windows UBR.customfields.zip
- Extract the zip archive
- In FileWave Central go to Assistants → Custom Fields → Edit Custom Fields
- Click Import and pick the file you extracted
- Now make sure for one or both fields that you make sure to check the box to assign it to all devices so that they can report in their values. Then you can use the Custom Fields in any Query/Report/Smart Group