# Software Updates (Windows) # Windows Software Update Reporting ## What Starting from FileWave version 14.7+ there is a better overview of updates that should be deployed to the Windows devices managed by FileWave so that you can easier identify possible risks and deploy needed patches. - The number of missing updates is reported for each Windows device - A list of all installed updates is reported for each Windows device - A list of all requested updates is reported for each Windows device - Regardless of the enrolment type, all devices are reporting the status ## When/Why Security is more important every day. Knowing the state of security of your endpoints is critical to protecting your environment so this enhancement will help with more detailed reporting around Microsoft patches. The data is collected every 1 hour from devices.
FileWave uses the [Offline CAB method](https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline) to scan for missing updates and then you will see them as described below. When going to Assistants -> Find Software Updates... in FileWave Central you will only see Security updates listed. In FileWave all of the. Microsoft updates are reported, but only the Security updates are available for one-click Fileset creation. Refer to this article for an easy way to deploy other non-Security updates: [Installing Windows Updates that are not able to be automatically packaged](https://kb.filewave.com/books/software-updates-windows/page/installing-windows-updates-that-are-not-able-to-be-automatically-packaged "Installing Windows Updates that are not able to be automatically packaged")
## How In the Native Admin, there is a new tab in the Client Info window, called "Software Updates" - The Software Updates section displays all installed patches - The Software Updates section displays all requested patches - The device reports the status regardless of the way how it was patched (FW, manually, other tools) - Additionally, a new property called Category is displayed to show what type of update is listed It is possible to filter at the top of the table by: - requested (default status), installed, all - category (those with at least one result will be listed) - critical (yes/no)  In the Web Admin, there are two new information items in the **Software Updates** section of **Device Info**. - The overall number of missing and the number of (missing) critical updates are displayed - Both link to the Software Updates tab with the responding filter applied - In case of no results, the value "0" is displayed, but the link does not exist - Regardless of the enrolment type, this section is available and functional for all Windows devices  In the Web Admin when going to the **Software Updates** tab of a device there is additional filtering and reporting of missing and installed software updates. - Filters can be applied to the whole table: - All / Missing / Installed - Columns can be filtered: - Critical (dropdown) - Categories (multiselection) - Status (multiselection)  In both the Native and Web Admins there are new fields that are usable for reporting on Windows patches.As shown here KBArticle, MsrcSeverity, Support URL, Category, and Description are the new fields. |  |
This is an example of Support URL, KBArticle, and MsrcSeverity used in a report. |  |
These examples show Category and then Description. |  |
You'll notice in the images and script that I shortened the name of the MSU file. That's just to make it easier to read. If you keep the long name it downloads with then just be sure to copy the entire name if you do keep it long. Notice the " marks around the filename as well in case you have spaces in the path.
**Install.bat** ```vbscript REM For all script types, returning an exit code of 0 (success) means the REM script execution completed successfully. REM Add the contents of your script below: %windir%\System32\wusa.exe /quiet /norestart "c:\programdata\FileWave\Installers\windows10.0-kb5012599.msu" exit 0 ``` You may notice that this update has /norestart, but most security updates need a restart. You could go to Properties for the Fileset and have FileWave control the reboot as shown below. It's important to note that wusa.exe is smart enough to not install an update that a device already has or an update that does not really apply to a device. You shouldn't have to worry about if someone already patched their machine. If you want to be a bit fancier you could make a Requirements script that would check if an update is installed and then exit if it is there.
Once an update is installed you would need the inventory to update for a client to see that the update is installed in the Software Updates section of the admin console. You can either wait for the verification to normally happen (once every 24 hours, or on restart) or send an explicit Verify command. That should be all you need to do. Repeat this process for any MSU file that you need to deploy via FileWave. ## Related Content - [Windows Software Update Reporting](https://kb.filewave.com/books/software-updates-windows/page/windows-software-update-reporting "Windows Software Update Reporting") - [Fileset Creation and Deployment](https://kb.filewave.com/books/evaluation-guide/page/fileset-creation-and-deployment "Fileset Creation and Deployment") ## Digging Deeper More information on wusa.exe is here: [https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19](https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19) When you are testing it may be difficult to repeat your testing once an update installs, but wusa has an /uninstall switch as well that can save you time. Below is an example that would remove a patch. Another alternative is to use a Virtual Machine for testing and use snapshots to be able to install and then roll back to before the update was installed. ```vbscript wusa /uninstall /kb: KB5000802 /quiet /promptrestart ``` For troubleshooting to view the Windows Update Standalone Installer event log on a client device, follow these steps: 1. Click Start, type event viewer in the **Start Search** box, and then click **Event Viewer** in the Programs list. 2. In Event Viewer, expand **Windows Logs**, and then click **Setup**. 3. Setup events appear in the middle pane. 4. In the **Actions** pane, click **Filter Current Log**. 5. In the **Event sources** list, click to select the **WUSA** check box, and then click **OK**. # Understanding and Utilizing the Windows Update Build Revision (UBR) Number ## What The Update Build Revision (UBR) number is a unique identifier for individual updates in Windows 10 and Windows 11 operating systems. It allows IT administrators to track, monitor, and ensure that their devices are up-to-date with the latest security patches, bug fixes, and feature improvements. The UBR number is not reported by FileWave by default; however, you can use Custom Fields in FileWave to collect and report on this information. ## When/Why Keeping devices updated is crucial for maintaining security, stability, and optimal performance. By monitoring UBR numbers, IT administrators can: 1. Identify devices that are not up-to-date with the latest updates. 2. Plan and execute update deployments effectively. 3. Verify the success of update installations. 4. Maintain compliance with internal and external policies or regulations. This is particularly relevant for Education organizations, corporations, and state and local government agencies that rely on FileWave for their Unified Endpoint Management needs. ## How Using the below PowerShell code you can get the UBR from the Registry: ```powershell $ubr_version =(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR echo "$ubr_version" exit 0 ``` Using the below PowerShell code you can see how you can get both the OS version together with the UBR if that is desired: ```powershell $os_version = (Get-WmiObject -Class win32_OperatingSystem).Version $sub_build_version = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR echo "$os_version.$sub_build_version" exit 0 ``` To implement this very easily simply: 1. Download the below Custom Field file: [Windows UBR.customfields.zip](https://kb.filewave.com/attachments/119) 2. Extract the zip archive 3. In FileWave Central go to Assistants → Custom Fields → Edit Custom Fields 4. Click Import and pick the file you extracted 5. Now make sure for one or both fields that you make sure to check the box to assign it to all devices so that they can report in their values. Then you can use the Custom Fields in any Query/Report/Smart Group ## Related Content - [Custom Fields](https://kb.filewave.com/books/custom-fields/page/custom-fields "Custom Fields") - [https://www.vcloudinfo.com/2020/12/how-to-decode-windows-version-numbers.html](https://www.vcloudinfo.com/2020/12/how-to-decode-windows-version-numbers.html) - [https://superuser.com/questions/1287950/how-to-find-the-build-ubr-kernel-version-of-windows-10-using-command-line-c](https://superuser.com/questions/1287950/how-to-find-the-build-ubr-kernel-version-of-windows-10-using-command-line-c) - [https://stackoverflow.com/questions/47859658/find-the-extended-ver-information-for-remote-windows-computer](https://stackoverflow.com/questions/47859658/find-the-extended-ver-information-for-remote-windows-computer)