Score:0

Query Windows Update via MDM Update CSP


I'm trying to query accurate Windows Update information on Windows 10.

Using the old "Microsoft.Update.Session" method, the data doesn't match what's in the Windows Update UI ("Settings" -> "Updates").

I get the same results with PSWindowsUpdate, i.e. it still doesn't match the UI.

As an example of this, the UI shows:

Windows Update UI

And PSWindowsUpdate shows (which matches my app):

PS C:\Windows\system32> get-wulist -IsInstalled

ComputerName Status     KB          Size Title
------------ ------     --          ---- -----
ALFRETON-... -DI----    KB925673     2MB MSXML 6.0 RTM Security Update  (925673)
ALFRETON-... -DI----    KB4052623    5MB Update for Windows Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2001.10)
ALFRETON-... -DI----                22MB Windows Subsystem for Linux Update - 5.4.72
ALFRETON-... -DI----    KB890830    34MB Windows Malicious Software Removal Tool x64 - v5.91 (KB890830)
ALFRETON-... -DI----    KB4052623    6MB Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2106.6)
ALFRETON-... -DI----    KB2267602  804MB Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.343.1110.0)
ALFRETON-... --I----    KB4023057    3MB 2021-06 Update for Windows 10 Version 21H1 for x64-based Systems (KB4023057)
ALFRETON-... -DI----    KB5004237  103GB 2021-07 Cumulative Update for Windows 10 Version 21H1 for x64-based Systems (KB5004237)

My thought was to try and use the Updates CSP in MDM, as I've had a lot of luck with MDM interfaces being better in Windows 10 than anything else.

However, when using the MDM bridge, the query endpoints return nothing:

=====================================
CLASS    : MDM_DeviceUpdateCenter_Enrollment01 
=====================================
=====================================
CLASS    : MDM_Policy_Config01_Update02 
=====================================
=====================================
CLASS    : MDM_Policy_Result01_Update02 
=====================================


ActiveHoursEnd                                         : 17
ActiveHoursMaxRange                                    : 18
ActiveHoursStart                                       : 8
AllowAutoUpdate                                        : 6
AllowAutoWindowsUpdateDownloadOverMeteredNetwork       : 0
AllowMUUpdateService                                   : 0
AllowNonMicrosoftSignedUpdate                          : 1
AllowUpdateService                                     : 1
AutomaticMaintenanceWakeUp                             : 1
AutoRestartDeadlinePeriodInDays                        : 7
AutoRestartDeadlinePeriodInDaysForFeatureUpdates       : 7
AutoRestartNotificationSchedule                        : 15
AutoRestartRequiredNotificationDismissal               : 1
BranchReadinessLevel                                   : 16
ConfigureDeadlineForFeatureUpdates                     : 7
ConfigureDeadlineForQualityUpdates                     : 7
ConfigureDeadlineGracePeriod                           : 2
ConfigureDeadlineGracePeriodForFeatureUpdates          : 2
ConfigureDeadlineNoAutoReboot                          : 0
ConfigureFeatureUpdateUninstallPeriod                  : 10
DeferFeatureUpdatesPeriodInDays                        : 0
DeferQualityUpdatesPeriodInDays                        : 0
DeferUpdatePeriod                                      : 0
DeferUpgradePeriod                                     : 0
DetectionFrequency                                     : 22
DisableDualScan                                        : 0
DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection : 0
EngagedRestartDeadline                                 : 14
EngagedRestartDeadlineForFeatureUpdates                : 14
EngagedRestartSnoozeSchedule                           : 3
EngagedRestartSnoozeScheduleForFeatureUpdates          : 3
EngagedRestartTransitionSchedule                       : 7
EngagedRestartTransitionScheduleForFeatureUpdates      : 7
ExcludeWUDriversInQualityUpdate                        : 0
FillEmptyContentUrls                                   : 0
IgnoreMOAppDownloadLimit                               : 0
IgnoreMOUpdateDownloadLimit                            : 0
InstanceID                                             : Update
ManagePreviewBuilds                                    : 3
ParentID                                               : ./Vendor/MSFT/Policy/Result
PauseDeferrals                                         : 0
PauseFeatureUpdates                                    : 0
PauseFeatureUpdatesStartTime                           : 
PauseQualityUpdates                                    : 0
PauseQualityUpdatesStartTime                           : 
PhoneUpdateRestrictions                                : 4
RequireDeferUpgrade                                    : 0
RequireUpdateApproval                                  : 0
ScheduledInstallDay                                    : 0
ScheduledInstallEveryWeek                              : 1
ScheduledInstallFirstWeek                              : 0
ScheduledInstallFourthWeek                             : 0
ScheduledInstallSecondWeek                             : 0
ScheduledInstallThirdWeek                              : 0
ScheduledInstallTime                                   : 3
ScheduleImminentRestartWarning                         : 15
ScheduleRestartWarning                                 : 4
SetAutoRestartNotificationDisable                      : 0
SetDisablePauseUXAccess                                : 0
SetDisableUXWUAccess                                   : 0
SetEDURestart                                          : 0
SetProxyBehaviorForUpdateDetection                     : 0
TargetReleaseVersion                                   : 
UpdateNotificationLevel                                : 0
UpdateServiceUrl                                       : CorpWSUS
UpdateServiceUrlAlternate                              : 



=====================================
CLASS    : MDM_Update 
=====================================
=====================================
CLASS    : MDM_Update_ApprovedUpdates01_01 
=====================================
=====================================
CLASS    : MDM_Update_FailedUpdates01_01 
=====================================
=====================================
CLASS    : MDM_Update_InstallableUpdates01_01 
=====================================
=====================================
CLASS    : MDM_Update_PendingRebootUpdates01_01 
=====================================
=====================================
CLASS    : MDM_Update_Rollback01 
=====================================

Fetched using this script:

param([string]$OutFile = "c:\temp\winupdate_debug.txt")

[string]$computer = $env:COMPUTERNAME
[string]$namespace = "ROOT\CIMV2\mdm\dmmap"

# MDM bridge classes for the Update policy area and the Update CSP
[string[]]$classnames = @(
    "MDM_DeviceUpdateCenter_Enrollment01",
    "MDM_Policy_Config01_Update02",
    "MDM_Policy_Result01_Update02",
    "MDM_Update",
    "MDM_Update_ApprovedUpdates01_01",
    "MDM_Update_FailedUpdates01_01",
    "MDM_Update_InstallableUpdates01_01",
    "MDM_Update_PendingRebootUpdates01_01",
    "MDM_Update_Rollback01"
)

$Error.Clear()
$ErrorActionPreference = "Stop"

foreach ($classname in $classnames) {
    try {
        # Write a header for the class, then dump whatever instances it returns
        "=====================================" | Out-File $OutFile -Force -Append -Encoding ascii
        "CLASS    : $classname " | Out-File $OutFile -Force -Append -Encoding ascii
        "=====================================" | Out-File $OutFile -Force -Append -Encoding ascii

        Get-WmiObject -Class $classname -Namespace $namespace |
            Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container |
            Format-List -Property [a-z]* |
            Out-File $OutFile -Force -Append -Encoding ascii
    }
    catch [System.Management.ManagementException] {
        # ignore - class not found because it is not populated
    }
    catch {
        # Any other error: show it and record the exception type in the output file
        $Error[0]
        $Error[0].Exception.GetType().fullname | fl * | Out-File $OutFile -Force -Append -Encoding ascii
    }
}

Why are the MDM endpoints not returning any data?

Or, does anyone know why the Windows Update results don't match the UI?

Score:0

These will not match up, as they are two different things.

The Windows Updates currently installed do not equal the history of all Windows Updates previously installed.

In particular, you will see the history includes information for 4 cumulative updates (May, June, July, July); however, as these updates are cumulative, only the latest one matters, so the currently installed updates list only the current cumulative update.

Perhaps more clearly... the history will include events for updates that failed to install, while the currently installed updates by definition should never list a failed update.

I don't know off the top of my head where the history is stored, but I will give it some thought and update this answer if I find it.
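
The two views this answer distinguishes can be put side by side with the Windows Update Agent COM API that the question already mentions (`Microsoft.Update.Session`). This is an added example, not code from either post; the function name `Compare-UpdateViews` and the shape of the object it returns are assumptions made for illustration.

```powershell
# Added example. Compare-UpdateViews is a hypothetical helper name, not part of
# Windows or PSWindowsUpdate. Run it on the machine being checked.
function Compare-UpdateViews {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $false   # read the local datastore; do not scan WU/WSUS

    # View 1: updates that are installed right now.
    $installed = @($searcher.Search("IsInstalled=1").Updates | ForEach-Object {
        [pscustomobject]@{
            KB    = (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title = $_.Title
        }
    })

    # View 2: every recorded attempt, including failures and older cumulatives.
    $results = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $operations = @{ 1 = 'Installation'; 2 = 'Uninstallation' }
    $history = @()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {   # nothing recorded yet: skip the query
        $history = @($searcher.QueryHistory(0, $count) | ForEach-Object {
            [pscustomobject]@{
                DateUtc   = $_.Date
                Operation = $operations[[int]$_.Operation]
                Result    = $results[[int]$_.ResultCode]
                HResult   = '0x{0:X8}' -f $_.HResult
                Title     = $_.Title
            }
        })
    }

    $installedTitles = @($installed.Title)
    [pscustomobject]@{
        Installed      = $installed
        History        = $history
        # Attempts that never show up as installed: the answer's "failed update" case.
        FailedAttempts = @($history | Where-Object Result -in 'Failed', 'Aborted')
        # Successful installs that are no longer listed, e.g. superseded cumulatives.
        HistoryOnly    = @($history | Where-Object {
            $_.Result -eq 'Succeeded' -and $_.Operation -eq 'Installation' -and
            $_.Title -notin $installedTitles })
    }
}

$views = Compare-UpdateViews
$views.FailedAttempts | Sort-Object DateUtc | Format-Table -AutoSize
$views.HistoryOnly | Sort-Object DateUtc | Format-Table DateUtc, Title -AutoSize
```

For patch-compliance checks, `Installed` answers "what is on the machine now", while `FailedAttempts` and `HistoryOnly` explain entries that appear in the update history but not in the installed list.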
