KB – Why Workspace ONE doesn’t list all installed updates
We are getting a lot of questions why Workspace ONE is not able to list all installed updates.
The answer is easy – because Windows can’t. But let’s dig into this issue.
Customer often reports that the installed update count and the installed updates on the device are not matching.
As example you run get-hotfix on a device and get 9 installed Updates listed.
While in the Workspace ONE console the count is 12.
The reason why Windows and Workspace ONE showing different numbers – even the other way round (meaning Workspace ONE shows a lower number then the device itself) – is, that Windows Updates uses different methods to install updates.
Actually there are four different ways to install an update:
- Windows Update Agent (WUA)
- Hotfix installation
- CBS (Component-Based Servicing)
- DISM
If you are using Workspace ONE profiles to install Windows Updates, you are only getting WUA installed updates reported back to the console.
For a full and consolidated update list you can use the following PowerShell function:
function Get-InstalledWindowsUpdates {
#Exported from Get-WUUpdate from the PSWindowsUpdate module
$UpdateCollection = @()
$objSession = [activator]::CreateInstance([type]::GetTypeFromProgID("Microsoft.Update.Session"))#,$Computer))
$objSearcher = $objSession.CreateUpdateSearcher()
$TotalHistoryCount = $objSearcher.GetTotalHistoryCount()
If ($TotalHistoryCount -gt 0) {
$objHistory = $objSearcher.QueryHistory(0, $TotalHistoryCount)
Foreach ($obj in $objHistory) {
$matches = $null
$obj.Title -match "KB(\d+)" | Out-Null
If ($matches -eq $null) {
Add-Member -InputObject $obj -MemberType NoteProperty -Name KB -Value ""
} #End If $matches -eq $null
Else {
Add-Member -InputObject $obj -MemberType NoteProperty -Name KB -Value ($matches[0])
} #End Else $matches -eq $null
Add-Member -InputObject $obj -MemberType NoteProperty -Name ComputerName -value ""
$obj.PSTypeNames.Clear()
$obj.PSTypeNames.Add('PSWindowsUpdate.WUHistory')
If ($obj.kb) {
$UpdateCollection += $obj
}
} #End Foreach $obj in $objHistory
Write-Progress -Activity "Get update histry for $Computer" -Status "Completed" -Completed
} #End If $TotalHistoryCount -gt 0
#Get Windows Updates from WMI
$WMIKBs = Get-WmiObject win32_quickfixengineering | Select-Object HotFixID -ExpandProperty HotFixID
#Get Windows Updates from DISM
$DISMKBList = dism /online /get-packages | findstr KB
$pattern = '(?<=KB).+?(?=~)'
$DISMKBNumbers = [regex]::Matches($DISMKBList, $pattern).Value
$DISMKBNumbers = @()
ForEach ($Number in $DISMKBNumbers) {
$DISMKBNumbers += "KB$($Number)"
}
$InstalledKBs = ($UpdateCollection.kb + $WMIKBs + $DISMKBNumbers) | Sort-Object -Unique
return $InstalledKBs
}This function is used by the Windows Update for Business improvement script that is hosted here:
https://github.com/GrischaE1/Windows/tree/main/WUfB
This will provide you more reporting possibilities that you can query via sensors.
Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.
Mona Clark
Hi Grischa,
We were just set up with WorkSpace One and I’ve had a little time to “play”. I noticed our devices don’t show the updates that were installed at all. I’m with Southwestern Illinois College – M883508798. Do you have any suggestions?
Grischa Ernst
Have you tried control my update? It’s a fling for a better and valid reporting