KB – Why Workspace ONE doesn’t list all installed updates

• By -Grischa Ernst

KB – Why Workspace ONE doesn’t list all installed updates

• Posted on 2021-12-22
• Posted in Windows 11, Windows Desktop
• 2 Comments

We are getting a lot of questions why Workspace ONE is not able to list all installed updates.
The answer is easy – because Windows can’t. But let’s dig into this issue.

Customer often reports that the installed update count and the installed updates on the device are not matching.

As example you run get-hotfix on a device and get 9 installed Updates listed.

While in the Workspace ONE console the count is 12.

The reason why Windows and Workspace ONE showing different numbers – even the other way round (meaning Workspace ONE shows a lower number then the device itself) – is, that Windows Updates uses different methods to install updates.

Actually there are four different ways to install an update:

• Windows Update Agent (WUA)
• Hotfix installation
• CBS (Component-Based Servicing)
• DISM

If you are using Workspace ONE profiles to install Windows Updates, you are only getting WUA installed updates reported back to the console.

For a full and consolidated update list you can use the following PowerShell function:

function Get-InstalledWindowsUpdates {
    #Exported from Get-WUUpdate from the PSWindowsUpdate module
    $UpdateCollection = @()

    $objSession = [activator]::CreateInstance([type]::GetTypeFromProgID("Microsoft.Update.Session"))#,$Computer))
    $objSearcher = $objSession.CreateUpdateSearcher()
    $TotalHistoryCount = $objSearcher.GetTotalHistoryCount()
   
    If ($TotalHistoryCount -gt 0) {
        $objHistory = $objSearcher.QueryHistory(0, $TotalHistoryCount)
       
        Foreach ($obj in $objHistory) {
            $matches = $null
            $obj.Title -match "KB(\d+)" | Out-Null
                               
            If ($matches -eq $null) {
                Add-Member -InputObject $obj -MemberType NoteProperty -Name KB -Value ""
            } #End If $matches -eq $null
            Else {							
                Add-Member -InputObject $obj -MemberType NoteProperty -Name KB -Value ($matches[0])
            } #End Else $matches -eq $null
                               
            Add-Member -InputObject $obj -MemberType NoteProperty -Name ComputerName -value ""
                               
            $obj.PSTypeNames.Clear()
            $obj.PSTypeNames.Add('PSWindowsUpdate.WUHistory')
           
            If ($obj.kb) {				
                $UpdateCollection += $obj
            }
           
        } #End Foreach $obj in $objHistory
        Write-Progress -Activity "Get update histry for $Computer" -Status "Completed" -Completed
    } #End If $TotalHistoryCount -gt 0
   
    #Get Windows Updates from WMI
    $WMIKBs = Get-WmiObject win32_quickfixengineering |  Select-Object HotFixID -ExpandProperty HotFixID
   
    #Get Windows Updates from DISM
    $DISMKBList = dism /online /get-packages | findstr KB 
   
    $pattern = '(?<=KB).+?(?=~)'
    $DISMKBNumbers = [regex]::Matches($DISMKBList, $pattern).Value
   
    $DISMKBNumbers = @()  
    ForEach ($Number in $DISMKBNumbers) {
        $DISMKBNumbers += "KB$($Number)"
       
    }
   
    $InstalledKBs = ($UpdateCollection.kb + $WMIKBs + $DISMKBNumbers) | Sort-Object -Unique
    return $InstalledKBs
}

This function is used by the Windows Update for Business improvement script that is hosted here:

https://github.com/GrischaE1/Windows/tree/main/WUfB

This will provide you more reporting possibilities that you can query via sensors.

Written by

Grischa Ernst

+ posts

Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.

• Using Azure Automation for Event Notifications
• Import Workspace ONE Freestyle Orchestrator Workflows
• Windows Application update workflow with deferral function
• Configure registry with CSP