There are four main tags in vScope displaying patch information for Windows.
- Last System Update Date – Date when a HotFix/QuickFixEngineering (QFE) was last installed on the machine.
- Last Product Update Date – Date when a product update was last installed on the machine using the Windows Installer.
- Last Patch Date – Last date when either a System update or a Product update was last installed. In other words, the maximum value of the two tags above.
- Auto Update Last Install – Date when Windows Update Agent last installed something successfully. This includes hotfixes (QFE), updates to Microsoft products and even updates for Windows Defender.
The diagram below illustrates the different paths taken when installing updates.
Windows Update Agent (WUA)
Detects, downloads and installs updates from Windows Update, Microsoft Update and WSUS. When the WUA successfully installs an system/product update, a registry key (LastSuccessTime) is updated in the registry. This key is the source for the tag Auto Update Last Install in vScope.
Manual Install & Other Deployment
If WUA is not used for update delivery in favour of another deployment system or you download updates and apply them manually, then the following applies:
The Auto Update Last Install tag in vScope will NOT include these installations since they do not use WUA to automatically update the system.
Update Types
We separate updates into three categories:
- System Updates – Updates for OS core files
- Product Updates – Updates for other Microsoft products
Both ways can be delivered through WUA, a separate deployment system or even manually.
Third Party Software Updates
These often use custom ways of updating themselves and are not delivered through WUA.
System Updates
These are updates that update OS core files and use the CBS (Component Based Servicing) in Windows to update core components. The files are often of type .msu and the installation is performed by TrustedInstaller.exe in later versions of Windows.
The process places .cat and .mum files in a specific folder as a history of core components updates.
These files are the source for the WMI class Win32_QuickFixEngineering (QFE).
vScope uses the attribute InstalledOn which is a timestamp found on instances of this WMI class. The latest timestamp is used as source for the tags Last System Update Date and Last Patch Date.
You might sometimes experience that these tags do not show a correct value. This is most likely due to an error in WMI on the target computer.
The error can either manifest itself as no update information being returned at all or some instances of the Win32_QuickFixEngineering class missing the InstalledOn attribute. If this is the case, vScope cannot reliably find the latest date a system update was installed.
To see if your system is affected you can open an elevated PowerShell on the target machine and run:
- Get-WmiObject Win32_QuickFixEngineering
The result should be a table with installed patches:
| Source | Description | HotFixID | InstalledBy | InstalledOn |
|---|---|---|---|---|
| CompName | Update | KB3199986 | NT AUTHORITY\SYSTEM | 2016-11-05 00:00:00 |
| CompName | Update | KB3211320 | NT AUTHORITY\SYSTEM | 2017-01-25 00:00:00 |
| CompName | Security Update | KB3214628 | NT AUTHORITY\SYSTEM | |
| CompName | Security Update | KB3213986 | NT AUTHORITY\SYSTEM | 2017-01-11 00:00:00 |
If the table returned by the query is completely empty then you either have a completely fresh Windows installation or there is corruption in the servicing stack which is providing data to the Win32_QuickFixEngineering class.
Read more here about the causes and possible fix for the problem.
If the the InstalledOn field is blank (highlighted in red) for some entries then WMI cannot find a record of when the patch was installed. This can be caused by corruption. Also, slipstreamed updates are usually missing the InstalledOn attribute.
Product Updates
These are updates that do not touch core components of the OS. These include updates to other Microsoft products like Microsoft Office, .NET framework and Windows Defender.
Updates are applied through the Windows Installed and a common file format is .msi or .exe.
Windows Installer performs the installation and places a record in the Windows Registry for each installed update.
vScope reads the registry on the target computer and finds all records of product updates. The latest timestamp for these updates is the source for the tags Last Product Update Date and Last Patch Date.
If any patch is missing the timestamp then vScope cannot reliably find the latest installed product update.
Third Party Updates
Updates to other software that do not utilize the Windows Installer subsystem will not be found by vScope.
Software can choose to keep a custom record of applied updates and there is no feasible way for vScope to keep track of all the locations possible.