Windows IT Pro Blog

Enhance update management decisions with metadata and insights

Surabhi_Calla
Aug 29, 2023

Editor’s note 2/27/2024: We have clarified the sequence of actions under step 3 by bringing the screenshot below the call details.

We’re excited to announce significant enhancements to the Windows Update for Business deployment service catalog. Easily access granular details about Windows quality and feature updates with Microsoft Graph API. The two main improvements include:

  • Greater detail about each update
  • Wider spectrum of update types

In addition to the security updates, the catalog now includes monthly non-security updates and out-of-band updates, providing a comprehensive view of what’s available to you. Furthermore, each of these updates is accompanied by additional relevant KB references, CVE information, revision history, and other metadata!

Explore new metadata

Enhance your update management decisions with insights from expanded metadata. Ever had to search multiple sites for update classification, cadence, naming, vulnerabilities, or revision details? Now you can look all of it up in seconds in the Windows Update for Business deployment service catalog via Microsoft Graph API. Let’s see what’s new!


Note: To utilize the catalog and view all available metadata, please ensure that your tenant meets all of the prerequisite requirements of the Windows Update for Business deployment service.

Update classification and cadence

The updated catalog introduces two new properties: qualityUpdateClassification and qualityUpdateCadence. Use these additions for a more refined understanding of each update released. The classification property helps categorize updates, distinguishing between security and non-security updates. The cadence property clarifies release frequency (i.e., monthly or out-of-band), allowing you to align your deployment strategies accordingly. To brush up on the various update types, see Windows monthly updates explained.

User-friendly naming convention

To facilitate easier association with each release, a user-friendly name has been introduced. For example, the August security release will now be labeled as "2023. 08B." Track and reference updates easily with this simplified naming convention.

CVE severity information

The catalog now includes crucial common vulnerabilities and exposures (CVE) severity information for each security release. With it, gain insights into the maximum severity rating and maximum score from CVSS (Common Vulnerability Scoring System). Additionally, you'll find details about exploited CVEs fixed under each release. To further investigate these specific CVEs, follow the provided URL to navigate to the corresponding Microsoft Security Response Center (MSRC) webpage. All other CVEs can be found here: Vulnerabilities - Security Update Guide.

Product revision details

In addition to CVE information, we have incorporated product revision details for each quality update. Access an expandable array of all OS builds with specific build revisions. This enables you to identify the update build revision and associated KB (knowledge base) article number. Furthermore, if you require additional information, you can find and follow a URL to the release notes of that KB article.

Try out sample queries

In order to view all new metadata added to the catalog, use the below Microsoft Graph API calls for monthly quality updates and for feature updates. Copy and paste them into the GET field in Microsoft Graph Explorer. If needed, refresh your memory on how to do this with Try Windows Update for Business with Microsoft Graph.

Feature updates

View all feature updates currently in support by running the below query in Microsoft Graph.

Request type: GET
URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')

Screenshot of a portion of the feature update response

Quality updates

Additional metadata has been added to the catalog for quality updates. Right now, the latest release available is the August monthly security release: “2023. 08B.”

Let’s view the new properties added to the catalog. Start by using the following request query:

Request type: GET
URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/qualityUpdateClassification eq 'Security'&$orderby=releaseDateTime desc&$top=1

Now, let’s walk through the response details to explore the new information about the August 2023 security update.

  1. Locate the release details, such as release name, date, and update type:

    Screenshot of a portion of the response focused on the release details for the August security update
  2. Scroll down through the response to locate the CVE information, such as severity, number, and URL to read more:

    Screenshot of a portion of the response focused on the CVE information for the August security update
  3. View new fields for all quality updates using the following query in MS Graph:

    Request type: GET
    URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc

Keep scrolling to find product revisions and Knowledge Base article details. For all Windows OS versions in support, the response will return the below:

Screenshot of a portion of the response focused on product version and KB details for the August security update

Next, use the following sample queries to retrieve information about quality updates and to make operational decisions. Note: this information is available for updates released in or after January 2023.

  1. Show the non-security updates from the last 3 months:

    Request type: GET
    URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/qualityUpdateClassification eq 'nonSecurity'&$orderby=releaseDateTime desc&$top=3

  2. Show the updates from the last 3 months that address exploited CVEs:

    Request type: GET
    URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves/$count gt 0&$orderby=releaseDateTime desc

  3. Show the updates from the last 3 months where the highest CVE base score is at least 9.0:

    Request type: GET
    URI: https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/maxBaseScore gt 9.0&$orderby=releaseDateTime desc

In addition to these queries, you can use the standard OData filters and retrieve the required information about each release. Consult Query options overview - OData for additional information.
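To turn these queries into an operational decision, here is an added Python example (not Microsoft's code) that composes the OData filters shown above and triages a constructed sample response for releases worth expediting. Property names not quoted in the post (shortName, maxSeverity, knowledgeBaseArticle) are assumed from the Graph beta schema, and the CVE/KB ids and URLs are placeholders.

```python
import json

# Constructed sample shaped like a catalog response (two entries); shortName,
# maxSeverity and knowledgeBaseArticle are assumed names, ids/URLs placeholders.
SAMPLE = json.loads('''{"value": [
 {"shortName": "2023.08B", "releaseDateTime": "2023-08-08T00:00:00Z",
  "qualityUpdateClassification": "security", "qualityUpdateCadence": "monthly",
  "cveSeverityInformation": {"maxSeverity": "critical", "maxBaseScore": 9.8,
   "exploitedCves": [{"number": "CVE-0000-00000", "url": "https://example.invalid/msrc/CVE-0000-00000"}]},
  "productRevisions": [{"displayName": "Windows 11, version 22H2",
   "knowledgeBaseArticle": {"id": "KB0000000", "url": "https://example.invalid/kb/KB0000000"}}]},
 {"shortName": "2023.07D", "releaseDateTime": "2023-07-25T00:00:00Z",
  "qualityUpdateClassification": "nonSecurity", "qualityUpdateCadence": "monthly",
  "cveSeverityInformation": null, "productRevisions": []}]}''')

CATALOG = "https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries"
QUALITY = "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry"


def catalog_query(classification=None, exploited_only=False, min_score=None, top=None):
    """Compose the OData query the post shows, combining its three filters with 'and'."""
    clauses = []
    if classification:
        clauses.append(f"{QUALITY}/qualityUpdateClassification eq '{classification}'")
    if exploited_only:
        clauses.append(f"{QUALITY}/cveSeverityInformation/exploitedCves/$count gt 0")
    if min_score is not None:  # 'ge' so the threshold itself is included
        clauses.append(f"{QUALITY}/cveSeverityInformation/maxBaseScore ge {min_score}")
    parts = [f"$filter={' and '.join(clauses)}"] if clauses else []
    parts.append("$orderby=releaseDateTime desc")
    if top:
        parts.append(f"$top={top}")
    return CATALOG + "?" + "&".join(parts)


def triage(response, score_threshold=9.0):
    """Return releases to expedite: any exploited CVE, or max CVSS base score >= threshold."""
    flagged = []
    for entry in response["value"]:
        sev = entry.get("cveSeverityInformation") or {}  # null for non-security updates
        exploited = [cve["number"] for cve in sev.get("exploitedCves") or []]
        score = sev.get("maxBaseScore") or 0.0
        reasons = []
        if exploited:
            reasons.append("exploited: " + ", ".join(exploited))
        if score >= score_threshold:
            reasons.append(f"maxBaseScore {score}")
        if reasons:
            kbs = [r["knowledgeBaseArticle"]["id"] for r in entry.get("productRevisions", [])]
            flagged.append({"release": entry["shortName"], "reasons": reasons, "kbs": kbs})
    return flagged
```

Against a live tenant, `catalog_query(...)` is the URL to send (with a bearer token) and `triage()` takes the parsed JSON body.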

What this all means

Without Windows Update for Business deployment service, you have to look these details up in separate channels, such as:

But you don’t have to! The enriched metadata in the Windows Update for Business deployment service catalog empowers you with comprehensive insights and streamlined access to critical update details. Track and manage updates more efficiently with the new classification and cadence properties, along with user-friendly naming conventions. The inclusion of CVE severity information and product revision details ensures a more informed approach to update deployment.

Check out the following resources to learn more:



Updated Feb 27, 2024
Version 4.0
  • Thanks treestryder, the feature crew is planning to lower the required permissions for the catalog API and I can share more concrete dates with you for that as soon as we finish our planning.

  •
    treestryder
    Steel Contributor

    Thank you for the update.


    I will be eagerly looking forward to a day when that information is somehow made available via an API.


    And, as others have pointed out, it would be nice if it was available without authentication (or at least something easier to grant permission to than "ReadWrite.All").

  • treestryder thanks for the message, we currently only have client update management information and no content for servers. This is something we are investigating but we do not have any timelines at this point.

  •
    treestryder
    Steel Contributor

    I have had to create a custom report because Azure Update Manager does not currently highlight and give a count for devices an update behind and those multiple updates behind, like Windows Update for Business reports.

    To do this, I parse 

    https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info 

    to create a lookup table between the server's version numbers and the availability date of its last successfully applied update. Is it possible to get a list of version numbers and their release dates of server updates with this API (or will it be possible)?


    Using "/admin/windows/updates/catalog/entries" I can come close; however, it seems to only contain workstation entries. At least, I do not see entries for server.


    Thanks in advance.

  • Otherwise, this is a very welcome addition, which makes scenarios such as "Warn me if an update appears with CVSS > X and expedite it to Rings 1-N" possible without additional 3rd party tools! Now that the API is in place, waiting for Intune and Autopatch to implement it 🙂

  • What I don't understand is why this *read-only* URI is protected with a WindowsUpdates.ReadWrite.All permission that requires Admin consent.

    This violates the principle of minimal privilege and opens potential exploits in the future. Is there no WindowsUpdates.Read.All permission? (Even if there isn't one, it should be created and used - this is a standard practice for Graph API).