Editor’s note 2/27/2024: We have clarified the sequence of actions under step 3 by bringing the screenshot below the call details.
We’re excited to announce significant enhancements to the Windows Update for Business deployment service catalog. Easily access granular details about Windows quality and feature updates with Microsoft Graph API. The two main improvements include:
- Greater detail about each update
- Wider spectrum of update types
In addition to the security updates, the catalog now includes monthly non-security updates and out-of-band updates, providing a comprehensive view of what’s available to you. Furthermore, each of these updates are accompanied by additional relevant KB references, CVE information, revision history, and other metadata!
Explore new metadata
Enhance your update management decisions with insights from expanded metadata. Ever had to search multiple sites for update classification, cadence, naming, vulnerabilities, or revision details? Now you can look all of it up in seconds in the Windows Update for Business deployment service catalog via Microsoft Graph API. Let’s see what’s new!
|
Note: To utilize the catalog and view all available metadata, please ensure that your tenant meets all of the prerequisite requirements of the Windows Update for Business deployment service. |
Update classification and cadence
The updated catalog introduces two new properties: qualityUpdateClassification and qualityUpdateCadence. Use these additions for a more refined understanding of each update released. The classification property helps categorize updates, distinguishing between security and non-security updates. The cadence property clarifies release frequency (i.e., monthly or out-of-band), allowing you to align your deployment strategies accordingly. To brush up on the various update types, see Windows monthly updates explained.
User-friendly naming convention
To facilitate easier association with each release, a user-friendly name has been introduced. For example, the August security release will now be labeled as "2023. 08B." Track and reference updates easily with this simplified naming convention.
CVE severity information
The catalog now includes crucial common vulnerabilities and exposures (CVE) severity information for each security release. With it, gain insights into the maximum severity rating and maximum score from CVSS (Common Vulnerability Scoring System). Additionally, you'll find details about exploited CVEs fixed under each release. To further investigate these specific CVEs, follow the provided URL to navigate to the corresponding Microsoft Security Response Center (MSRC) webpage. All other CVEs can be found here: Vulnerabilities - Security Update Guide.
Product revision details
In addition to CVE information, we have incorporated product revision details for each quality update. Access an expandable array of all OS builds with specific build revisions. This enables you to identify the update build revision and associated KB (knowledge base) article number. Furthermore, if you require additional information, you can find and follow a URL to the release notes of that KB article.
Try out sample queries
In order to view all new metadata added to the catalog, use the below Microsoft Graph API calls for monthly quality updates and for feature updates. Copy and paste them into the GET field in Microsoft Graph Explorer. If needed, refresh your memory on how to do this with Try Windows Update for Business with Microsoft Graph.
Feature updates
View all feature updates currently in support by running the below query in Microsoft Graph.
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry') |
Quality updates
Additional metadata has been added to the catalog for quality updates. Right now, the latest release available is the August monthly security release: “2023. 08B.”
Let’s view the new properties added to the catalog. Start by using the following request query:
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/qualityUpdateClassification eq 'Security'&$orderby=releaseDateTime desc&$top=1 |
Now, let’s walk through the response details to explore the new information about the August 2023 security update.
- Locate the release details, such as release name, date, and update type:
Screenshot of a portion of the response focused on the release details for the August security update
- Scroll down through the response to locate the CVE information, such as severity, number, and URL to read more:
Screenshot of a portion of the response focused on the CVE information for the August security update
- View new fields for all quality updates using the following query in MS Graph:
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc |
Keep scrolling to find product revisions and Knowledge Base article details. For all Windows OS versions in support the response will return the below:
Next, use the following sample queries to retrieve information about quality updates and to make operational decisions. Note: this information is available for updates released in or after January 2023.
- Show the non-security updates from the last 3 months:
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter= microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/qualityUpdateClassification eq ‘nonSecurity’&$orderby=releaseDateTime desc&$top=3 |
- Show the updates from the last 3 months that address exploited CVEs:
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter= microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves/$count gt 0&$orderby=releaseDateTime desc |
- Show the updates from the last 3 months where the highest CVE base score is at least 9.0:
|
Element |
Entry |
|
Request type |
GET |
|
URI |
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter= microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/maxBaseScore gt 9.0&$orderby=releaseDateTime desc |
In addition to these queries, you can use the standard OData filters and retrieve the required information about each release. Consult Query options overview - OData for additional information.
What this all means
Without Windows Update for Business deployment service, you have to look these details up in separate channels, such as:
- Windows release health
- MSRC - Microsoft Security Response Center
- Resolved issues in Windows 11, version 22H2
But you don’t have to! The enriched metadata in the Windows Update for Business deployment service catalog empowers you with comprehensive insights and streamlined access to critical update details. Track and manage updates more efficiently with the new classification and cadence properties, along with user-friendly naming conventions. The inclusion of CVE severity information and product revision details ensures a more informed approach to update deployment.
Check out the following resources to learn more:
Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.
