Windows 10 - BigFix Patching Out of Sync with Windows Update?

I haven’t really dug deep into this yet, but will be looking to collect more info. I wanted to post this to see if others may be seeing something similar. I’m using Windows 10 in my example because I don’t recall these symptoms in Windows 7.

On 6/21 I successfully deployed patches via BigFix to my Windows 10 endpoint (of category Critical and Security). Today (6/29), I ran Windows Update and was surprised to see it finding many of those updates (the same or similar I can’t say at this time). I also noticed that the BigFix patches weren’t shown in the History of Windows Updates. That’s where I am now.

My belief is that Windows Updates looks at its own database to see if a patch has been installed which may not represent what is actually installed. Would it also be bad enough to then download the same patch and only find out it was already installed after it kicks it off? I’ve exported my Application Event Log which shows installs from both of those dates and am trying to compare, but the descriptions don’t seem to be like for like, so I need to do more digging.

What I want to prevent is people running Windows Updates, seeing that Critical/Security patches are missing, and then complaining to me that BigFix isn’t doing its job…

UPDATE:

Here is what I installed via BF on 6/21 (none show in Windows Update History):

  • MS17-JUN: Security Update for Adobe Flash Player - Windows 10 Version 1703 - Adobe Flash Player - KB4022730 (x64)
  • MS17-JUN: Security update for Office 2016 - Office 2016 - KB3178667 (x64)
  • MS17-JUN: Security update for Office 2016 - Office 2016 - KB3191882 (x64)
  • MS17-JUN: Security update for Outlook 2016 - Outlook 2016 - KB3191932 (x64)
  • MS17-JUN: Security update for Office 2016 - Office 2016 - KB3191943 (x64)
  • MS17-JUN: Security update for Office 2016 - Office 2016 - KB3191944 (x64)
  • MS17-JUN: Security update for Word 2016 - Word 2016 - KB3191945 (x64)
  • MS17-JUN: Security update for Office 2016 - Office 2016 - KB3203383 (x64)

Here is what Windows Update found on 6/29:

So there are no KB matches between the two, so I suspect I need to do more digging.

2 Likes

I have a “relevant” fixlet that will do a check for windows updates and save the results to a file and an analysis that will report on the results:

The Windows Update history should only show what was actually installed with Windows Update, but that doesn’t mean the patch is missing. If you do a check for updates and Windows Update shows results, then that means the Windows Update Agent thinks they are missing and applicable, which is a more significant indicator.

2 Likes
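The distinction drawn in the reply above (history versus a live applicability scan) can be checked directly against the Windows Update Agent COM API. This is an added example, not the fixlet or analysis the poster refers to; the KB numbers are the ones listed in the first post, and the output column names are made up for illustration.

```powershell
# Added example: compare KBs deployed by another tool against what the
# Windows Update Agent (WUA) reports. Not the fixlet from this thread.
# KB numbers below are the ones the first post lists as deployed via BigFix on 6/21.
$deployedKBs = '4022730','3178667','3191882','3191932',
               '3191943','3191944','3191945','3203383'

# The search uses the machine's configured update source (WSUS or Microsoft
# Update) and needs network access to it. Office updates are only evaluated
# when the source covers other Microsoft products, not just Windows.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# 1. Live scan: updates WUA currently evaluates as applicable and not installed.
$missing    = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$missingKBs = foreach ($u in $missing) { foreach ($kb in $u.KBArticleIDs) { $kb } }

# 2. WUA history: only records installs that went through WUA itself.
$count   = $searcher.GetTotalHistoryCount()
$history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

# One row per deployed KB (column names are illustrative).
$report = foreach ($kb in $deployedKBs) {
    [pscustomobject]@{
        KB                = "KB$kb"
        StillOfferedByWUA = $missingKBs -contains $kb
        InWUAHistory      = [bool]($history | Where-Object { $_.Title -match "KB$kb" })
    }
}
$report | Format-Table -AutoSize

# Anything WUA still offers, with Microsoft's severity rating where one is set.
foreach ($u in $missing) {
    '{0,-10} {1}' -f $u.MsrcSeverity, $u.Title
}
```

A KB with `StillOfferedByWUA = False` and `InWUAHistory = False` is the expected result for a patch installed outside Windows Update: absent from history, but no longer evaluated as missing.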

Thank you. I’ve run the Fixlet you provided on a few systems and have the Analysis running. I’ll see what those results show and if this will be helpful at all.

Confirmation that Windows Update History only shows history deployed via Windows Update is helpful (I’ll assume SCCM uses Windows Updates so history would show correctly in that case).

Most important is that fixlets deployed via BigFix do not show relevant when running Windows Updates. My initial test shown above so far shows that this is true.

1 Like

There are many reasons for patching not showing. It is a gathering issue, or a firewall/proxy change when you update Windows. So you need to check these things to solve your issue.