Creating Windows Cumulative Update Groups

When leveraging PDQ Connect to deploy Windows monthly cumulative updates, you may wish to have increased visibility on the installation status of those patches. This guide will cover how to create groups in PDQ Connect that display if a machine is current or out of date with cumulative updates. 

Using Variables in Filters

PDQ Connect supports many of the same pre-built variables as PDQ Inventory. These are maintained by PDQ and updated each month to reflect the latest hotfix name and OS versions. Using variables will ensure that you do not have to update the filters each time a new cumulative update is released. 

To add a variable, click "Create group" from the Devices tab to begin adding filters. You will notice an (x) in the far-right value field.

Clicking the (x) will open a list of prebuilt variables that can be used in place of manually entering a static value. 

Note: You can see the value of a variable by hovering over the variable in the list. We recommend always checking the value to ensure you are using the correct variable. 

You can see by scrolling through the list that there are hundreds of existing variables. For the purpose of this guide, we will be looking at variables that display the following information:

  1. The latest Hotfix name for a specified Windows release (The KB number)
  2. The latest OS Version for a specified Windows release (The version number)

In order to support the different versions of Windows that you may be creating groups for, there is a need to maintain multiple variables. To make it easier to identify which variables belong to which OS, we have standardized the naming conventions. Variables that represent the KB number of a cumulative update are prefixed with HFName, followed by the OS version (Windows 10, Windows 11, etc.) then the build release (22H1, 22H2, etc.). For example:

  • $(HFName1022H2MonthlyLatest) = Windows 10 build 22H2 latest cumulative update (E.g. KB5027215)
  • $(HFName1122H2MonthlyLatest) = Windows 11 build 22H2 latest cumulative update
  • $(HFName2022MonthlyLatest) = Windows Server 2022 latest cumulative update

Likewise, OS Version variables follow a similar naming scheme, except they will be prefixed with OSVerWin instead of HFName. 

  • $(OSVerWin1022H2Latest) = Windows 10 build 22H2 latest version number (E.g. 10.0.19045.3086)
  • $(OSVerWin1122H2Latest) = Windows 11 build 22H2 latest version number 
  • $(OSVerWin2022Latest) = Windows Server 2022 latest version number

Creating Cumulative Update (Old) Groups

Now that we understand how variables work, we can begin building our cumulative update groups. Let's begin by creating a group that displays machines running Windows 10 build 22H2 that do not have the most recent cumulative update installed. The following screenshot illustrates how this would be configured. 

In our example above, the first two filters specify which version of Windows the group will contain. The third and fourth filters will determine if the OS is missing the latest cumulative update. We are using both the OS version and the Update title variables because occasionally the latest KB may not be visible, but the OS version will be up to date and vice versa. 

The same structure can be used to show outdated machines on other versions of Windows. If we wanted to build the same group for Windows 11 machines on build 21H2, the group would be modified as shown below. 

Creating Cumulative Update (Latest) Groups

Groups that display machines that are current with cumulative updates will use the same variables but with a slightly different arrangement. We already touched the reason that we use two different variables to determine if the OS is outdated. To expand on that further, the following circumstances will warrant the need to look at both:

  1. The OS version is accurate, but the latest KB is not visible - This can occur when a machine has just been updated to the latest build of Windows. In this case, there will be no cumulative updates listed under the Windows update history because it is pre-installed into the build instead of applied as a patch. 
  2. The OS version outdated but the latest KB is visible - This can happen when a machine has recently had the latest cumulative update installed but is pending a reboot. 

That being said, a group that would display machines with the most recent cumulative updates installed would be constructed as follows. 

This layout uses filter groups to separate the OSVer and the HFName variables using an OR condition. This makes sure that if either one of those conditions are true, the machine will be properly identified as up to date. Filter groups may be created using the Add filter group button on the group creation page.

Structuring Your Groups

Arranging groups is a matter of personal preference. We recommend creating a folder for each major version of Windows such as Windows 10 and Windows 11. Inside each major version folder, create subfolders for the minor versions like 21H2 and 22H2. From there, you can then create a "latest" and "old" group to display current and outdated machines respectively. Below is a screenshot of how this structure would look in PDQ Connect. 

Again, this is only one example and you can arrange the groups however you see fit. You may wish to use "Cumulative updates (old)" and "Cumulative updates (latest)" as your top-level folders, and then break out the subfolders by the different versions of Windows.

In any case, you now have the knowledge to build your own groups for immediate visibility on the installation status of Windows cumulative updates!


Was this article helpful?
Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.