How do I prove that all available windows security updates are installed on a Windows 10 workstation?

Question

If I have a Windows 10 workstation, I can use something like wmic qfe list or Get-Hotfix to show all the installed updates on that system. How can I prove, that the list of updates installed, are really all that is a available to be installed? I'm running into questions from compliance about how do I know Windows hasn't screwed up when it says there are no other available updates and how can I match a master list of available updates against a list of what's installed. Thanks for the help.

Answer 1

The Microsoft Security Update Guide can be used to acquire a list of security KB articles indicating security updates for a specific windows build.

Almost all security updates installed on the system are part of a Latest Cumulative Update (LCU).

By searching the KB articles found in the Security Update Guide, against the Microsoft Update Catalog a list of all cumulative update patches, that have been replaced by other cumulative update patches can be found. In this way, a specific KB article mentioned in the Microsoft Security Update Guide can be traced back to a current cumulative update.

When querying Windows 10 for hotfixes using wmic qfe list or Get-Hotfix the behavior appears to be to only list the latest cumulative update package installed.

Answer 2

You can refer to the offical product documentation: https://docs.microsoft.com/en-us/windows/release-information.

Unfortunately, it seems to be quite difficult to find a list of all minor updates apart from major product releases; however, there are several unofficial pages which track them, such as this one: https://pureinfotech.com/windows-10-version-release-history.

There is also the Microsof Update Catalog (https://catalog.update.microsoft.com), where you can look up all available updates for a given Windows version; but you need to pinpoint a specific Windows 10 release. F.e. if you search for "Windows 10 1903" (current version), this is what you get: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=windows%2010%201903.

Generally speaking, the latest cumulative update for a given Windows 10 release should include all previous updates; but some updates are released outside the CU line and need to be applied separately.