fleet
fleet copied to clipboard
fleetdm
Windows VM enrolled in Fleet not getting any data from windows_update_history or windows_updates tables
Fleet version:
Fleet 0.0.0-SNAPSHOT-825e785 • Go go1.21.7
Web browser and operating system:
Google Chrome Version 125.0.6422.61 (Official Build) (arm64)
macOS 14.4.1 (23E224)
Parallels Desktop 19 for Mac Version 19.3.1 (54941)
Windows VM in Parallels:
Windows 11 Pro 23H2 22631.3447
💥 Actual behavior
-
WIndows VM is enrolled: https://dogfood.fleetdm.com/hosts/987 name: BROCK-WIN
-
Refetched host details
-
Restarted
-
Checked Settings > Windows Updates
- Verified computer has pending updates & update history
🧑💻 Steps to reproduce
- Run the following queries on this Host:
select * from windows_update_history;select * from windows_updates;
Neither query returns any results.
🕯️ More info (optional)
If these queries have special requirements (like a mandatory WHERE cluase, etc.) they aren't documented.
Do other Windows hosts behave the same way?
Windows updates unseen, In the cloud's glass city shines, Fleet's hand guides unseen.
Tried again this morning. Windows update completed even though I paused. windows_update_history now shows results. windows_updates shows nothing because it updated. [sigh...] Perhaps this is Windows problem where the way we are collecting data will not return history if there are pending updates?
@nonpunctual Reminder to include the Fleet version in all bug tickets, as it impacts how they are triaged. If it's unreleased, it's a release blocker.
Updated with dogfood version. The data started coming through via windows_update_history but not until hours after the updates were complete. Now that my Windows VM is updated I can't really test windows_updates table but neither table was returning data with updates pending.
context around the purpose of windows_update_history https://github.com/osquery/osquery/issues/7405
So @mostlikelee are you saying what I am seeing is expected behavior unless we implement what's in the other issue you linked? Thanks.
That was just to add some context for the assignee. Based on the table description, it sounds like a bug in osquery or possibly in Windows. That table is calling a Windows API as opposed to the patches table which queries updates from WMI.
@nonpunctual
In my testing, the windows_updates table did not return results while updates were downloaded/installed. It is using the IUpdateSearcher::Search API, which wasn't returning anything. It did return entries after critical updates were installed. So, that's how the table works. We did not design or thoroughly test this table. Perhaps this table and others like it should be documented as BETA?
windows_update_history seems to be working for me. I don't think there is anything we have to fix here.
Do you agree?
-
Yes, obviously I think we should test them more before they are added but there is also value in getting tables in as fast as possible (e.g., the parse_json, parse_ini tables languished WITHOUT being added because no one thought they would be useful to customers. It wasn't until I asked about them that they were "unhidden".)
-
Since I am looking at the table docs I am happy to help with this but it also seems like it should be a normal QA function or something that could be added to automated tests (ie, QAWolf runs the example query for all newly-added tables or something.)
-
My specific issue I am not sure lines up with what you experienced:
windows_updates is supposed to show pending updates
windows_update_history is supposed to show installed updates
When I made this issue my Win VM had both: updates that I had installed (so they should have shown in history) & updates that were pending. Neither table returned anything. After the pending updates were installed, many hours later I then had data returned in windows_update_history.
This could be a Windows problem. I don't know if it's an osquery problem nor do I know how to test if it is.
Thanks.
Windows updates unseen, Fleet now bridges the gap, Clarity, pristine.