Context
The “Windows Update” feature centralizes, supervises, and automates the deployment of Windows patches across your entire IT infrastructure.
It provides a comprehensive view of the update status detected on each agent via an "Update Status" list, with the option to manually launch installations or exclude specific updates using a blacklist. This exclusion list allows one or more updates to be set aside so they are not deployed automatically.
A deployment history lets you trace all performed updates, whether they originate from the RG agent or third-party tools (such as Windows or other management solutions).
Lastly, a dedicated tab for creating automation rules allows for the scheduling of recurring deployments, thus facilitating proactive maintenance of your Windows environment. This new feature aims to offer precise, secure, and automated control of the update lifecycle on your devices.
Access
To access the “Windows Update” feature:
Select the node or agent on which you wish to manage Windows updates.
In the left-hand menu, navigate to the “Action” section.
Click on “Windows Update” to open the Windows update management interface.
View Windows Updates
The "Update Status" page is the central hub for viewing available Windows updates on the agents in your network. It provides a detailed, clear, and up-to-date overview of all detected updates, whether on a specific agent or globally from a node.
Available actions include:
Targeted or Group Deployment: Select one or more updates to initiate their installation. The deployment process can be tracked in real time until completion, after which the update is automatically added to the history.
Blacklist: Exclude one or more updates to prevent their automatic deployment, while still having the option to reintegrate them later.
Multi-selection: Increase efficiency by applying actions (deployment, blacklist) to several updates in a single operation.
Direct Access to Automation Rules: View and adjust automatic deployment rules from the same interface to dynamically adapt your patch management strategy.
It may happen that some Windows updates are displayed multiple times with exactly the same name and version number.
For example:
Intel System – 3.1.0.4586 may appear twice in the list of available updates or be present both in the update history and in the list of available updates.
These may be separate update packages. The difference lies in the Windows GUID (Globally Unique Identifier), which is different for each package.
Reminder: the GUID is the reference element used to uniquely identify an update, regardless of its name or version.
The display of multiple updates with the same name and version is related to the distribution and packaging choices made by publishers (OS updates, hardware manufacturers, and driver vendors).
1. Differences in prerequisites or dependencies
Two updates may include the same core driver, but:
With or without an additional component,
With different prerequisites already present or not on the machine,
Or with alternative installation rules (full installation vs incremental installation).
In this case, Windows offers multiple functionally equivalent updates that are technically different.
2. Internal fixes without visible version changes
Vendors may republish an update in order to:
Fix a packaging issue,
Adjust Windows Update deployment rules,
Improve hardware detection,
Or modify the installation process.
These adjustments do not always result in a name change or a version increment. However, since the package itself is different, the GUID changes, which creates a visual duplicate in Windows Update.
Key takeaways:
Seeing the same update listed multiple times is not an error
The name and version are not sufficient to uniquely identify an update
The Windows GUID is the reliable indicator to confirm that these are indeed different packages
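To see the GUIDs behind such visual duplicates directly on an agent, the following added example (not part of the RG product or its script library) queries the local Windows Update Agent and lists every pending update whose title appears more than once with a different GUID. It assumes the update title carries the name and version shown in the list.

```powershell
# Added example: find pending updates that share a title but are different packages.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = $false   # reuse the locally cached scan results, no network call

$result = $searcher.Search('IsInstalled=0')

$updates = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        UpdateID = $u.Identity.UpdateID          # the GUID that identifies the package
        Revision = $u.Identity.RevisionNumber
        Type     = if ($u.Type -eq 2) { 'Driver' } else { 'Software' }
    }
}

# Group by title and keep only groups that contain more than one distinct GUID.
$duplicates = $updates |
    Group-Object -Property Title |
    Where-Object { @($_.Group.UpdateID | Sort-Object -Unique).Count -gt 1 }

if (-not $duplicates) {
    'No title is listed with more than one GUID.'
}
foreach ($group in $duplicates) {
    "Same title, different packages: $($group.Name)"
    $group.Group | Format-Table UpdateID, Revision, Type -AutoSize | Out-String
}
```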
Exclude Windows Updates
The "Blacklist" page allows you to view and manage all Windows updates excluded from automatic deployment.
It plays a key role in controlling patch distribution by allowing you to temporarily or permanently pause certain updates deemed non-priority, unstable, or incompatible with your environment.
The blacklist is based on an intelligent inheritance system:
Each agent inherits the configuration defined at the root of the hierarchy by default. However, this inheritance can be disabled at any level (node or individual agent), enabling the creation of a specific blacklist for a particular context. This provides maximum flexibility in managing exclusions, taking into account the technical or organizational needs of each segment of your infrastructure.
Main available actions on this page include:
Disable inheritance to customize the blacklist locally.
Remove an update from the blacklist to make it eligible again for automatic deployment.
Multi-selection for efficiently managing multiple updates in one go.
The "Blacklist" page is designed to give you fine-grained, contextual control over your update strategies while ensuring overall consistency in your patch management.
⚠️ Important:
To ensure Windows updates are not carried out locally on your machines, please execute the following scripts on the relevant agents:
Disable Windows Update via Local GPO
Check Local Windows Update GPOs
These scripts apply GPOs (local or domain group policies). Implementing GPOs is mandatory to prevent automatic update deployments on workstations. Without this configuration, Windows will continue to launch updates autonomously.
Accessing scripts in RG:
Action > Custom Script > Create a Custom Script > Script Library > Community
There, you’ll find templates for the two scripts to apply.
Note:
If domain-level GPOs are already applied, they will override the local GPOs configured by these scripts.
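A read-only way to confirm on an agent that Windows will no longer update autonomously, as an added example (this is not the RG library script "Check Local Windows Update GPOs", whose content is not shown on this page). It assumes the standard Windows Update policy registry key with its NoAutoUpdate and AUOptions values; the function name is hypothetical.

```powershell
# Added example (hypothetical helper, not the RG library script).
# Local and domain GPOs both write Windows Update policy to this key, so the
# values read here are the effective ones whichever source applied them.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicyState {
    param([string]$Path = $AuPolicyKey)

    $noAutoUpdate = $null
    $auOptions    = $null
    if (Test-Path -Path $Path) {
        $values       = Get-ItemProperty -Path $Path
        $noAutoUpdate = $values.NoAutoUpdate
        $auOptions    = $values.AUOptions
    }

    # NoAutoUpdate = 1 turns automatic updating off.
    # AUOptions: 2 = notify before download, 3 = download and notify,
    #            4 = download and install on schedule, 5 = local admin chooses.
    $verdict = if ($noAutoUpdate -eq 1) {
        'OK: automatic updates are disabled by policy'
    } elseif ($auOptions -eq 2) {
        'PARTIAL: Windows only notifies, but a local user can still install'
    } else {
        'NOT PROTECTED: Windows can still download or install updates on its own'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        PolicyKeySet = (Test-Path -Path $Path)
        NoAutoUpdate = $noAutoUpdate
        AUOptions    = $auOptions
        Verdict      = $verdict
    }
}

Get-AutoUpdatePolicyState | Format-List
```

To see whether the values come from a local or a domain GPO, run `gpresult /r /scope computer` on the agent and review the applied Group Policy Objects.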
Windows Update History
The History page allows you to view all Windows updates actually deployed on your machines. Accessible from a node or a specific agent, it offers complete traceability of all patch deployment actions, whether performed by the RG agent or a third-party tool.
Each detected and installed update is recorded in the history, along with key data to ensure fast and relevant analysis:
Update severity (important, optional, critical, etc.)
Deployment date
Update type (security, cumulative, feature, etc.)
Unique update ID
Deployment source: via the RG System agent or a third-party source (such as Windows Update or another patch management solution)
This page serves as a reliable and centralized reference for validating deployments, verifying machine compliance, and facilitating security audits. The history is an essential tool for maintaining a precise record of all update-related actions, regardless of the source.
Automation Rules
The Automation Rules page centralizes all automatic Windows update deployment rules configured on a node or specific agent. It simplifies the viewing, editing, or creation of automation rules directly from the update management interface.
This feature allows you to implement an effective and tailored deployment strategy for your infrastructure by scheduling update installations according to precise criteria:
Update type (software or driver)
Severity (optional or critical)
Agent type (workstation or server)
Frequency: one-time or recurring, depending on your network needs
With this interface, you ensure continuous and controlled compliance while reducing the operational load of manual patch management.
This new dedicated view complements the standard access via the dashboard menu:
Configuration > Automation, offering quicker and more intuitive contextual navigation when analyzing or managing Windows updates.