
Windows Server/Workstation Inspector | Clarification on Mandatory & Non-Mandatory updates

Updates, Windows Server, Windows Workstation, Mandatory Updates, Non-Mandatory updates, Available updates, Updates Metric, Security

Updated over 2 weeks ago

Summary 🔖

Liongard’s Windows Server and Workstation inspector reports available Windows updates from the host OS APIs. The IsMandatory flag in the collected AvailableUpdates array is not a Liongard decision; it is metadata provided by the Windows Update subsystem (WUA / WSUS / Intune / Windows Update for Business). Whether an update is considered “mandatory” depends on how it was published, approved or targeted (e.g., WSUS approvals, Intune update rings, Windows Update for Business deadlines), and how the Windows Update Agent exposes that information to user-land tools.

If IsMandatory appears false for an update you expected to be mandatory, the usual causes are: the update was not published/approved as mandatory at your patch-management layer, it has not been targeted to that device yet, or the underlying Windows API did not mark it as mandatory (so Liongard displays what the OS reported).

Reference Images (From Liongard Platform)

  1. From System Details page: [image]

  2. Within Data Print: [image]


Quick check: what IsMandatory means 🤔

IsMandatory is a Boolean value in the Windows update metadata that signals whether the update was marked as required by the publishing/management system (WSUS, Intune, Microsoft Update service, or via Windows Update for Business policies). Liongard simply displays the update metadata returned by the host Windows Update APIs.

  • If the host OS / management server reports the update as mandatory → Liongard will show IsMandatory: true.

  • If not → Liongard will show IsMandatory: false.

(You can confirm how your environment publishes/approves updates in WSUS, Intune, or your update-management tooling — links below.)


Why this can be confusing (common scenarios) 😵‍💫

  1. WSUS vs. Windows Update for Business vs. Intune
    Each system sets update metadata differently. An update that’s “required” in Intune (deadline set) may not appear “mandatory” in WSUS if WSUS approval isn’t set the same way. See Microsoft docs:

  2. Targeting vs. global approval
    An update can be approved globally in WSUS but not targeted to the device group that contains the workstation, so the workstation sees it as available but not “mandatory”.

  3. Deadline vs. optional installs
    Intune / Windows Update for Business can set a deadline for an update; the presence of a deadline typically makes the update mandatory for target devices. If there’s no deadline, IsMandatory may be false even though the update is available.

  4. Timing / replication / caching
    Update metadata changes (e.g., marking an update mandatory) may take time to propagate. The Windows Update Agent reports what it currently knows — if you change approval/targeting, the host may need to check-in or the update client may need to refresh before the change appears.

  5. Third-party updates / driver firmware
    Many vendor-supplied driver/firmware updates are distributed differently and may not be marked “mandatory” by the publisher (regardless of your management settings).


How Liongard determines IsMandatory 🦁

  • Liongard collects update information by calling the host's Windows update APIs (the same underlying data the OS and SCCM/WSUS/Intune use). We do not compute “mandatory” ourselves; we present the IsMandatory value returned by the agent’s local update query.

  • If the Windows update subsystem reports IsMandatory: true, Liongard shows it as mandatory. If the subsystem reports false, Liongard shows false.


How to validate the IsMandatory value yourself on the endpoint 🔎

Run these commands on the endpoint (the machine that shows the update) or on a management server (WSUS) as appropriate.

1) Quick check in Liongard

  • Go to the Server/Workstation inspector for the host in Liongard.
    Navigate to Admin > Inspectors > Select Inspector type > Select the host > On System Details page select Updates/Patches

  • Check the Available updates data (Is Mandatory Column)

Why this helps: shows exactly what Liongard received from the agent.

2) Check the local Windows Update Agent on the server/workstation

On the target machine (PowerShell elevated), query the WUA using PowerShell or the Windows Update client logs:

PowerShell (example: query available updates with the WUA COM API):

    # Enumerate updates the client sees (uninstalled/pending)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $results  = $searcher.Search("IsInstalled=0")   # pending/available updates

    foreach ($u in $results.Updates) {
        [PSCustomObject]@{
            Title        = $u.Title
            IsMandatory  = $u.IsMandatory
            Deadline     = ($u.Deadline -as [string])
            MsrcSeverity = $u.MsrcSeverity
        }
    }

This prints the same IsMandatory and Deadline metadata the agent uses.

Note: the Windows Update COM object exposes IUpdate properties; IsMandatory and Deadline are properties available there. If PowerShell returns no results, the system may not have any pending updates.

3) WSUS server (if you use WSUS)

On the WSUS server (server-side), you can list approvals and target groups:

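    # Requires the UpdateServices module on the WSUS server
    Import-Module UpdateServices
    $wsus = Get-WsusServer -Name "wsus-server-name" -PortNumber 8530
    # Title, classification title, IsApproved and CreationDate live on the nested Update object
    Get-WsusUpdate -UpdateServer $wsus |
        Where-Object { $_.Update.UpdateClassificationTitle -in @("Security Updates", "Critical Updates") } |
        Select-Object @{ Name = 'Title'; Expression = { $_.Update.Title } },
                      UpdateId,
                      @{ Name = 'IsApproved'; Expression = { $_.Update.IsApproved } },
                      Classification,
                      @{ Name = 'CreationDate'; Expression = { $_.Update.CreationDate } }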

Why: WSUS approvals / target group settings can make updates required for clients. Use WSUS to verify server-side approvals and deadlines.

4) Intune / MEM (if managed by Intune)

  • Check update ring configuration in Microsoft Endpoint Manager > Devices > Windows > Update rings.

  • If an update ring has a deadline, that deadline will appear on clients and will be enforced.

Why: Intune-set deadlines create client-side enforcement. Liongard displays the deadline in the Deadline field, and an update with a deadline may effectively become mandatory.
Reference: https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings

5) SCCM / ConfigMgr or other management systems

  • In ConfigMgr check the deployment status and whether the deployment is "Required" or "Available".

6) Edge cases & additional causes

  • Some vendor firmware/driver updates appear with IsMandatory:false by design. Confirm publisher intent.

  • If update metadata is malformed or the client cannot parse targeting metadata, it may appear non-mandatory.

  • If the device is offline or blocked by policy, metadata may be out-of-date.


Troubleshooting checklist (if you find any discrepancy in reporting) 📋

  1. Check Liongard’s raw output: open the Server / Workstation inspector and check the status of AvailableUpdates on the System Details page or via Data Print.

  2. Run the PowerShell client check (script above) on the endpoint to validate the same properties locally.

  3. Check management system:

    • WSUS: verify approval/targeting and whether WSUS is forcing the update to clients.

    • Intune: verify update ring deadlines.

    • SCCM: verify deployments/required vs available.

  4. Check the Deadline field: even if IsMandatory=false, a non-null Deadline means the update will be enforced at the set time.

  5. If IsMandatory=true appears unexpectedly: verify whether the update is a servicing stack or agent update (those are sometimes forced by Microsoft). Also confirm there’s no third-party MDM policy setting deadlines.
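
Checklist step 4 as an added PowerShell example (not Liongard's code): it labels each update record by reading IsMandatory, Deadline and MsrcSeverity together, so an update with IsMandatory=false but a deadline or a high severity is not read as optional. The function name Get-UpdateTriage, the Status labels and the sample records are assumptions made for illustration; real input would be the objects returned by the WUA query in step 2.

```powershell
# Added example. Get-UpdateTriage and its Status labels are hypothetical names.
# Input: objects with Title, IsMandatory, Deadline and MsrcSeverity properties.
function Get-UpdateTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Update
    )
    process {
        # A non-empty Deadline means the management layer will enforce the install.
        $hasDeadline  = -not [string]::IsNullOrWhiteSpace([string]$Update.Deadline)
        # MsrcSeverity is empty for many non-security updates.
        $highSeverity = $Update.MsrcSeverity -in @('Critical', 'Important')

        if ($Update.IsMandatory -eq $true) {
            $status = 'Mandatory'
        } elseif ($hasDeadline) {
            $status = 'DeadlineEnforced'
        } elseif ($highSeverity) {
            $status = 'HighSeverityNotEnforced'   # needs review: not forced, still important
        } else {
            $status = 'Optional'
        }

        [PSCustomObject]@{
            Title        = $Update.Title
            Status       = $status
            IsMandatory  = $Update.IsMandatory
            Deadline     = $Update.Deadline
            MsrcSeverity = $Update.MsrcSeverity
        }
    }
}

# Constructed sample records (not real update data), one per outcome.
$sample = @(
    [PSCustomObject]@{ Title = 'Sample A (constructed)'; IsMandatory = $true;  Deadline = $null;        MsrcSeverity = '' }
    [PSCustomObject]@{ Title = 'Sample B (constructed)'; IsMandatory = $false; Deadline = '2030-01-15'; MsrcSeverity = 'Moderate' }
    [PSCustomObject]@{ Title = 'Sample C (constructed)'; IsMandatory = $false; Deadline = $null;        MsrcSeverity = 'Critical' }
    [PSCustomObject]@{ Title = 'Sample D (constructed)'; IsMandatory = $false; Deadline = $null;        MsrcSeverity = '' }
)

$sample | Get-UpdateTriage | Format-Table Title, Status, Deadline, MsrcSeverity -AutoSize
```

On an endpoint, pipe the output of the step 2 query into Get-UpdateTriage in place of $sample.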


Recommended Metric Examples (ready-to-use Liongard queries for different goals) 🤩

Goal A — List all available mandatory updates (by Title)

AvailableUpdates[?IsMandatory == `true`].Title

Goal B — Full details for mandatory updates (Title + Deadline if present)

AvailableUpdates[?IsMandatory == `true`].{Title: Title, Deadline: Deadline, SupportUrl: SupportUrl, Description: Description}

Goal C — Show only firmware/driver updates that are mandatory

AvailableUpdates[?IsMandatory == `true` && Type == 'Driver'].{Title: Title, IsMandatory:IsMandatory, Description: Description}

Goal D — All available updates with IsMandatory flag (good for audits)

AvailableUpdates[].{Title: Title, IsMandatory:IsMandatory, Deadline: Deadline, IsMandatorySource: Source}

(Note: Source depends on what the agent collected; not every update contains a Source field.)

Goal E — Device-level actionable alert example (trigger only if device has >= 1 mandatory update)

length(AvailableUpdates[?IsMandatory == `true`]) > `0`

Goal F — Patch-compliance report: count mandatory updates per device

{Device: DeviceName, MandatoryCount: length(AvailableUpdates[?IsMandatory == `true`])}

Helpful links 🔗

Please note: We are happy to provide our partners with vendor links as an additional resource. Liongard is not liable for the content or accuracy of any third-party resources. We simply want to assist you in navigating the process and kindly remind you to access these links at your own discretion. Thank you for your understanding!


FAQs 🙋

  1. Question : If Liongard shows IsMandatory=false, is the update optional?
    Not necessarily. It can still be critical/important. IsMandatory=false only reflects that Windows did not flag the update in the client metadata as “mandatory.” Use MsrcSeverity and Deadline too.

  2. Question : Can Liongard change IsMandatory?
    No. Liongard only reads and displays the value reported by the endpoint.

  3. Question : My environment uses WSUS/Intune. Which field matters most?
    In general Deadline and severity matter most for centrally-managed environments. Deadlines indicate management-enforced install dates.


Contact Support 🧑‍💻

If you have any questions or experience issues, please reach out to Liongard Support. We are happy to assist in any way possible!