Incomplete Updates check

Applies To: Forefront Client Security

The Incomplete Updates SSA check determines whether the scanned computer has a software update installed that requires a system restart that has not taken place. The update may not be providing the intended protection until the restart occurs.

This check takes advantage of an improvement found in Update.exe version 6.1.22.0. The installer uses the following registry key to indicate when a restart is required after installation or removal of a software update such as a security update, critical update, or hotfix:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile

This SSA check uses the UpdateExeVolatile registry key to identify when an update is in an incomplete state. However, updates using an older version of the installer do not use this registry key. For more information about Update.exe and the improvement used by this check, see Description of the new features in the package installer for Windows software updates (https://go.microsoft.com/fwlink/?linkid=45291).

This SSA check also does not evaluate updates packaged using Windows Installer, but the check can sometimes use the following registry key to determine whether a restart is required. If this key exists and has files listed within it, a restart is pending:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Resolutions for potentially unacceptable scores

In general, it is recommended that a computer be restarted immediately following the installation of security updates, both for protection and stability of the system.

Review the results message associated with the score. If the message indicates that a restart is required to complete an update, restart the scanned computer.

Scoring and results

The following table shows how Client Security determines the score resulting from performing this check. You can use the results message for each score to determine the recommended resolution.