FortiClient
jie
Staff
Article Id 398053
Description This article describes how EMS checks the client's Windows OS version when it tags the client.
Scope FortiClient EMS, FortiClient.
Solution

Once EMS ZTNA tags are configured to check the Windows OS version and update status, FortiClient retrieves the information from the Windows Event log. It looks in Event Viewer for the most recent event ID 19 or 216 containing the keyword 'KB(number)' and takes the time of that event, as shown below:

[Screenshot: aa.PNG]

[Screenshot: aaa.JPG]

 

This can always be verified in Event Viewer -> Windows Logs -> System log.

 

If no Windows KB has been installed within the configured 'x' days (7 days in the example below), the client will not match the rule set.

[Screenshot: bbb.JPG]

 

  • Event ID 19: This event means a Windows Update has been successfully installed.
  • Event ID 216: This is also related to Windows Update installation activity, sometimes used for servicing events.
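
To reproduce this lookup on an endpoint when a tag is not being applied as expected, the following PowerShell script is an added example, not Fortinet's code. It approximates the check described above; the `$Days` parameter, the `KB\d+` pattern, and the inclusive comparison against the window are assumptions.

```powershell
# Added example: approximates the lookup described in this article.
# It is not FortiClient's own logic; boundary handling is an assumption.
# $Days is the 'x' days value from the EMS rule (7 in the article's example).
param([int]$Days = 7)

# Event IDs 19 and 216 in the System log, as named in the article.
# Get-WinEvent raises an error when nothing matches, so suppress it
# and handle the empty result explicitly below.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 19, 216 } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'KB\d+' }   # keep only events naming a KB

# Take the most recent matching event.
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

if (-not $latest) {
    Write-Output 'No event ID 19/216 mentioning a KB was found in the System log.'
    return
}

$age = (Get-Date) - $latest.TimeCreated

# Summarize what the endpoint's log currently shows.
[pscustomobject]@{
    EventId      = $latest.Id
    Provider     = $latest.ProviderName
    KB           = [regex]::Match($latest.Message, 'KB\d+').Value
    TimeCreated  = $latest.TimeCreated
    AgeDays      = [math]::Round($age.TotalDays, 1)
    WithinWindow = ($age.TotalDays -le $Days)
}
```

If `WithinWindow` is `False`, or no event is returned, the endpoint has no qualifying KB installation event inside the configured window, which is consistent with the rule not matching.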

 

 

 

 
