Troubleshoot: False Software Change Alerts

Problem

I am seeing false alerts in the JumpCloud Admin Portal, where software updates on Windows devices are reported as separate software_remove and software_add events instead of a single software_update event.

Cause

JumpCloud System Insights uses osquery to track software changes on Windows devices by collecting data periodically and comparing snapshots. False alerts occur because:

  • Windows apps lack a unique identifier, making it hard to track updates.
  • Application names may include version or architecture details (for example, "TestApp v1.32.0" or "TestApp v4.2.3"), causing mismatches.
  • Installation locations may change or be missing during updates.
  • Multiple apps may share similar names (such as different .NET runtime versions), leading to incorrect event logging.

Previously, updates were logged as software_remove (old version) and software_add (new version) events, which could be misinterpreted as separate actions.

Solution

JumpCloud has improved software update detection on Windows to reduce false alerts:

  1. Install Location Matching: We prioritize the install_location field (like C:\Program Files\TestApp) to identify the same app across snapshots, even if names vary due to version or architecture.
  2. Name Fallback: If install_location is unavailable or changes, we use the name field, carefully handling versioned names to avoid mismatches.
  3. Multi-Version Handling: For apps with identical names (such as .NET runtimes), we track versions to log accurate changes and avoid redundant alerts.
  4. Fallback Behavior: If neither field confirms an update, we log software_remove and software_add events to ensure changes are reported.
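
The four matching steps above, sketched as an added example (this is not JumpCloud's implementation): it diffs two snapshots of rows carrying name, version and install_location. The suffix-stripping regex, the rule of pairing only one-to-one matches, the helper names and the sample rows are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed heuristic: trailing version or architecture tokens in a display name.
_SUFFIX = re.compile(r"\s+(v?\d+(\.\d+)+|\(?(x64|x86|64-bit|32-bit)\)?)$", re.I)

def base_name(name):
    """'TestApp v1.32.0 (x64)' -> 'testapp'"""
    name, prev = name.strip(), None
    while name != prev:
        prev, name = name, _SUFFIX.sub("", name)
    return name.lower()

def _loc(r):
    return (r.get("install_location") or "").rstrip("\\").lower()
def _key(r):
    return (r["name"], r["version"], _loc(r))

def _pair(old, new, keyfn, events):
    """Pair rows only when a non-empty key has exactly one old and one new row."""
    groups = defaultdict(lambda: ([], []))
    for side, rows in enumerate((old, new)):
        for r in rows:
            if keyfn(r):
                groups[keyfn(r)][side].append(r)
    for o, n in groups.values():
        if len(o) == 1 and len(n) == 1:
            old.remove(o[0])
            new.remove(n[0])
            events.append(("software_update", n[0]["name"], o[0]["version"], n[0]["version"]))

def diff_snapshots(old, new):
    """Return (event, name, old_version, new_version) tuples for two snapshots."""
    same = {_key(r) for r in old} & {_key(r) for r in new}  # untouched rows, e.g. a second runtime
    old = [r for r in old if _key(r) not in same]
    new = [r for r in new if _key(r) not in same]
    events = []
    _pair(old, new, _loc, events)                            # step 1: install_location
    _pair(old, new, lambda r: base_name(r["name"]), events)  # steps 2-3: name, version-aware
    events += [("software_remove", r["name"], r["version"], None) for r in old]  # step 4
    events += [("software_add", r["name"], None, r["version"]) for r in new]
    return events

def row(name, version, loc=""):  # constructed sample rows, not real device data
    return {"name": name, "version": version, "install_location": loc}

OLD = [row("TestApp v1.32.0", "1.32.0", r"C:\Program Files\TestApp"), row("OldTool", "2.0"),
       row("Microsoft .NET Runtime", "6.0.1"), row("Microsoft .NET Runtime", "8.0.0")]
NEW = [row("TestApp v4.2.3", "4.2.3", r"C:\Program Files\TestApp"), row("NewTool", "1.0"),
       row("Microsoft .NET Runtime", "6.0.2"), row("Microsoft .NET Runtime", "8.0.0")]
```

Calling diff_snapshots(OLD, NEW) yields two software_update events (TestApp by location, the .NET runtime by name and version) and a software_remove/software_add pair for the two unrelated tools.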

Benefits

  • Fewer False Alerts: Updates are more accurately logged as software_update events.
  • Reliable Tracking: Handles versioned names and multi-version apps better.

Note:

This applies to Windows only. macOS and Linux use unique package IDs and are unaffected.

Limitations

Updates may still be logged as separate events if install_location or name changes significantly.

  • Non-MSI or UWP apps may have inconsistent metadata, affecting detection.
  • Complex name variations can pose challenges.