Let us learn about PowerShell Script to Find Out Patch Installation Status on Remote Computers.
Microsoft's Patch Tuesday for May 2019 brought us some critical updates, one of the most discussed being the fix for the CVE-2019-0708 vulnerability.
This post covers how to check the patch installation status on remote computers.
OSes Affected by Vulnerability
More details about Patch Installation Status can be found in the following sections of this post. The patch mentioned above was an emergency.
NOTE! – Some SCCM features, like Run a Script, might not work on Windows 7 or Windows 2008.
KB4499180 (for Windows Server 2008 SP2)
KB4499175 (for Windows Server 2008 R2 x64 SP1)
KB4499175 (for Windows 7 SP1)
KB4500705/KB4500331 (for Windows XP SP3)
KB4500705/KB4500331 (for Windows Server 2003 SP2)
Requirement of PowerShell Script
This particular vulnerability is rated as an emergency in many organisations, and patching/SCCM teams are busy deploying the fix for it.
It is easy to deploy the fix, as it is a direct security-only update from Microsoft in the list of May patches.
But it is a little challenging to get accurate details after patch installation on whether any system/server is still missing this patch.
NOTE! We can do the patch reporting with SCCM reports, but we might not get exact details with SCCM reports in some cases.
Post patch deployment, I also needed to get the report to see if all the servers got the required patch installed or if any of the servers are still missing this patch.
Fetching Patch Details via PowerShell Script
In this case, PowerShell can help us with more accurate details. I wrote a PowerShell script, and it worked perfectly to get the details of the KB number (KB4499175 or KB4499180) and installed date, with the computer name, from the remote server.
I have exported these details to an Excel file to review the results at a later point.
In this script, I have used Win32_QuickFixEngineering rather than Get-HotFix. Get-HotFix will also give us the same results, but it has its pros and cons. I have read and tested that Get-HotFix is not working after finding any computer that is not online.
NOTE! – Read more about the cons of using QuickFixEngineering in the following post: SCCM How to find the list of Software Updates and patches installed Via Quick Fix Engineering
Patch Installation Status PowerShell Script
As part of this PowerShell script, I have created a PowerShell function, get-installedpatch, with error handling. This script will check if the computer is pingable and, if pingable, connects to the remote computer to get the patch details. Results are exported to CSV files, and not-online and exception computers are recorded in different text files.
The input is the computer name or the file which contains the list of computer names.
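The flow described above (ping check, Win32_QuickFixEngineering query, CSV export, separate files for offline and failing hosts), written out as an added example. It is not the author's Get-installedPatch.ps1; the function name, parameter names and output file names are assumptions, and it targets Windows PowerShell (Get-WmiObject is not available in PowerShell 7).

```powershell
# Added illustration, not the author's script. Names below are hypothetical.
function Get-PatchStatusSketch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [ValidatePattern('^KB\d+$')]                      # keeps quotes out of the WQL filter
        [string[]]$KBId = @('KB4499175', 'KB4499180'),    # KBs named in this post
        [string]$OutDir = '.'
    )
    begin {
        # Builds: HotFixID='KB4499175' OR HotFixID='KB4499180'
        $filter  = ($KBId | ForEach-Object { "HotFixID='$_'" }) -join ' OR '
        $results = New-Object System.Collections.Generic.List[object]
    }
    process {
        foreach ($computer in $ComputerName) {
            $computer = $computer.Trim()
            if (-not $computer) { continue }              # skip blank lines from the input file
            if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
                Add-Content -Path (Join-Path $OutDir 'NotOnline.txt') -Value $computer
                continue
            }
            try {
                $fixes = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer `
                               -Filter $filter -ErrorAction Stop)
                if ($fixes.Count -eq 0) {
                    # Reachable but neither KB present: report it rather than dropping the host
                    $results.Add([pscustomobject]@{ ComputerName = $computer; HotFixID = $null
                                                    InstalledOn = $null; Status = 'Missing' })
                }
                foreach ($fix in $fixes) {
                    $results.Add([pscustomobject]@{ ComputerName = $computer; HotFixID = $fix.HotFixID
                                                    InstalledOn = $fix.InstalledOn; Status = 'Installed' })
                }
            }
            catch {
                # RPC, WMI and access-denied failures go to their own file for follow-up
                Add-Content -Path (Join-Path $OutDir 'Exceptions.txt') -Value "$computer : $($_.Exception.Message)"
            }
        }
    }
    end {
        $results | Export-Csv -Path (Join-Path $OutDir 'PatchStatus.csv') -NoTypeInformation
        $results                                          # also emit objects to the pipeline
    }
}
# Usage (file name is a placeholder): Get-Content .\Computers.txt | Get-PatchStatusSketch
```

Hosts that block ICMP end up in NotOnline.txt even if WMI could reach them, so treat that file as "unverified" rather than "unpatched".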
Download PowerShell Script
Please find the actual code of this script on GitHub at the link below: https://raw.githubusercontent.com/jampaniharish/OnlineScripts/master/Get-installedPatch.ps1
<#
.Synopsis
This script will get details of particular patch installed on remote computer.
.DESCRIPTION
This script will get details of particular patch installed on remote computer, in this case I am trying to get recent emergency patch installed on remote computer.
.EXAMPLE
get-content "C:\temp\Hareesh\Script\Computers.txt" | get-installedpatch
.EXAMPLE
get-installedpatch -computers computer1,computer2
.INPUTS
computername
.FUNCTIONALITY
This cmdlet is useful to check the recent emergency patch (KB4499175 or KB4499180) is installed on remote computer or not.
#>
I have found that this script is a bit slow to get these details, but I could not find any better way than this to get these details. I would welcome any suggestions on this.