PowerShell Script to Find Out Patch Installation Status on Remote Computers

Let us learn about PowerShell Script to Find Out Patch Installation Status on Remote Computers.

Several options are available to check the patch installation status on remote computers, including PowerShell scripts, a CMPivot query in SCCM, and the Get-HotFix Cmdlet. In this post, I will show you how to use a PowerShell script to determine the Patch Installation Status on Remote Computers.

You can use a PowerShell script to find out which patches are installed on remote computers. The script uses a specific class to retrieve accurate details such as the KB number, installation date, and computer name from remote servers.

May 2019’s Microsoft patch Tuesday contained critical updates, including an emergency patch for the widely discussed CVE-2019-0708 vulnerability.

Patch My PC

Older Windows versions lack security updates to protect against CVE-2019-0708, a critical remote code execution vulnerability. This post provides more details about the Patch Installation Status on remote computers.

Index
OSes Effected by Vulnerability
Requirement of PowerShell Script
Fetching Patch Details via PowerShell Script
Patch Installation Status PowerShell Script
Download PowerShell Script
PowerShell Script to Find Out Patch Installation Status on Remote Computers – Table.1

CVE-2019-0708 | Remote Desktop Services  Remote Code Execution Vulnerability (KB4499175)

OSes Effected by Vulnerability

The following sections of this post provide more details about the patch installation status. The patch mentioned above was an emergency.

Some of SCCM features like Run a Script might not work on Windows 7 or Windows 2008.

KB4499180 (for Windows Server 2008 SP2)
KB4499175 (for Windows Server 2008 R2 x64 SP1)
KB4499175 (for Windows 7 SP1)
KB4500705/KB4500331 (for Windows XP SP3)
KB4500705/KB4500331 (for Windows Server 2003 SP2)

Requirement of PowerShell Script

Many organisations rate this particular vulnerability as an emergency, and patching SCCM teams are busy deploying the fix.

It is easy to deploy the fix for this vulnerability as it is a direct security-only update from Microsoft from the list of May month patches.

However, it can be challenging to get accurate details after patch installation about whether any system server is still missing this patch.

NOTE! We can do the patch reporting with SCCM reports, but in some cases, we might not get exact details with them.

Post-patch deployment, I also needed to get the report to see if all the servers installed the required patch or if any of them were still missing it.

Fetching Patch Details via PowerShell Script

In this case, PowerShell can help us with more accurate details. I wrote a PowerShell script that worked perfectly to get the details of the KB number (KB4499175 or KB4499180) and install date with the computer name from a remote server.

I have exported these details to an Excel file to review the results later.

In this script, I have used win32_quickfixengineering rather than Get-hotfix. Get-hotfix will also give us the same results, but it has its pros and cons. After finding an offline computer, I have read and tested that Get-hotfix does not work.

NOTE! – Read more about the cons of using QuickFixEngineering in the following post. SCCM How to find the list of Software Updates and patches installed Via Quick Fix Engineering

Patch Installation Status PowerShell Script

As part of this PowerShell script, I have created a PowerShell function to get-installed patch with error handling. This script will check if the computer is pingable and if pingable connects to the remote computer to get the patch details. Results are exported to CSV files, not online, and exception computers are recorded in different text files.

NOTE! – There are other methods that you can use to run the PowerShell script using the SCCM Run Script method. Or you can use SCCM CMPivot to get the details of Patch Installation Status.

The input is the computer name or the file which contains the list of computer names.

PowerShell Script to Find Out Patch Installation Status on Remote Computers - Fig.1
PowerShell Script to Find Out Patch Installation Status on Remote Computers – Fig.1

Download PowerShell Script

Please find the actual code of this script from Github below link https://raw.githubusercontent.com/jampaniharish/OnlineScripts/master/Get-installedPatch.ps1

<#
.Synopsis
   This script will get details of perticular patch installed on remote computer.
.DESCRIPTION
   This script will get details of perticular patch installed on remote computer, in this case I am trying to get recent emergency patch installed on remote computer.
.EXAMPLE
   get-content "C:\temp\Hareesh\Script\Computers.txt" | get-installedpatch
.EXAMPLE
   get-installedpatch -computers computer1,computer2
.INPUTS
   computername
.FUNCTIONALITY
   This cmdlet is useful to check the recent emergency patch (KB4499175 or KB4499180) is installed on remote computer or not.
#>

I have found that this script is a bit slow to get these details, but I could not find any other better way than this to get these details. I would welcome any suggestions on this.

Resources

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here ā€“HTMD WhatsApp.

Author

Hareesh Jampani has 11 years of experience (calculation is done on the year 2019) in IT domain, during his carrier he’s worked with Desktop support, Active directory, VMware, SCCM and PowerShell.

3 thoughts on “PowerShell Script to Find Out Patch Installation Status on Remote Computers”

  1. Hi Haresh,

    You can try this version and see if its faster:

    list all device names with carriage returns
    tip: use cmtrace log viewer to monitor the csv/txt files

    <# Assumptions: winrm has been enabled on these devices 1. specify output network share path 2. specify failed network share path 3. in 'machines.txt' file -> list all device names with carriage returns
    tip: use cmtrace log viewer to monitor the csv/txt files
    #>

    $output = “C:\Patching\machine_updates.csv”
    $failed = “C:\Patching\machine_failed.txt”
    $machines = “C:\Patching\machines.txt”
    $machines_to_sweep = “C:\Patching\machines2sweep.txt”
    $ErrorActionPreference = ‘SilentlyContinue’
    $dev = 0
    $error.clear()

    Get-Content $machines | ForEach-Object {

    Write-Progress “Collecting update info from: $_”

    Invoke-Command -ComputerName $_ -ScriptBlock {
    Get-WmiObject -Class win32_quickfixengineering
    } | Select-Object -Property PSComputerName,Description,HotFixID,InstalledOn | Export-Csv -Path $output -Append -NoTypeInformation
    $dev++
    $error | Out-File $failed -Append
    }
    # grab the machines that have failed and save them for next run sweep
    [Regex]::Matches($Error, ‘(?<=\[)(.*?)(?=\])' ) | ? {$_ -notlike "*TInput,TOutput*" -and $_ -notlike ")(.*?)(?=\" } | Select -ExpandProperty Value | Out-File $machines_to_sweep # add stats to final csv $totalfailed = (gc $machines_to_sweep).count $totalpassed = $dev - $totalfailed "Total devices: $dev" | Out-File $output -Append "Total devices passed: $totalpassed" | Out-File $output -Append "Total devices failed: $totalfailed" | Out-File $output -Append Let me know how this works for you! šŸ™‚

    Reply
    • Thanks Matt for your updated script, your script is little faster than mine when I tested with just few machines that will help, what I liked the most in your script is the way you handled the errors and the way you added the stats to the final CSV.

      I just added the where clause to your script to match my requirement.

      Invoke-Command -ComputerName $_ -ScriptBlock {
      Get-WmiObject -Class win32_quickfixengineering | where {$_.hotfixid -eq “KB4499175” -or $_.hotfixid -eq “KB4499180”}
      }

      I did not create any projects in GitHub that could be the reason you are not able to upload it to GitHub. I am new to GitHub I will find out how can I add you as contributor.

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.