Find unpatched servers.

Hi Admins,

I would like to have a PowerShell script that scans my servers for patches and gives me a list which I can work from.
I'm having trouble understanding how I can get the server name next to my patch info.
This is what I have so far.
Advice?

$servers = Get-ADComputer -Filter { (Name -like "t-web*") -or (Name -like "crs*") } | Select-Object -ExpandProperty Name

$session = New-PSSession -ComputerName $servers
Invoke-Command -ScriptBlock {
    # KBs to look for; any of these counts as a match
    $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

    # Installed hotfixes that are in the list
    $hotfix = Get-HotFix | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -Property "HotFixID"

    if (Get-HotFix | Where-Object { $hotfixes -contains $_.HotFixID }) { "Found HotFix: " + $hotfix.HotFixID }
    else { "Did not Find HotFix" }
} -Session $session
# Disconnect all sessions
Remove-PSSession $session

One of a dozen possible variants:

Invoke-Command -ScriptBlock {
    $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

    # IDs from the list that are actually installed on this server
    $idlist = Get-HotFix | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -ExpandProperty "HotFixID"
    # One line per KB, prefixed with the server name so the output can be matched to a host
    foreach ($fixid in $hotfixes) {
        if ($idlist -contains $fixid) { "$ENV:ComputerName contains $fixid " }
        else { "$ENV:ComputerName not contains $fixid " }
    }
} -Session $session

Hi Max,

Thanks for the swift reply.
One step forward, but with your script I get information if a server is missing any of the patches.
If any of the patches in $hotfix is installed the server is ok.

You understand what I mean? Something you could help me with?

Output from "your" script

WEB03-01 connains KB4019215
WEB03-01 connains KB4019215
WEB03-01 not connains KB4019216
WEB03-01 not connains KB4019264
WEB03-01 not connains KB4019264
WEB03-01 not connains KB4019472



Invoke-Command -ScriptBlock {
    $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216",
    "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198",
    "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554",
    "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

    $idlist = Get-HotFix | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -ExpandProperty "HotFixID"
    # Stop at the first KB from the list that is installed; one is enough for the server to be OK
    $foundfix = ''
    foreach ($fixid in $hotfixes) {
        if ($idlist -contains $fixid) { $foundfix = $fixid; break }
    }
    if ($foundfix -eq '') { "$ENV:ComputerName contains no fixes" } else { "$ENV:ComputerName contains $foundfix " }
} -Session $session

Works like a charm!
Many thanks!


Arrrrggg! your script works great but now I ran into another problem.
According to script many of my servers don’t have any of the patches installed.

When I log into the servers and run get-hotfix I don’t see the latest hotfixes…
But if I use the gui I can see that they are in fact installed.

Must be some kind of bug.
Time to google.

Maybe superseded?
And maybe you need a WSUS?
There is an excellent module for WSUS.

Not superseded
Wish I could upload an image but I don’t find any option to do so?
Seems to be many others who have the same problem, on random servers the installdate property is blank and therefore you don't see the patches when you run get-hotfix (if I understand it correctly)
Have no idea why.

Anyway , with your script I’ve saved many hours :slight_smile:
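An added example, not from anyone in this thread, that pulls the two problems discussed above together: returning an object per server so the server name (PSComputerName) travels with the patch result, and checking the Windows Update history through the Microsoft.Update.Session COM API as a second source when Get-HotFix (Win32_QuickFixEngineering) lists nothing. The AD name filter and the shortened KB list are placeholders, and it assumes WinRM is already enabled on the targets.

```powershell
# Servers to check (placeholder name filter, same shape as in the thread)
$servers = Get-ADComputer -Filter { (Name -like "t-web*") -or (Name -like "crs*") } |
    Select-Object -ExpandProperty Name

# Any ONE of these KBs installed means the server is patched (shortened, deduplicated list)
$hotfixes = "KB4012212", "KB4012213", "KB4012214", "KB4012598", "KB4019215", "KB4019472" |
    Sort-Object -Unique

$check = {
    param([string[]]$Wanted)

    # Source 1: Get-HotFix (QFE). As noted in the thread, some servers omit entries here.
    $qfe = Get-HotFix | Where-Object { $Wanted -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Source 2: Windows Update history (what the GUI's update history shows).
    # Operation 1 = installation, ResultCode 2 = succeeded. Titles carry the KB in parentheses.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $history  = $searcher.QueryHistory(0, $searcher.GetTotalHistoryCount()) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 }
    $wuKBs = foreach ($entry in $history) {
        if ($entry.Title -match 'KB\d+') { $Matches[0] }
    }
    $wuFound = $wuKBs | Where-Object { $Wanted -contains $_ } | Sort-Object -Unique

    $found = @(@($qfe) + @($wuFound) | Sort-Object -Unique)
    # Return an object; Invoke-Command tags it with PSComputerName automatically
    [pscustomobject]@{
        Patched  = ($found.Count -gt 0)
        FoundVia = if ($qfe) { 'Get-HotFix' } elseif ($wuFound) { 'UpdateHistory' } else { 'none' }
        FoundKBs = ($found -join ',')
    }
}

# Fan out in parallel; (,$hotfixes) passes the array as a single argument
$results = Invoke-Command -ComputerName $servers -ScriptBlock $check `
    -ArgumentList (,$hotfixes) -ErrorAction SilentlyContinue

# Servers that never answered are absent from $results and need manual follow-up
$unreachable = $servers | Where-Object { $_ -notin $results.PSComputerName }

$results | Select-Object PSComputerName, Patched, FoundVia, FoundKBs |
    Sort-Object Patched, PSComputerName | Format-Table -AutoSize
"Unpatched: " + (($results | Where-Object { -not $_.Patched }).PSComputerName -join ', ')
"Unreachable: " + ($unreachable -join ', ')
```

A server reported as patched only via UpdateHistory is one where Get-HotFix is missing the entry, which is the symptom described in the last post; the FoundVia column makes those cases visible instead of counting them as unpatched.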