Find unpatched servers.

johan-hammarstrom · May 17, 2017, 2:20am

Hi Admins,

I would like to have a powershell script that scans my servers for patches and give me a list which I can work from.
Im having trouble to understand how I can get the servername next to my patch info.
This is what I have so far.
Advice ?

$servers = Get-adcomputer -filter {((name -like “t-web*”) -or (name -like “crs*”)) } | select name -ExpandProperty name

$session = New-PSSession -ComputerName $servers
Invoke-Command -ScriptBlock {
$hotfixes = “KB4012212”, “KB4012212”, “KB4012213”, “KB4012213”, “KB4012214”, “KB4012215”, “KB4012215”, “KB4012216”, “KB4012216”, “KB4012217”, “KB4012219”, “KB4012220”, “KB4012598”, “KB4012598”, “KB4012598”, “KB4012598”, “KB4012598”, “KB4012606”, “KB4013198”, “KB4013429”, “KB4013429”, “KB4015217”, “KB4015438”, “KB4015549”, “KB4015550”, “KB4015550”, “KB4015551”, “KB4015553”, “KB4015554”, “KB4016635”, “KB4019215”, “KB4019215”, “KB4019216”, “KB4019264”, “KB4019264”, “KB4019472”

$hotfix = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property “HotFixID”

if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}) { "Found HotFix: " + $hotfix.HotFixID }
else { “Did not Find HotFix” }

           } -Session $session
           #Disconnect all sessions
           Remove-PSSession $session

max-kozlov · May 17, 2017, 5:20am

one of dozen possible variants

Invoke-Command -ScriptBlock {
 $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472" 

$idlist = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -expandproperty "HotFixID"
foreach ($fixid in $hotfixes) {
  if ($idlist -contains $fixid) { "$ENV:ComputerName connains $fixid " }
  else { "$ENV:ComputerName not connains $fixid " }
}
} -Session $session

johan-hammarstrom · May 17, 2017, 6:02am

Hi Max,

Thanks for the swift reply.
One step forward, but with your script I get information if a server is missing any of the patches.
If any of the patches in $hotfix is installed the server is ok.

You understand what mean? Something you could help me with?

Output from “your” script

WEB03-01 connains KB4019215
WEB03-01 connains KB4019215
WEB03-01 not connains KB4019216
WEB03-01 not connains KB4019264
WEB03-01 not connains KB4019264
WEB03-01 not connains KB4019472

Regards
JOhan

max-kozlov · May 17, 2017, 6:43am

np

Invoke-Command -ScriptBlock {
$hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216",
"KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198",
"KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554",
"KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

 $idlist = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -expandproperty "HotFixID"
 $foundfix = ''
 foreach ($fixid in $hotfixes) {
   if ($idlist -contains $fixid) { $foundfix = $fixid; break }
 }
 if ($foundfix -eq '') { "$ENV:ComputerName contains no fixes"  } else { "$ENV:ComputerName contains $foundfix " }
} -Session $session

johan-hammarstrom · May 17, 2017, 6:52am

Works like a charm!
Many thanks!

//Johan

johan-hammarstrom · May 17, 2017, 7:00am

Arrrrggg! your script works great but now I ran into another problem.
According to script many of my servers don’t have any of the patches installed.

When I log into the servers and run get-hotfix I don’t see the latest hotfixes…
But if I use the gui I can see that they are in fact installed.

Must be some kind of bug.
Time to google.

max-kozlov · May 17, 2017, 7:13am

may be superceded ?
and may be you need a WSUS ?
there is a excelent module for wsus GitHub - proxb/PoshWSUS: PowerShell module to manage Windows Server Update Services (WSUS)

johan-hammarstrom · May 17, 2017, 7:51am

Not superseded
Wish I could upload an image but I don’t find any option to do so?
Seems to be many others who have the same problem, on random servers the installdate property is blank and therefor you dont see the patches when you run get-hotfix (if I understand it correctly)
Have no idea why.

Anyway , with your script I’ve saved many hours

Regards
JOhan

Topic		Replies	Views
Powershell script to check whether multiple KB are installed or not in servers PowerShell Help	11	1089	May 16, 2024
How to get hot-fix details on multiple computers PowerShell Help	8	667	May 16, 2024
get-hotfix does not id office patches? PowerShell Help	5	231	May 16, 2024
Get last Patched status. PowerShell Help	5	167	May 16, 2024
Get-Hotfix from throws error in the middle PowerShell Help	3	656	May 16, 2024

Find unpatched servers.

Related topics