Need help creating script for query install windows updates

Hi everyone,
I have a bit of a daunting task before me and need some help. I am brand new to PowerShell, but I think it could gather the information I need.

On the device I am logged into, I need to get a list of Windows updates (KB article numbers) and their associated CVEs that it fixes. For each of the KBs, I need to know what severity MS has assigned to it (Critical, High/Important, etc.) and the severity of the individual CVEs (Critical/High/Medium/Low). I need the data separated by month.

The overall goal is to be able to see how many of each severity ( at a KB and CVE level) were patched on the device each month. If I can just get the data out into a CSV, I can then use some Excel magic to get the counts. The data is the part I have no idea how to get.

I am envisioning the columns to be something like:

Date | KB | KB Sev | CVE | CVE Sev

For this example data:

April 2024
KB5036609
Important
CVE-2024-21409
High

2024-04,KB5036609,Important,CVE-2024-21409,High

For this example data:

April 2024
KB5036899
Critical
CVE-2022-0001 (Medium),CVE-2024-20665 (Medium),CVE-2024-26195 (High) {There are 72 total but just for illustration only a few listed here}

2024-04,KB5036899,Critical,CVE-2022-0001,Medium
2024-04,KB5036899,Critical,CVE-2024-20665,Medium
2024-04,KB5036899,Critical,CVE-2024-26195,High
…the other 69 listed on separate rows

The script can query NIST, MS, or any reliable online source to get all the data.

This will be run on Windows 2016, 2019 and Windows 11 (for testing)

Any help would be greatly appreciated.
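The flattening step described in the post (one KB record with many CVEs becoming one CSV row per CVE, with the month as `yyyy-MM`) can be done entirely in PowerShell once the KB-to-CVE data has been collected. This is an added example, not code from the original post; the two records below are constructed sample input modelled on the post's own examples, and the CVE list format `CVE-ID (Severity)` is an assumption about how the collected data is stored.

```powershell
# Added example: expand KB-level records into Date | KB | KB Sev | CVE | CVE Sev rows.
# The records below are constructed sample data; in practice they would be
# assembled from the Microsoft Security Update Guide or NVD (assumed source).
$kbRecords = @(
    [pscustomobject]@{
        Date  = [datetime]'2024-04-09'
        KB    = 'KB5036609'
        KBSev = 'Important'
        CVEs  = 'CVE-2024-21409 (High)'
    },
    [pscustomobject]@{
        Date  = [datetime]'2024-04-09'
        KB    = 'KB5036899'
        KBSev = 'Critical'
        CVEs  = 'CVE-2022-0001 (Medium),CVE-2024-20665 (Medium),CVE-2024-26195 (High)'
    }
)

function Expand-KbRecord {
    <#
      Emits one object per CVE found in a KB record.
      The month is rendered as yyyy-MM so the CSV sorts and pivots cleanly in Excel.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record
    )
    process {
        # CVE id followed by its severity in parentheses, e.g. "CVE-2022-0001 (Medium)"
        $pattern    = '(?<id>CVE-\d{4}-\d{4,})\s*\((?<sev>[^)]+)\)'
        $cveMatches = [regex]::Matches($Record.CVEs, $pattern)
        if ($cveMatches.Count -eq 0) {
            Write-Warning "No CVEs parsed for $($Record.KB); check the input format"
            return
        }
        foreach ($m in $cveMatches) {
            [pscustomobject]@{
                Date   = $Record.Date.ToString('yyyy-MM')
                KB     = $Record.KB
                KBSev  = $Record.KBSev
                CVE    = $m.Groups['id'].Value
                CVESev = $m.Groups['sev'].Value
            }
        }
    }
}

$rows = $kbRecords | Expand-KbRecord
$rows | Export-Csv -Path .\patched-cves.csv -NoTypeInformation

# Quick sanity check of the per-month severity counts before the Excel work
$rows | Group-Object Date, CVESev | Select-Object Name, Count
```

Running this on the constructed input produces four rows (one for KB5036609 and three for KB5036899), matching the layout in the post; a record whose CVE list does not parse is reported with a warning rather than silently dropped, which matters when the list has 72 entries and one is malformed.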

Howdy and welcome. While we are happy to give pointers and provide guidance/assistance to specific questions, we don’t actually write full code solutions for other people. There’s also some expectation that you do some research and try to come up with a solution on your own as well. So with that in mind, what have you tried?

While commands like Get-Hotfix exist, I don’t think they show the full history of updates.

Something you may look into is the PSWindowsUpdate module: PowerShell Gallery | PSWindowsUpdate 2.2.0.3

and PowerShell is fun :) Using the PowerShell PSWindowsUpdate module talks about how to use it. Get-WUHistory for example will give you a full list of update history. Depending on what you want this may be useful.

Now to match them to CVEs you’re going to need to do more work. I can’t say I’ve done this before and generally if a CVE is addressed by a specific update, I’m typically sourcing that from a news article. Occasionally it’ll be in a post like this: KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-3596 - Microsoft Support but the issue is, that KB isn’t even found in my history, it actually seems to be included in KB5040442 but in order to get that info you have to sorta follow the cookie trail. IMO to me trying to do that matching is probably more work than it’s worth. You’re better off just making sure all the updates that can be installed, are installed, so you’re ‘fully up to date’ :wink:
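The update history that Get-WUHistory surfaces is also reachable without the module, through the Windows Update Agent COM API that ships with Windows. The following is an added example (not from the reply or from PSWindowsUpdate) that reads that history, keeps only successful installations, extracts the KB number from each title, and groups the results by month so they can be joined to a separately collected KB-to-CVE table. The CSV file name is an assumption.

```powershell
# Added example: list successfully installed KBs per month from the local
# Windows Update history via the Windows Update Agent COM API.
function Get-InstalledKbByMonth {
    [CmdletBinding()]
    param()

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }

    # Each entry is an IUpdateHistoryEntry:
    #   Operation  1 = Installation, 2 = Uninstallation
    #   ResultCode 2 = Succeeded,    3 = Succeeded with errors
    $entries = $searcher.QueryHistory(0, $total)

    foreach ($e in $entries) {
        if ($e.Operation -ne 1 -or $e.ResultCode -ne 2) { continue }
        # Titles carry the KB as "(KB5040442)"; entries without one (e.g. some
        # driver or definition updates) are skipped because they cannot be joined
        if ($e.Title -match '\(KB(?<kb>\d+)\)') {
            [pscustomobject]@{
                Month = $e.Date.ToString('yyyy-MM')
                KB    = 'KB' + $Matches['kb']
                Title = $e.Title
            }
        }
    }
}

# Deduplicate: the same KB can appear more than once if it was retried
$installed = Get-InstalledKbByMonth | Sort-Object Month, KB -Unique

# How many distinct KBs landed each month
$installed | Group-Object Month | Select-Object Name, Count

# Raw list for joining against a KB-to-CVE table (assumed file name)
$installed | Export-Csv -Path .\installed-kbs.csv -NoTypeInformation
```

One caveat that follows from the reply: the history records the package that was actually installed, so a fix that Microsoft documents under its own KB but ships inside a cumulative update (the KB5040268 inside KB5040442 case above) will only show up here under the cumulative KB. Any KB-to-CVE join therefore has to be keyed on the cumulative update's KB, which is why the matching needs an external source rather than the local history alone.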


Thanks for the information. I did try quite a few things but ended up with some PS and some web searches to get all the information and manually mesh it all into Excel. I could never get the MS API nor the NVD API to work in PS so I just did it all manually.

I’ll keep tinkering with this and let you know if I have any questions.