Find unpatched servers.

This topic contains 7 replies, has 2 voices, and was last updated by Johan Hammarstrom 5 months ago.

  • #70865

    Johan Hammarstrom
    Participant

    Hi Admins,

    I would like to have a PowerShell script that scans my servers for patches and gives me a list which I can work from.
    I'm having trouble understanding how I can get the server name next to my patch info.
    This is what I have so far.
    Advice?

    # Pick the target servers from AD by name pattern and keep only the Name property
    $servers = Get-ADComputer -Filter { (Name -like "t-web*") -or (Name -like "crs*") } | Select-Object -ExpandProperty Name

    # Open one remoting session per server and run the check on all of them
    $session = New-PSSession -ComputerName $servers
    Invoke-Command -Session $session -ScriptBlock {
        # KB list as posted (it contains duplicates)
        $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

        # Query Get-HotFix once and keep only the IDs that are in the list
        $hotfix = Get-HotFix | Where-Object { $hotfixes -contains $_.HotfixID } | Select-Object -Property HotFixID

        # Note: the output is a plain string, so nothing here says which server it came from
        if ($hotfix) { "Found HotFix: " + $hotfix.HotFixID }
        else { "Did not Find HotFix" }
    }
    # Disconnect all sessions
    Remove-PSSession $session

  • #70876

    Max Kozlov
    Participant

    One of a dozen possible variants:

    # Assumes $session was created as in the original post
    Invoke-Command -Session $session -ScriptBlock {
        $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

        # IDs from the list that are actually installed on this server
        $idlist = Get-HotFix | Where-Object { $hotfixes -contains $_.HotfixID } | Select-Object -ExpandProperty HotFixID

        # Report every listed KB, prefixed with the local computer name
        foreach ($fixid in $hotfixes) {
            if ($idlist -contains $fixid) { "$ENV:ComputerName contains $fixid" }
            else { "$ENV:ComputerName does not contain $fixid" }
        }
    }

    • #70882

      Johan Hammarstrom
      Participant

      Hi Max,

      Thanks for the swift reply.
      One step forward, but with your script I get information on whether a server is missing any of the patches.
      If any of the patches in $hotfix is installed, the server is OK.

      You understand what I mean? Something you could help me with?

      Output from "your" script

      WEB03-01 contains KB4019215
      WEB03-01 contains KB4019215
      WEB03-01 does not contain KB4019216
      WEB03-01 does not contain KB4019264
      WEB03-01 does not contain KB4019264
      WEB03-01 does not contain KB4019472

      Regards
      Johan

  • #70888

    Max Kozlov
    Participant

    np

    # Assumes $session was created as in the original post
    Invoke-Command -Session $session -ScriptBlock {
        $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216",
        "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198",
        "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554",
        "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

        # IDs from the list that are actually installed on this server
        $idlist = Get-HotFix | Where-Object { $hotfixes -contains $_.HotfixID } | Select-Object -ExpandProperty HotFixID

        # Stop at the first listed KB that is installed: one match means the server is OK
        $foundfix = ''
        foreach ($fixid in $hotfixes) {
            if ($idlist -contains $fixid) { $foundfix = $fixid; break }
        }
        if ($foundfix -eq '') { "$ENV:ComputerName contains no fixes" } else { "$ENV:ComputerName contains $foundfix" }
    }

    • #70891

      Johan Hammarstrom
      Participant

      Works like a charm!
      Many thanks!

      //Johan

    • #70892

      Johan Hammarstrom
      Participant

      Arrrrggg! Your script works great, but now I ran into another problem.
      According to the script, many of my servers don't have any of the patches installed.

      When I log into the servers and run Get-HotFix I don't see the latest hotfixes.
      But if I use the GUI I can see that they are in fact installed.

      Must be some kind of bug.
      Time to google.

  • #70895

    Max Kozlov
    Participant

    Maybe superseded?
    And maybe you need a WSUS?
    There is an excellent module for WSUS: https://github.com/proxb/PoshWSUS

  • #70897

    Johan Hammarstrom
    Participant

    Not superseded.
    Wish I could upload an image, but I don't find any option to do so?
    Seems to be many others who have the same problem: on random servers the InstallDate property is blank and therefore you don't see the patches when you run Get-HotFix (if I understand it correctly).
    Have no idea why.

    Anyway, with your script I've saved many hours 🙂

    Regards
    Johan
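As an added example that is not code from the thread, the check below extends Max's final script in two ways: it returns objects (so the server name is always attached) and it reads the Windows Update history through the WUA COM API as a second source, so KBs that Get-HotFix omits on some servers (as observed above) are still counted. It assumes WinRM is enabled, the caller is an administrator on the targets, and `$servers` and `$hotfixes` are defined as in the posts above.

```powershell
# Added example, not code from the thread. Assumes $servers and $hotfixes
# are defined as in the posts above and that WinRM is enabled on the targets.
function Get-KbInstallReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$KbList
    )
    $KbList = $KbList | Sort-Object -Unique   # the posted list repeats several KBs

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $wanted = $using:KbList

        # Source 1: Get-HotFix (backed by Win32_QuickFixEngineering)
        $fromHotfix = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

        # Source 2: Windows Update history via the WUA COM API. Titles look like
        # "Security Update for Windows Server (KB4012212)"; ResultCode 2 = succeeded.
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $count    = $searcher.GetTotalHistoryCount()
        $fromWua  = @()
        if ($count -gt 0) {
            $fromWua = @($searcher.QueryHistory(0, $count) |
                Where-Object { $_.ResultCode -eq 2 } |
                ForEach-Object { [regex]::Match($_.Title, 'KB\d+').Value } |
                Where-Object { $_ })
        }

        # Listed KBs present in either source
        $installed = @(($fromHotfix + $fromWua) | Sort-Object -Unique | Where-Object { $wanted -contains $_ })
        # Listed KBs only the update history knows about: the gap described in the thread
        $hiddenFromHotfix = @($installed | Where-Object { $fromHotfix -notcontains $_ })

        [PSCustomObject]@{
            ComputerName     = $env:COMPUTERNAME
            HasAnyFix        = $installed.Count -gt 0
            Installed        = $installed -join ','
            HiddenFromHotfix = $hiddenFromHotfix -join ','
        }
    } | Select-Object ComputerName, HasAnyFix, Installed, HiddenFromHotfix
}

# Servers that have none of the listed KBs according to either source
Get-KbInstallReport -ComputerName $servers -KbList $hotfixes |
    Where-Object { -not $_.HasAnyFix } |
    Format-Table -AutoSize
```

Drop the `Where-Object` filter to see the full per-server table, including the HiddenFromHotfix column that shows which KBs Get-HotFix alone would have missed.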
