Find unpatched servers.

This topic contains 7 replies, has 2 voices, and was last updated by Johan Hammarstrom 2 months ago.

  • #70865
    Johan Hammarstrom
    Participant

    Hi Admins,

    I would like to have a PowerShell script that scans my servers for patches and gives me a list which I can work from.
    I'm having trouble understanding how I can get the server name next to my patch info.
    This is what I have so far.
    Advice?

    $servers = Get-adcomputer -filter {((name -like "t-web*") -or (name -like "crs*")) } | select name -ExpandProperty name

    $session = New-PSSession -ComputerName $servers
    Invoke-Command -ScriptBlock {
    $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"

    $hotfix = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID"

    if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}) { "Found HotFix: " + $hotfix.HotFixID }
    else { "Did not Find HotFix" }

    } -Session $session
    #Disconnect all sessions
    Remove-PSSession $session

  • #70876
    Max Kozlov
    Participant

    One of a dozen possible variants:

    Invoke-Command -ScriptBlock {
     $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216", "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472" 
    
    $idlist = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -expandproperty "HotFixID"
    foreach ($fixid in $hotfixes) {
      if ($idlist -contains $fixid) { "$ENV:ComputerName connains $fixid " }
      else { "$ENV:ComputerName not connains $fixid " }
    }
    } -Session $session
    
    • #70882
      Johan Hammarstrom
      Participant

      Hi Max,

      Thanks for the swift reply.
      One step forward, but with your script I get information if a server is missing any of the patches.
      If any of the patches in $hotfix is installed the server is ok.

      Do you understand what I mean? Is this something you could help me with?

      Output from "your" script

      WEB03-01 connains KB4019215
      WEB03-01 connains KB4019215
      WEB03-01 not connains KB4019216
      WEB03-01 not connains KB4019264
      WEB03-01 not connains KB4019264
      WEB03-01 not connains KB4019472

      Regards
      Johan

  • #70888
    Max Kozlov
    Participant

    np

    Invoke-Command -ScriptBlock {
    $hotfixes = "KB4012212", "KB4012212", "KB4012213", "KB4012213", "KB4012214", "KB4012215", "KB4012215", "KB4012216", "KB4012216",
    "KB4012217", "KB4012219", "KB4012220", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012598", "KB4012606", "KB4013198",
    "KB4013429", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015550", "KB4015551", "KB4015553", "KB4015554",
    "KB4016635", "KB4019215", "KB4019215", "KB4019216", "KB4019264", "KB4019264", "KB4019472"
    
     $idlist = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -expandproperty "HotFixID"
     $foundfix = ''
     foreach ($fixid in $hotfixes) {
       if ($idlist -contains $fixid) { $foundfix = $fixid; break }
     }
     if ($foundfix -eq '') { "$ENV:ComputerName contains no fixes"  } else { "$ENV:ComputerName contains $foundfix " }
    } -Session $session
    
    • #70891
      Johan Hammarstrom
      Participant

      Works like a charm!
      Many thanks!

      //Johan

    • #70892
      Johan Hammarstrom
      Participant

      Arrrrggg! Your script works great, but now I ran into another problem.
      According to the script, many of my servers don't have any of the patches installed.

      When I log into the servers and run Get-HotFix I don't see the latest hotfixes.
      But if I use the GUI I can see that they are in fact installed.

      Must be some kind of bug.
      Time to google.

  • #70895
    Max Kozlov
    Participant

    Maybe superseded?
    And maybe you need WSUS?
    There is an excellent module for WSUS: https://github.com/proxb/PoshWSUS

  • #70897
    Johan Hammarstrom
    Participant

    Not superseded.
    Wish I could upload an image, but I don't find any option to do so?
    Seems to be many others who have the same problem; on random servers the installdate property is blank and therefore you don't see the patches when you run Get-HotFix (if I understand it correctly).
    Have no idea why.

    Anyway, with your script I've saved many hours 🙂

    Regards
    Johan
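
An added example, not code from either participant: one way to get the server name next to the result and to apply the "any one of these KBs is enough" rule from the thread, returning objects instead of strings. Because Get-HotFix reads Win32_QuickFixEngineering, which does not list every installed update, the sketch also checks the Windows Update Agent history; the server names, the shortened KB list and the assumption that the history is readable over remoting are mine.

```powershell
# Added example, not code from the thread. Server names are constructed samples;
# in practice $servers would come from the Get-ADComputer query in the first post.
$servers  = 'WEB03-01', 'WEB03-02'
# Shortened sample of the thread's KB list, de-duplicated; use the full list in practice.
$hotfixes = 'KB4012212', 'KB4012213', 'KB4012598', 'KB4019215', 'KB4019264' | Sort-Object -Unique

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $wanted = $using:hotfixes

    # Source 1: Get-HotFix (Win32_QuickFixEngineering).
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $wanted -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Source 2: Windows Update Agent history. Assumes the history can be read inside
    # a remoting session; if not, the catch block keeps the Get-HotFix result.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $count = $searcher.GetTotalHistoryCount()
        if ($count -gt 0) {
            foreach ($entry in $searcher.QueryHistory(0, $count)) {
                # Operation 1 = installation, ResultCode 2 = succeeded
                if ($entry.Operation -eq 1 -and $entry.ResultCode -eq 2 -and
                    $entry.Title -match 'KB\d+' -and $wanted -contains $Matches[0]) {
                    $found += $Matches[0]
                }
            }
        }
    } catch {
        Write-Warning "Update history not readable on $($env:COMPUTERNAME): $_"
    }

    $found = @($found | Sort-Object -Unique)
    # One object per server; Invoke-Command adds PSComputerName on the way back.
    [pscustomobject]@{ Patched = ($found.Count -gt 0); FoundKB = ($found -join ', ') }
}

$results | Sort-Object Patched, PSComputerName | Format-Table PSComputerName, Patched, FoundKB
# Servers that returned nothing were not checked; list them instead of assuming a state.
$servers | Where-Object { $results.PSComputerName -notcontains $_ } |
    ForEach-Object { "NOT CHECKED: $_" }
```

A server that received a later cumulative rollup instead of any listed KB still reports Patched = False, so treat False as "verify this server" rather than as proof that the fix is missing.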
