get-hotfix does not id office patches?

This topic contains 3 replies, has 4 voices, and was last updated by Jim Van Sickler 10 months ago.

  • #34145
    P1 WAR
    Participant

    Does anyone have a script that can identify the patches (KBs) applied to Office, Word, Excel etc.? The WindowsUpdate.log shows definitions, and Get-Hotfix shows Windows system updates, but I cannot see a way of checking which KBs have been applied to, say, Excel. I have also explored HKLM with no joy. If I look at MS and read the KB I can see the exe/dlls etc. that the KB updates, and I can check the machines in question and see that the exe has updated, but I wanted a script to run on all machines on a domain to ID whether the KB has applied. (Happy to have a script for the local host first; I can adapt it for the domain.) Many thanks in advance.

  • #34148
    Don Jones
    Keymaster

    I'm not sure that the Office hot fixes actually get installed into the system table – they're just updates to actual files for the Office application. So you'd be checking the EXEs and DLLs. Just because it's a Microsoft update doesn't mean it's a Windows update, and Get-Hotfix only queries the operating system update list, as far as I know.

  • #34173
    Richard Siddaway
    Moderator

    If I remember correctly, Get-Hotfix uses the WMI class Win32_QuickFixEngineering under the covers. Looking at the class description: "The Win32_QuickFixEngineering WMI class represents a small system-wide update, commonly referred to as a quick-fix engineering (QFE) update, applied to the current operating system."

    It only picks up OS patches, so you won't see the Office patches.
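
Putting the two replies above together, the following is an added example (not code posted in this thread) that checks, on the local host, the three places a KB can leave evidence: the Win32_QuickFixEngineering class that Get-Hotfix reads (OS updates only), the MSI patch registrations under the per-machine Installer\UserData\S-1-5-18 key where Office and other MSI-installed products record their patches, and the version of a binary the KB article says it replaces. The KB number, file path and minimum version in the usage line are placeholders, not values from any real update; it uses Get-WmiObject and New-Object so it also runs on PowerShell 2.0.

```powershell
# Added example, not from the thread. The KB number, file path and minimum
# version used below are placeholders; take the real ones from the KB article.
function Test-KBEvidence {
    param(
        [Parameter(Mandatory=$true)][string]$KB,   # 'KBnnnnnnn'
        [string]$FilePath,                         # optional: a binary the KB replaces
        [version]$MinimumVersion                   # optional: version that binary should be at
    )

    # 1. What Get-Hotfix sees: Win32_QuickFixEngineering, i.e. OS servicing only.
    $inQfe = [bool](Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq $KB })

    # 2. MSI patch registrations for per-machine products (S-1-5-18 = LocalSystem).
    #    Office and other MSI-based products record their patches here, not in QFE.
    #    The wildcard covers every product GUID, so no Office GUID has to be hard-coded.
    $patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
    $msiPatches = @(Get-ItemProperty -Path $patchKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$KB*" } |
        ForEach-Object { $_.DisplayName })

    # 3. File evidence: compare the replaced binary's version with the version the KB ships.
    #    Built from the numeric parts because FileVersion strings can carry trailing text.
    $fileOk = $null
    if ($FilePath -and $MinimumVersion) {
        if (Test-Path -Path $FilePath) {
            $vi = (Get-Item -Path $FilePath).VersionInfo
            $fileVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $fileOk = ($fileVersion -ge $MinimumVersion)
        } else {
            $fileOk = $false   # binary absent: product not installed, or a different install path
        }
    }

    New-Object -TypeName PSObject -Property @{
        KB            = $KB
        InQFE         = $inQfe                # $true only for OS updates
        MsiPatchNames = $msiPatches           # non-empty if an MSI product registered the patch
        FileVersionOk = $fileOk               # $null if no file check was requested
        Installed     = ($inQfe -or $msiPatches.Count -gt 0 -or $fileOk -eq $true)
    }
}

# Usage with placeholder values; the path is an assumed 32-bit Office install location.
Test-KBEvidence -KB 'KB0000000' -FilePath "${env:ProgramFiles(x86)}\Microsoft Office\Office14\EXCEL.EXE" -MinimumVersion '14.0.0.0'
```

Run it inside Invoke-Command against each computer in the domain to get one object per host. A result with InQFE false but MsiPatchNames populated is exactly the case the thread describes: the update is installed, but Get-Hotfix will never report it. The file-version check is the fallback for updates that register nowhere, and it is only as good as the version you copy from the KB article.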

  • #34954
    Jim Van Sickler
    Participant

    Try this:

    # One remoting session per computer; collect every '(Default)' and DisplayName
    # string from the three registry locations into $REGKB, keyed by computer name,
    # so each computer is compared against its own registry rather than the last one read.
    $REGKB = @{}
    ForEach ($Computer in $Comps) {
        $REGKB[$Computer] = Invoke-Command -ComputerName $Computer -ScriptBlock {
            $Paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00005109110000000100000000F01FEC\Patches\*'
            Get-ItemProperty -Path $Paths -ErrorAction SilentlyContinue |
                ForEach-Object { $_.'(Default)'; $_.DisplayName } |
                Where-Object { $_ }          # drop empty values
        }
    }

    ForEach ($Computer in $Comps) {
        ForEach ($KB in $Comps_OPPKBs) {
            # -like is a wildcard substring test against every collected string;
            # -contains would only fire on an exact, whole-string match
            if ($REGKB[$Computer] -like "*$KB*") {
                Write-Output "$Computer reports $KB is Installed"
            } else {
                Write-Warning "$Computer reports $KB is Missing"
            }
        }
    }
    

    This is working on a network of Server 2012 (PS4) and Win7 (PS2) systems.

    My Variables:

    $Comps = $(Get-ADComputer -Filter * -SearchBase 'OU=ComputersComps, OU=WindowsSystems, DC=testlan, DC=local').Name | Sort-Object
    $Comps = $Comps.ToUpper()
    $CompsKBs = Get-Content .\Comps_KBs_.txt
    $Comps_OPPKBs = Get-Content .\Comps_OPPKBs_.txt
    $REGKB = @()
    

    Note: verify the key under Patches; my work PC has this key instead of the one listed above...they're only different in one character (0 vice 1):
    00005109110000000000000000F01FEC

    Microsoft may hide other updates elsewhere. I think you can add their locations to this and add them to $RegKB. I've only seen the KBXXXXXXX listed under .(Default) and .DisplayName, so I've limited it to those two to keep it simpler. You can view the contents of $RegKB, so you can verify that it's there/not there to validate the Installed/Missing state.

    You can use regedit to load the remote registry to drill down and validate the key; click on Rename to copy the actual value and paste it into your script.

    Hope this helps.

    Another note: something that caught me up was the difference between -contains and -match... -contains requires "-eq True", and -match won't work if it has "-eq True". Both are required for success.

    It took me a LOT of trial and error to get this working right – mostly error 🙁

    This is part of my very first real script – driven by the requirement to validate about 1700 patches applied to 60 systems, including Flash, Silverlight, McAfee and Acrobat Reader...NO WAY was I going to be able to do it manually. And thanks to PowerShell and the PowerShell Community, it works!!!
