get-hotfix does not id office patches?

This topic contains 4 replies, has 5 voices, and was last updated by  edhcah 2 months, 4 weeks ago.

  • Author
  • #34145

    P1 WAR

    Does anyone have a script that can identify the Patches (KBs) applied to Office, Word, Excel etc. The Windowupdatelog shows definitions, Get-Hotfix shows Windows System updates but I cannot see a way of checking which KBs have applied to say Excel. I have also explore HKLM with no joy. If I look at MS and read the KB I can see the exe/dlls etc that the KB updates, I can check the machines in question and see the exe has updated but wanted a sript to run on all machines on a domain to ID if the KB has applied. (Happy to have a script for local host first and I can adapt for the domain. Many thanks in advance.

  • #34148

    Don Jones

    I'm not sure that the Office hot fixes actually get installed into the system table – they're just updates to actual files for the Office application. So you'd be checking the EXEs and DLLs. Just because it's a Microsoft update doesn't mean it's a Windows update, and Get-Hotfix only queries the operating system update list, as far as I know.

  • #34173

    Richard Siddaway

    If I remember correctly Get-Hotfix uses the WMI class Win32_QuickFixEngineering under the covers. Looking at the class description "The Win32_QuickFixEngineering WMI class represents a small system-wide update, commonly referred to as a quick-fix engineering (QFE) update, applied to the current operating system"

    It only picks up OS patches so you won't see the Office patches

  • #34954

    Jim Van Sickler

    Try this:

    $Comps | ForEach-Object {
        $WinKBs = (Invoke-Command -ComputerName $_ -ScriptBlock {
        Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select '(Default)', DisplayName })
        $WoWKBs = (Invoke-Command -ComputerName $_ -ScriptBlock {
        Get-ItemProperty HKLM:\SOFTWARE\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select '(Default)', DisplayName })
        $OPP_Patches = (Invoke-Command -ComputerName $_ -ScriptBlock {
        Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00005109110000000100000000F01FEC\Patches\* | Select '(Default)', DisplayName })
        $REGKB += $WinKBs, $WoWKBs, $OPP_Patches
        $DisplayName = $REGKB.DisplayName
        $Default = $REGKB.'(Default)'
    ForEach ($Computer in $Comps) {
    ForEach ($KB in $Comps_OPPKBs) {
    if (($DisplayName -contains $KB -eq "True") -or ($Default -contains $KB -eq "True") -or ($DisplayName -match $KB) -or ($Default -match $KB)) {
        Write-Output "$Computer reports $KB is Installed"
        } else {
        Write-Warning "$Computer reports $KB is Missing"

    This is working on a Server 2012-PS4_Win7-PS2 network

    My Variables:

    $Comps = $(Get-ADComputer -Filter * -SearchBase 'OU=ComputersComps, OU=WindowsSystems, DC=testlan, DC=local').Name | Sort-Object
    $Comps = $Comps.ToUpper()
    $CompsKBs = Get-Content .\Comps_KBs_.txt
    $Comps_OPPKBs = Get-Content .\Comps_OPPKBs_.txt
    $REGKB = @()

    Note: verify the key under Patches; my work PC has this key instead of the one listed above...they're only different in one character (0 vice 1):

    Microsoft may hide other updates elsewhere. I think you can add their locations to this and add them to $RegKB. I've only seen the KBXXXXXXX listed under .(Default) and .DisplayName, to I've limited it to those two to keep it simpler. You can view the contents of $RegKB, so you can verify that it's there/not there to validate the Installed/Missing state.

    You can use regedit to load the remote registry to drill down and validate the key; click on Rename to copy the actual value and paste it into your script.

    Hope this helps.

    Another Note: something that caught me up was the difference between -contains and -match...contains requires "-eq True" and match won't work if it has "-eq "True". Both are required for success.

    It took me a LOT of trial and error to get this working right – mostly error 🙁

    This is part of my very first real script – driven by the requirement to validate about 1700 patches applied to 60 systems, including Flash, Silverlight, McAfee and Acrobat Reader...NO WAY was I going to be able to do it manually. And thanks to PowerShell and the PowerShell Community, it works!!!

  • #92105


    I know this is an older post, but I needed to grab Office patches via PS and found this post today. We're locked down here where we can't invoke PS remotely, so unfortunately, we have to either run this locally or run using SCCM wrapped in something else. And I've been asked to save to csv... But, anyways, this was my solution based off Jim's reply – this one grabs anything that ends in F01FEC so I don't need to worry about Office version and it will grab updates for other Office-related apps like Visio.

    $patches=foreach ($key in (Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products | where {$_.Name -match "F01FEC"})){
        $subkey = $key.PSChildName
        Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\$subkey\Patches -ErrorAction SilentlyContinue | 
        Get-ItemProperty | Select-Object displayname,@{Name='KB#';Expression={$_.moreinfourl.substring($_.moreinfourl.length-11).ToUpper() -replace '[\W]'}} | where {$_.displayname -ne ""} 
    $patches | Sort-Object -Property "KB#" | Export-Csv c:\admin\office_patches.csv -NoTypeInformation -Force

You must be logged in to reply to this topic.