get-hotfix does not id office patches?

This topic contains 3 replies, has 4 voices, and was last updated by Jim Van Sickler 7 months, 3 weeks ago.

    P1 WAR

    Does anyone have a script that can identify the patches (KBs) applied to Office, Word, Excel, etc.? The Windowupdatelog shows definitions, Get-Hotfix shows Windows system updates, but I cannot see a way of checking which KBs have been applied to, say, Excel. I have also explored HKLM with no joy. If I look at MS and read the KB I can see the EXEs/DLLs etc. that the KB updates. I can check the machines in question and see the EXE has updated, but wanted a script to run on all machines on a domain to ID if the KB has applied. (Happy to have a script for local host first and I can adapt for the domain.) Many thanks in advance.

    Don Jones

    I'm not sure that the Office hot fixes actually get installed into the system table – they're just updates to actual files for the Office application. So you'd be checking the EXEs and DLLs. Just because it's a Microsoft update doesn't mean it's a Windows update, and Get-Hotfix only queries the operating system update list, as far as I know.


    If I remember correctly, Get-Hotfix uses the WMI class Win32_QuickFixEngineering under the covers. Looking at the class description: "The Win32_QuickFixEngineering WMI class represents a small system-wide update, commonly referred to as a quick-fix engineering (QFE) update, applied to the current operating system."

    It only picks up OS patches, so you won't see the Office patches.

    Jim Van Sickler

    Try this:

    $Comps | ForEach-Object {
        $Computer = $_
        # Uninstall entries (native and WoW6432Node views) plus the Office product's Patches key
        $WinKBs = (Invoke-Command -ComputerName $Computer -ScriptBlock {
            Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select '(Default)', DisplayName })
        $WoWKBs = (Invoke-Command -ComputerName $Computer -ScriptBlock {
            Get-ItemProperty HKLM:\SOFTWARE\WoW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select '(Default)', DisplayName })
        $OPP_Patches = (Invoke-Command -ComputerName $Computer -ScriptBlock {
            Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00005109110000000100000000F01FEC\Patches\* | Select '(Default)', DisplayName })
        # Rebuild the list for each computer so one machine's entries are not reported for another
        $REGKB = @($WinKBs) + @($WoWKBs) + @($OPP_Patches)
        $DisplayName = $REGKB.DisplayName
        $Default = $REGKB.'(Default)'
        # Check every required KB against this computer's registry entries
        ForEach ($KB in $Comps_OPPKBs) {
            if (($DisplayName -contains $KB -eq "True") -or ($Default -contains $KB -eq "True") -or ($DisplayName -match $KB) -or ($Default -match $KB)) {
                Write-Output "$Computer reports $KB is Installed"
            } else {
                Write-Warning "$Computer reports $KB is Missing"
            }
        }
    }

    This is working on a Server 2012-PS4_Win7-PS2 network

    My Variables:

    $Comps = $(Get-ADComputer -Filter * -SearchBase 'OU=ComputersComps, OU=WindowsSystems, DC=testlan, DC=local').Name | Sort-Object
    $Comps = $Comps.ToUpper()
    $CompsKBs = Get-Content .\Comps_KBs_.txt
    $Comps_OPPKBs = Get-Content .\Comps_OPPKBs_.txt
    $REGKB = @()

    Note: verify the key under Patches; my work PC has this key instead of the one listed above...they're only different in one character (0 vice 1):

    Microsoft may hide other updates elsewhere. I think you can add their locations to this and add them to $RegKB. I've only seen the KBXXXXXXX listed under .(Default) and .DisplayName, so I've limited it to those two to keep it simpler. You can view the contents of $RegKB, so you can verify that it's there/not there to validate the Installed/Missing state.

    You can use regedit to load the remote registry to drill down and validate the key; click on Rename to copy the actual value and paste it into your script.

    Hope this helps.

    Another Note: something that caught me up was the difference between -contains and -match...contains requires "-eq True" and match won't work if it has "-eq True". Both are required for success.

    It took me a LOT of trial and error to get this working right – mostly error 🙁

    This is part of my very first real script – driven by the requirement to validate about 1700 patches applied to 60 systems, including Flash, Silverlight, McAfee and Acrobat Reader...NO WAY was I going to be able to do it manually. And thanks to PowerShell and the PowerShell Community, it works!!!
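
Added example, not part of the original posts: the last reply notes that the product key under `Products` can differ between machines, so this version enumerates every product's `Patches` subkey instead of hard-coding one and pulls the KB numbers out of `DisplayName`. The function names, the KB regular expression and the placeholder KB values are assumptions made for this example.

```powershell
# Added example (not the poster's code). Names below are hypothetical.
function Get-InstallerPatchKB {
    param(
        # Per-product records for machine-wide installs; same root as the key in the post above
        [string]$ProductsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
    )
    foreach ($product in Get-ChildItem -Path $ProductsRoot -ErrorAction SilentlyContinue) {
        $patchRoot = Join-Path $product.PSPath 'Patches'
        if (-not (Test-Path -Path $patchRoot)) { continue }
        # Product display name, when the product records one
        $props = Get-ItemProperty -Path (Join-Path $product.PSPath 'InstallProperties') -ErrorAction SilentlyContinue
        foreach ($patch in Get-ChildItem -Path $patchRoot) {
            $name = [string](Get-ItemProperty -Path $patch.PSPath).DisplayName
            # Assumption: the KB number appears in DisplayName as "KB" followed by 6-8 digits
            foreach ($m in [regex]::Matches($name, 'KB\d{6,8}', 'IgnoreCase')) {
                New-Object PSObject -Property @{
                    ProductKey = $product.PSChildName
                    Product    = $props.DisplayName
                    KB         = $m.Value.ToUpper()
                    PatchName  = $name
                }
            }
        }
    }
}

function Test-RequiredKB {
    param([string[]]$RequiredKB, [string[]]$InstalledKB)
    # Exact, case-insensitive comparison: avoids -match treating "KB123456" as a hit for "KB1234567"
    foreach ($kb in $RequiredKB) {
        New-Object PSObject -Property @{
            KB        = $kb.Trim().ToUpper()
            Installed = ($InstalledKB -contains $kb.Trim())
        }
    }
}

# Local check against constructed placeholder KB numbers (replace with your own list)
$required  = 'KB0000001', 'KB0000002'
$installed = @(Get-InstallerPatchKB | ForEach-Object { $_.KB })
Test-RequiredKB -RequiredKB $required -InstalledKB $installed

# Remote use, following the thread's approach ($Comps as defined in the post above):
# foreach ($c in $Comps) {
#     $found = @(Invoke-Command -ComputerName $c -ScriptBlock ${function:Get-InstallerPatchKB} | ForEach-Object { $_.KB })
#     Test-RequiredKB -RequiredKB (Get-Content .\Comps_OPPKBs_.txt) -InstalledKB $found
# }
```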
