Patch Tuesday is upon us. Our pilot group of servers was patched via SCCM but there were reports that 2012R2 servers were not picking up one of the patches. I wanted to quickly identify the servers that were missing patches.
Our pilot servers are in two groups. So I did the following:
    "SCCM_Pilot_ManualReboot","SCCM_Pilot_AutoReboot" |
    %{ Get-ADGroupMember $_ } |
    ?{ Test-Connection $_.name -Quiet -Count 1 } |
    ?{ (Get-WmiObject Win32_OperatingSystem -CN $_.name).Version -eq "6.3.9600" } |
    ft @{Label="Name"; Expr={$_.name}; Width=20}, @{Label="KB4012204"; Expr={(Get-WmiObject Win32_QuickFixEngineering -cn $_.name -Filter "HotFixID='KB4012204'").InstalledOn}}
The first two lines basically enumerate the two groups. If it was just one group I could have replaced it with Get-ADGroupMember "GroupName".
The remaining code checks whether the server is online, keeps only the 2012 R2 servers (version number 6.3.9600), and makes a list of the servers along with the installed date of the hotfix I am interested in. If the hotfix is not installed, the date will be blank. Simple.
Oh, and I wanted to get the output as and when it comes so I went with a Width=20 in the name field. I could have avoided that and gone for an -AutoSize but that would mean I’ll have to patiently wait for PowerShell to generate the entire output and then Format-Table to do an autosize.
Update: While on the Win32_QuickFixEngineering WMI class I wanted to point to these posts: [1], [2]
Worth keeping in mind that Win32_QuickFixEngineering (or QFE for short) only returns patches installed via the CBS (Component Based Servicing) – which is what Windows Updates do anyway. What this means, however, is that it does not return patches installed via an MSI/MSP/MSU.
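In the one-liner above, a server that is offline or whose WMI query fails either drops out of the list or shows the same blank date as a server that is genuinely missing the hotfix. The following is an added example, not the author's code, that reports those cases separately; the function name Get-PilotHotfixStatus and the status labels are hypothetical, and it assumes the ActiveDirectory module and remote WMI access.

```powershell
# Added example (not from the original post). Group names, OS version and
# KB ID are the ones used in the post; everything else is illustrative.
function Get-PilotHotfixStatus {
    [CmdletBinding()]
    param(
        [string[]]$Group     = @('SCCM_Pilot_ManualReboot', 'SCCM_Pilot_AutoReboot'),
        [string]  $HotFixId  = 'KB4012204',
        [string]  $OsVersion = '6.3.9600'   # 2012 R2
    )

    # Computer accounts only; a server that is in both groups is reported once.
    $names = $Group |
        ForEach-Object { Get-ADGroupMember -Identity $_ } |
        Where-Object   { $_.objectClass -eq 'computer' } |
        Select-Object  -ExpandProperty Name -Unique

    foreach ($name in $names) {
        $row = [pscustomobject]@{
            Name = $name; HotFixId = $HotFixId; Status = $null; InstalledOn = $null
        }
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $row.Status = 'Offline'          # patch state unknown, follow up later
            $row; continue
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            if ($os.Version -ne $OsVersion) { continue }   # not 2012 R2, out of scope

            $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $name `
                       -Filter "HotFixID='$HotFixId'" -ErrorAction Stop
            if ($qfe) {
                $row.Status      = 'Installed'
                $row.InstalledOn = @($qfe)[0].InstalledOn
            } else {
                $row.Status = 'Missing'      # QFE has no record of this hotfix
            }
        } catch {
            # RPC, firewall or access failure: unknown, not the same as unpatched
            $row.Status = 'QueryFailed: ' + $_.Exception.Message
        }
        $row   # emitted as soon as each server is checked
    }
}

# Show only the servers that need attention
Get-PilotHotfixStatus | Where-Object { $_.Status -ne 'Installed' }
```

The objects can be piped to Export-Csv instead of the console when the result needs to go to the patching team.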