How to Build a Basic Report of Recently Installed Windows Updates

“Distrust and caution are the parents of security.” -Benjamin Franklin

If you’ve ever deployed Windows Updates to clients on your network, you have probably been asked by your manager(s) which KBs were deployed, and when, after an issue comes up on a workstation or server. Unfortunately, the built-in WSUS reporting tool can leave you frustrated, and it doesn’t have great functionality for generating reports outside of the WSUS management GUI. A problem I regularly encounter is a crashing MMC, which then crashes the WSUS services, causing me to have to reset the node and start over. It’s very annoying.

Distrust & Caution

I was recently asked for some assistance by a group of managers who were working on validating a security vulnerability scan. This vulnerability scan was claiming that a set of systems were missing particular Microsoft KBs, KBs that were recently approved, deadlined, and showing as installed in the WSUS management console. I sent some screenshots of the console status along with my sysadmin reply. I didn’t give it much thought at the time because I was busy with other projects and this was a routine request.

A day or so went by, and another vulnerability scan was run, producing the same results. Management was not convinced that the updates were installed. Having issues with WSUS from time to time, I started to distrust the built-in reports and the management console. To be cautious, and a little more diligent, I decided to bypass the WSUS management console and go straight to the workstations and servers that were showing up in the security vulnerability scan.


Some Explicit Remoting Here, A Couple of Cmdlets There….

Luckily, the security vulnerability scan only found about 4 workstations and 12 servers with these supposedly missing KBs. So I created a simple list in a text file using the Fully Qualified Domain Name (FQDN) of each host. I also knew for a fact that the missing KBs would have been installed in the past 30 days, as I had just completed a maintenance cycle.

With this knowledge in hand, I jotted down some pseudo code to help me begin. Here’s what I outlined:

  • Store my text file that contains the list of hosts.
  • For each of the hosts in that file, run a command.
    • The command must gather KBs installed in the last 30 days.
    • The output only needs to contain the hostname, KB/HotFix ID, and the install date.
    • The output needs to be readable, and just needs to be a simple file.
  • No fancy coding needed, just comparing visually to what WSUS reporting was displaying.

Based on my notes, I had a good idea of what I was looking for and what cmdlets I might need. The primary focus was on the Get-HotFix cmdlet. What this cmdlet does is query all the hotfixes (more commonly referred to as security updates) that have been applied to a Windows host. You can read more about this cmdlet and how to use it here.

Get-HotFix does not support implicit remoting, so I needed to come up with a method to run this cmdlet on the systems I needed to report on. Invoke-Command does, and you can pass multiple values to the -ComputerName parameter. I have already saved a list of the hosts I am targeting, so I’ll save myself some typing and store those hosts as a variable. To do so, I’ll have to assign a variable name and make the value the list of hosts. Get-Content will read the content of the text file line by line, creating an array of sorts. Let’s call this array $Hosts. Now I have a command and some data to feed to the next set of commands, but I need to make the resulting data readable and concise.

I want to take a moment here to emphasize “Filter First, Format Last.” Remembering this will help you when working with these types of scripts. Now, running the Get-HotFix cmdlet by itself will typically result in a long list of updates that have been applied to a host. Filtering helps gather just the information you need. Without filtered data, formatting is useless at this point. Think of filtering as your data type requirements, and formatting as how you want that data displayed. For my purposes, I already had the requirements thought out. I needed to get updates installed in the past 30 days.

To filter, I will need to use the Where-Object cmdlet and then pass along some member properties and comparison operators with a dash of math. In pseudo code: take every object returned ($_) from Get-HotFix and, with Where-Object, keep those whose InstalledOn date is greater than (-gt) today’s date (or whenever I run the script) minus 30 days. That will get the initial data I’m looking for, but I want to filter the returned objects and their properties a little more. This is where Select-Object will help, allowing me to further trim the amount of data to be displayed to just a couple of crucial properties.

Now that I have the data properly filtered, I can move on to formatting the results into a usable format. To do so, I’ll pipe ( | ) the results from my previous filtering to Format-Table -AutoSize and output as a file type of my choosing. I’ll need to use the -Append and -ErrorAction SilentlyContinue parameters to ensure that each result is written to the next line in the output file and that an error on one host won’t keep the rest of the hosts from being contacted.
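The steps above, written out as an added example; this is not the author's original script. The file paths, the $Query, $Params and $Days names, and the extra step that records hosts which could not be queried are assumptions made for illustration.

```powershell
# Added example, not the author's script. Paths below are assumed placeholders.
$HostList   = 'C:\Temp\hosts.txt'           # one FQDN per line (assumed path)
$ReportFile = 'C:\Temp\RecentUpdates.txt'   # assumed output path
$Days       = 30

# Read the targets, skipping blank lines.
$Hosts = Get-Content -Path $HostList | Where-Object { $_.Trim() }

# Filter first: this runs on each remote host, so only matching rows come back.
$Query = {
    param($Days)
    $Cutoff = (Get-Date).AddDays(-$Days)
    Get-HotFix |
        Where-Object { $_.InstalledOn -gt $Cutoff } |
        Select-Object HotFixID, InstalledOn
}

# SilentlyContinue keeps one unreachable host from stopping the run;
# ErrorVariable still collects the errors so they can be reported.
$Params = @{
    ComputerName  = $Hosts
    ScriptBlock   = $Query
    ArgumentList  = $Days
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'RemoteErrors'
}
$Results = Invoke-Command @Params

# Format last: hostname, KB and install date, appended to a plain text file.
# Invoke-Command adds PSComputerName to every object it returns.
$Results |
    Sort-Object PSComputerName, InstalledOn |
    Format-Table -AutoSize -Property PSComputerName, HotFixID, InstalledOn |
    Out-File -FilePath $ReportFile -Append

# A host that could not be queried is not evidence that it is patched,
# so write each remoting error into the same report.
foreach ($Err in $RemoteErrors) {
    "NOT QUERIED: $Err" | Out-File -FilePath $ReportFile -Append
}
```

Get-HotFix reads the Win32_QuickFixEngineering WMI class, which does not list every kind of update, so a KB absent from this report needs a second check before it is called missing.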

I chose to go with a text file because I didn’t require anything fancy. You can change the output to meet your needs. My output looked something like this:

Example Output text file

Here’s the final script I came up with and used:

For me, this was simple, concise, and offered proof that the KBs were indeed installed. The report was well received by the management team and was in an easily read format.
