How to get missing software updates using PowerShell

I needed to list all the missing Windows Updates that have been deployed through Configuration manager. This means, not the ones deployed through WSUS, nor the ones that have NOT been deployed to that specific machine, just get the missing updates that the machine is suppose to have.

The information was not that straight forward to get, but I ended up finding a way to find all the missing updates using PowerShell, WMI and put all of that together into Configuration Manager Configuration Item (and Configuration Manager Baselines).

How to list missing software updates using powershell?

So how do we get the sccm 2012 software updates with powershell? This information can be found a bit anywhere on the internet, and can use thousand of different ways to achieve this goal. (Check out my other Script to retrieve a list of existing Software updates right here) While this blog post mostly explains how to create a Configuration Item that will return the missing software updates deployed on a machine using PowerShell, I though that this article would be incomplete if we didn’t added the basic of the basics: how to list the software updates using powershell and the Configuration Manager client agent.

 Function Get-CMSoftwareUpdates{ Param( $ComputerName = $env:COMPUTERNAME ) $NameSpace = “ROOTccmSoftwareUpdatesUpdatesStore” $Query = “Select * FROM CCM_UpdateStatus” $Class = “CCM_UpdateStatus” $Results = Get-WmiObject -ComputerName $ComputerName -Namespace $NameSpace -Class $class -Query $Query return $Results }

Function Get-CMSoftwareUpdates{

Param(

$ComputerName = $env:COMPUTERNAME

)

$NameSpace = “ROOTccmSoftwareUpdatesUpdatesStore”

$Query = “Select * FROM CCM_UpdateStatus”

$Class = “CCM_UpdateStatus”

$Results = Get-WmiObject -ComputerName $ComputerName -Namespace $NameSpace -Class $class -Query $Query

return $Results

}

How to get Missing software updates using Powershell?

If you have the configuration manager client deployed, you are lucky, because this method will work for you!

In order to get missing the sofware updates using powershell, we can retrieve pretty precise information on deployed updates using the CCM_UpdateStatus class. The function below illustrates that.

 Function Get-CMMissingSoftwareUpdates { Param( <div class="fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container hundred-percent-fullwidth non-hundred-percent-height-scrolling" style="--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-overflow:visible;" ><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start" style="width:calc( 100% + 0px ) !important;max-width:calc( 100% + 0px ) !important;margin-left: calc(-0px / 2 );margin-right: calc(-0px / 2 );"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column fusion-flex-align-self-flex-start fusion-column-no-min-height" style="--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:0px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:0px;--awb-width-medium:100%;--awb-spacing-right-medium:0px;--awb-spacing-left-medium:0px;--awb-width-small:100%;--awb-spacing-right-small:0px;--awb-spacing-left-small:0px;"><div class="fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column">[switch]$ShowExcludeForStateReporting ) if ($ShowExcludeForStateReporting){ $Results = Get-WmiObject -Namespace ROOTccmSoftwareUpdatesUpdatesStore -Query “Select * from CCM_UpdateStatus WHERE Status = ‘Missing'” }else{ $Results = Get-WmiObject -Namespace ROOTccmSoftwareUpdatesUpdatesStore -Query “Select * from CCM_UpdateStatus WHERE Status = ‘Missing’ AND ExcludeForStateReporting = ‘false'” } return $Results }

Function Get-CMMissingSoftwareUpdates {

Param(

[fusion_builder_container hundred_percent=“yes” overflow=“visible”][fusion_builder_row][fusion_builder_column type=“1_1” background_position=“left top” background_color=“” border_size=“” border_color=“” border_style=“solid” spacing=“yes” background_image=“” background_repeat=“no-repeat” padding=“” margin_top=“0px” margin_bottom=“0px” class=“” id=“” animation_type=“” animation_speed=“0.3” animation_direction=“left” hide_on_mobile=“no” center_content=“no” min_height=“none”][switch]$ShowExcludeForStateReporting

)

if ($ShowExcludeForStateReporting){

$Results = Get-WmiObject -Namespace ROOTccmSoftwareUpdatesUpdatesStore -Query “Select * from CCM_UpdateStatus WHERE Status = ‘Missing'”

}else{

$Results = Get-WmiObject -Namespace ROOTccmSoftwareUpdatesUpdatesStore -Query “Select * from CCM_UpdateStatus WHERE Status = ‘Missing’ AND ExcludeForStateReporting = ‘false'”

}

return $Results

}

This function will get you all the updates that are currently missing. But this list might include software updates from WSUS. So we need to filter this one one more down and retrieve only the missing software updates that have been deployed.

How to get the deployed software update groups with powershell?

Now this one was the one that got me the most trouble. Again, the technical part of retrieving the information is never really the difficult part. The most difficult part is where to search for the information.

The most difficult part is not how to get the desired information, but rather more where to get find it in the first place.

To list all the software updates groups that have been deployed to a specefic machine will use the CCM_UpdateCIAssignment WMI class.

 Function Get-CMSoftwareUpdateGroupAssignement{ Param( $ComputerName = $env:COMPUTERNAME, $GroupName ) $NameSpace = “ROOTccmPolicyMachineRequestedConfig” if ($GroupName){ $Query = “Select * FROM CCM_UpdateCIAssignment WHERE AssignmentNAme = ‘$GroupName'” }else{ $Query = “Select * FROM CCM_UpdateCIAssignment” } $Results = Get-WmiObject -ComputerName $ComputerName -Namespace $NameSpace -query $Query return $Results }

Function Get-CMSoftwareUpdateGroupAssignement{

Param(

$ComputerName = $env:COMPUTERNAME,

$GroupName

)

$NameSpace = “ROOTccmPolicyMachineRequestedConfig”

if ($GroupName){

$Query = “Select * FROM CCM_UpdateCIAssignment WHERE AssignmentNAme = ‘$GroupName'”

}else{

$Query = “Select * FROM CCM_UpdateCIAssignment”

}

$Results = Get-WmiObject -ComputerName $ComputerName -Namespace $NameSpace -query $Query

return $Results

}

How to get all software updates from a software update group?

Now this was a tricky one! Now that you have all Update groups (Actually, it is the Softwate update group ‘Deployment’), you would like all the Software updates that are assigneg to your computer through that Software Update Group. For that, I have built another function, where I go this time into some XML parsing on data retrieved from the WMI repository. The final version returns an object with all the Updates that are deployed through that software update Group.

 Function Get-CMSoftwareUpdatesFromUpdateGroup{ Param( [Parameter(Mandatory=$true)]$GroupName ) $SofwareUpdateGroup = Get-CMSoftwareUpdateGroupAssignement -GroupName $GroupName $AssignedCIs = $SofwareUpdateGroup.AssignedCIs    $AllFoundUpdates = @() foreach ($Update in $AssignedCIs){ $UpdateObj=[pscustomobject]@{“Article”=””;”Id”=””;”ModelName”=””;”Version”=””;”CIVersion”=””;”ApplicabilityCondition”=””;”EnforcementEnabled”=””;”DisplayName”=””;”UpdateClassification”=””} [xml]$Ux = $Update $UpdateObj.Article = $Ux.ci.DisplayName | Select-String -Pattern ‘KBd*’ -AllMatches | % { $_.Matches } | % {$_.value} $UpdateObj.id = $ux.ci.id $UpdateObj.ModelName = $Ux.ci.ModelName $UpdateObj.Version = $ux.ci.version $UpdateObj.CIVersion = $ux.ci.civersion $UpdateObj.ApplicabilityCondition = $ux.ci.ApplicabilityCondition $UpdateObj.EnforcementEnabled = $ux.ci.EnforcementEnabled $UpdateObj.DisplayName = $Ux.ci.DisplayName $UpdateObj.UpdateClassification = $ux.ci.UpdateClassification if ($UpdateObj -ne $null){ $AllFoundUpdates += $UpdateObj } }#end foreach return $AllFoundUpdates }

Function Get-CMSoftwareUpdatesFromUpdateGroup{

Param(

[Parameter(Mandatory=$true)]$GroupName

)

$SofwareUpdateGroup = Get-CMSoftwareUpdateGroupAssignement -GroupName $GroupName

$AssignedCIs = $SofwareUpdateGroup.AssignedCIs

$AllFoundUpdates = @()

foreach ($Update in $AssignedCIs){

$UpdateObj=[pscustomobject]@{“Article”=“”;“Id”=“”;“ModelName”=“”;“Version”=“”;“CIVersion”=“”;“ApplicabilityCondition”=“”;“EnforcementEnabled”=“”;“DisplayName”=“”;“UpdateClassification”=“”}

[xml]$Ux = $Update

$UpdateObj.Article = $Ux.ci.DisplayName | Select-String -Pattern ‘KBd*’ -AllMatches | % { $_.Matches } | % {$_.value}

$UpdateObj.id = $ux.ci.id

$UpdateObj.ModelName = $Ux.ci.ModelName

$UpdateObj.Version = $ux.ci.version

$UpdateObj.CIVersion = $ux.ci.civersion

$UpdateObj.ApplicabilityCondition = $ux.ci.ApplicabilityCondition

$UpdateObj.EnforcementEnabled = $ux.ci.EnforcementEnabled

$UpdateObj.DisplayName = $Ux.ci.DisplayName

$UpdateObj.UpdateClassification = $ux.ci.UpdateClassification

if ($UpdateObj -ne $null){

$AllFoundUpdates += $UpdateObj

}

}#end foreach

return $AllFoundUpdates

}

How to get all missing software updates that have been deployed from a specific configuration manager software update group with powerShell?

Now that we have the list of missing software updates, and the list of deployed software update groups (assigned software update group), there rest is just a piece of cake!

 Function Get-MissingUpdateFromUpdateGroup { [cmdletBinding()] Param( $GroupName ) $SoftwareUpdateGroup = Get-CMSoftwareUpdatesFromUpdateGroup -GroupName $GroupName #| select ID if (!($SoftwareUpdateGroup)){ write-verbose “SoftwareUpdate group $($GroupName) is empty, or inexisting.” break } $MissingUpdates = Get-CMMissingSoftwareUpdates foreach ($MissingUpdate in $MissingUpdates){ #Write-Verbose “Comparing $($SoftwareUpdateGroup.id) with $($MissingUpdate.uniqueid)” if ($SoftwareUpdateGroup.id -contains $MissingUpdate.uniqueid){ write-verbose ” The KB $($MissingUpdate.article) is missing from $($GroupName).” $MissingUpdate break } } }

Function Get-MissingUpdateFromUpdateGroup {

[cmdletBinding()]

Param(

$GroupName

)

$SoftwareUpdateGroup = Get-CMSoftwareUpdatesFromUpdateGroup -GroupName $GroupName #| select ID

if (!($SoftwareUpdateGroup)){

write-verbose “SoftwareUpdate group $($GroupName) is empty, or inexisting.”

break

}

$MissingUpdates = Get-CMMissingSoftwareUpdates

foreach ($MissingUpdate in $MissingUpdates){

#Write-Verbose “Comparing $($SoftwareUpdateGroup.id) with $($MissingUpdate.uniqueid)”

if ($SoftwareUpdateGroup.id -contains $MissingUpdate.uniqueid){

write-verbose ” The KB $($MissingUpdate.article) is missing from $($GroupName).”

$MissingUpdate

break

}

This PowerShell function will loop through all of the assigned software update groups deployed on a particular machine, and compare the deployed updates, with the missing ones. If one missing update is present in the group, the script break’s out of the loop and output the missing update.