A PowerShell script to list all installed Microsoft Windows Updates

PowerShell Version 2 or Greater required.

Why use this script?

The PowerShell cmdlet ‘get-hotfix’ sometimes does not draw-out ‘installedon’ information. win32-Quickfixengineering class does not have that information either. <SIGH>

What does this script offer?

The above void can be filled by using the good old ‘wmic qfe list’ command. But, the output of the legacy command is mere text and cannot be easily interrogated like objects in PowerShell.

The attached script converts the output string of ‘wmic qfe list’ command into versatile PowerShell objects, which can be used within other scripts.

Note: Do not forget to include the attached powershell script.

The below POSH oneliner lists all updates installed in the last 2 days and tabulates properties: Computername, KBArticle,InstalledOn, HotFixID and InstalledBy.

Get-MSHotfix|Where-Object {$_.Installedon -gt ((Get-Date).Adddays(-2))}|Select-Object -Property Computername, KBArticle,InstalledOn, HotFixID, InstalledBy|Format-Table

The below powershell command-line will output details about the hotfix with ID ‘2953522’.

Get-MSHotfix|Where-Object {$_.HotfixID -match "KB2953522"}

The below POSH gem opens the Knowledge Base webpage for the hotfix with ID ‘2953522’.

Get-MSHotfix|Where-Object {$_.HotfixID -match "KB2953522"}|ForEach-Object {[System.Diagnostics.Process]::Start($_.KBArticle)}

Script Content:

Function Get-MSHotfix  
    $outputs = Invoke-Expression "wmic qfe list"  
    $outputs = $outputs[1..($outputs.length)]  
    foreach ($output in $Outputs) {  
        if ($output) {  
            $output = $output -replace 'Security Update','Security-Update'  
            $output = $output -replace 'NT AUTHORITY','NT-AUTHORITY'  
            $output = $output -replace '\s+',' '  
            $parts = $output -split ' ' 
            if ($parts[5] -like "*/*/*") {  
                $Dateis = [datetime]::ParseExact($parts[5], '%M/%d/yyyy',[Globalization.cultureinfo]::GetCultureInfo("en-US").DateTimeFormat)  
            } else {  
                $Dateis = get-date([DateTime][Convert]::ToInt64("$parts[5]", 16)) -Format '%M/%d/yyyy'  
            New-Object -Type PSObject -Property @{  
                KBArticle = [string]$parts[0]  
                Computername = [string]$parts[1]  
                Description = [string]$parts[2]  
                FixComments = [string]$parts[6]  
                HotFixID = [string]$parts[3]  
                InstalledOn = Get-Date($Dateis)-format "dddd d MMMM yyyy"  
                InstalledBy = [string]$parts[4]  
                InstallDate = [string]$parts[7]  
                Name = [string]$parts[8]  
                ServicePackInEffect = [string]$parts[9]  
                Status = [string]$parts[10]  

The following script can be used as a template to run this function against multiple machines. For this to work you have to enable PSRemoting on all the machines.

$scriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Definition 
$allUpdates = '' 
$array = @("host1", "host2", "host3") 
for ($i=0; $i -lt $array.length; $i++) { 
$Updates = Invoke-Command -ComputerName $array[$i] ${function:Get-MSHotfix}|ft -HideTableHeaders 
$allUpdates += $Updates 

Further notes:

As mentioned above the get-hotfix cmdlet and get-wmiobject -class win32_quickfixengineering command does not output the ‘installedon’ date for some updates. The reason for which I’m yet to find out. 

Output of the ‘get-wmiobject -class win32_quickfixengineering‘ command: InstalledOn property NOT available for all updates.

Output of the ‘wmic qfe list’ command: Installedon property available for all updates.

Output of Get-MSHotfix:

Related Articles

SCCM task sequence UI – Set computer name and more during an SCCM task sequence deployment

It is always a unique challenge of having to build an OSD experience that includes providing a great user experience during the deployment of a new operating system.

The attached application would allow you to present a front-end to an active end-user who is executing the SCCM task sequence……

Keywords: SCCM tasksequence UI, SCCM Task Sequence User interface, SCCM task sequence Set computer name.


DCOM hardening issue.

This application fails to authenticate with WMI on the SCCM server because Microsoft has not yet hardened DCOM on their Windows Preinstallation Environment. We are working on a different approach, but it will only be released during the first quarter of 2024. But until that time, the only workaround will be to uninstall the update corresponding to KB5004442.