Okay, first of all, if you read my last post and then looked at this script, you will see that I lied about which method I would use to call the COMMAND (I still used Invoke-Expression).
Anyway, I wanted to post this script; anyone who doesn’t use WSUS or another patch management tool may want to use it. If you do use WSUS, you can alter this script to check directly on the WSUS server if you need to report on the required/outstanding patches.
In summary, you run this script against a list of servers and it produces a single report file for each server with a summarised list of the outstanding patches.
You must download and install MBSA v2.1 first.
The script is below and the full version is available for download with Help included on the TechNet Script Center Repository.
```powershell
#Requires -Version 2.0
[CmdletBinding()]
Param
(
    [Parameter(Mandatory=$true,
               ValueFromPipeline=$true,
               ValueFromPipelineByPropertyName=$true)]
    [Alias("computers")]
    [String]
    $Hosts,

    [Alias("r")]
    [String]
    $ReportDir = "C:\PS\MBSA\Reports\NewReports",

    [Alias("d")]
    [Switch]$DetailedReport,

    [Alias("s")]
    [Switch]$SummaryInfo
)#End Param

Begin
{
    Write-Host "Retrieving Computer Security Info . . ."
}
Process
{
    # Check that the prerequisite MBSA v2 is installed.
    if ((Test-Path "C:\Program Files\Microsoft Baseline Security Analyzer 2") `
        -or (Test-Path "C:\Program Files (x86)\Microsoft Baseline Security Analyzer 2"))
    {
        # $Hosts is the path to the list file of hosts to scan
        $Report = $Null

        # Run the report with options.
        $cmd = "cmd /c mbsacli /listfile ""$Hosts"" /n OS+SQL+IIS+Password"
        $ReportDetails = Invoke-Expression $cmd

        # Extract the name of the report from the text output from mbsacli
        if ($ReportDetails[4] -ne $Null)
        {
            for ($i = 4; $i -lt $ReportDetails.length; $i++)
            {
                Write-Host $i
                $Report = ($ReportDetails[$i].Split(",")[3]).Substring(1)
                Write-Host "report name is" $Report

                if ($SummaryInfo)
                {
                    # Extract overview report to Object (/lr)
                    $cmd2 = "cmd /c mbsacli /lr ""$Report"""
                    $FullReport = Invoke-Expression $cmd2
                }
                else
                {
                    # Extract detailed report to Object (/ld)
                    $cmd2 = "cmd /c mbsacli /ld ""$Report"""
                    $FullReport = Invoke-Expression $cmd2
                }

                # Scan the results for missing updates
                $SummaryReport = $FullReport | Where-Object {($_ -match "Missing") `
                    -or ($_ -match "Computer name:") -or ($_ -match "Issue:") `
                    -or ($_ -match "Not Approved")}

                # Both report file names use the server name, so extract it
                # before choosing which report to write.
                $ServerName = ($FullReport |
                    Where-Object {$_ -match "Computer name:"}).Split("\")[1]

                if ($DetailedReport)
                {
                    # Report the full results
                    $FullReportName = Get-Date `
                        -uformat "MBSA_Full_%Y%m%d_%I-%M_$ServerName.txt"
                    $FullReportName = (Join-Path -path $ReportDir -childpath `
                        $FullReportName)
                    $FullReport | Out-File $FullReportName
                    Write-Host "Report (full) written to" $FullReportName
                }
                else
                {
                    # Report the summary results
                    $SummaryReportName = Get-Date `
                        -uformat "MBSA_Summary_%Y%m%d_%I-%M_$ServerName.txt"
                    $SummaryReportName = (Join-Path -path $ReportDir -childpath `
                        $SummaryReportName)
                    $SummaryReport | Tee-Object $SummaryReportName
                    # To open the reports uncomment the line below
                    #Invoke-Item $SummaryReportName
                    Write-Host ""
                    Write-Host "Report (summary) written to" $SummaryReportName
                }
            }
        }
        else
        {
            Write-Host "There are no valid hosts, now exiting"
        }
    }
    else
    {
        Write-Host "Please install the MBSA prior to running this script"
    }
}
End
{
}
```
Okay, so there is not too much to say: you can easily get a nice list of outstanding patches, and the script provides a full or summary report. It's just another way PowerShell can come in handy to automate a task that normally requires some GUI or user interface. A lot of the time, using PowerShell to parse the report file output from other tools is a real benefit.
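The script builds its mbsacli command lines as strings containing `$Hosts` and `$Report` and runs them through Invoke-Expression and `cmd /c`, so a quote or shell metacharacter in either value is parsed as code rather than data. The following is an added example, not part of the original script, that passes the same switches as an argument array through the call operator; the function names are hypothetical, and it assumes mbsacli.exe sits in one of the two install directories the script checks for.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes mbsacli.exe is in one of the install directories the script tests for.
function Invoke-Mbsacli {
    param([Parameter(Mandatory=$true)][String[]]$Arguments)

    $candidates = @(
        "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe",
        "C:\Program Files (x86)\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
    )
    $exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } |
           Select-Object -First 1
    if (-not $exe) { throw "mbsacli.exe not found; install MBSA first." }

    # The call operator hands each array element to mbsacli as one argument.
    # Nothing is re-parsed by PowerShell or cmd.exe, so a ';' or '&' inside
    # a file name or report name is never executed as code.
    & $exe $Arguments
}

function Start-MbsaScan {
    param([Parameter(Mandatory=$true)][String]$HostsFile)

    # Fail early if the list file does not exist, and pass the resolved path.
    $resolved = (Resolve-Path -LiteralPath $HostsFile -ErrorAction Stop).ProviderPath
    Invoke-Mbsacli -Arguments @("/listfile", $resolved, "/n", "OS+SQL+IIS+Password")
}

function Get-MbsaReport {
    param(
        [Parameter(Mandatory=$true)][String]$ReportName,
        [Switch]$Overview
    )
    # /lr prints the overview report, /ld the detailed one.
    if ($Overview) { $mode = "/lr" } else { $mode = "/ld" }
    Invoke-Mbsacli -Arguments @($mode, $ReportName)
}

# Usage, mirroring the script's two steps:
#   $ReportDetails = Start-MbsaScan -HostsFile $Hosts
#   $FullReport    = Get-MbsaReport -ReportName $Report -Overview:$SummaryInfo
```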