Using PowerShell to pull monthly Microsoft patches

A few months ago, Microsoft changed their patching release format, for better or worse. I imagine in 4 years we’ll consider this for the better, but for now, moving the cheese kinda sucks. Getting monthly patch details is also a bit annoying, as it’s more self-serve these days. It can at least be done, and reports can be quickly pulled for what got released in the current month. For instance, check out the PowerShell scripts here and here for some ideas. These depend on having PowerShell 5 installed, which on Windows 7 requires the extra step of loading Win7AndW2K8R2-KB3191566-x64.msu (aka Windows Management Framework 5.0). That opens up the ability to grab things from the PowerShell Gallery, Microsoft’s central repository of cmdlets and scripts. Also needed is an API key, which is free and individually issued; instructions should be in the first link.

Is this perfect? No. The report is a bit unwieldy and is a reminder of all the various product types you have to track just to answer, “What Windows 7 patches are there?” or “What non-OS products are covered?” But getting the data can be very easy, and from there the information can be mangled into shape with some custom scripting on the auditor’s end. We also now have to start remembering and talking about CVE or KB numbers rather than the slightly more memorable MSYY- format. At least we got MS17-010 in before the cutover! In addition, rather than one MSYY- number covering 14 IE updates, all 14 updates are now treated separately. This means we now have months where 100 updates are issued, where before these could be chunked together and called only 12 updates. Not a huge deal, mostly just semantics.
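Here is an added example of the kind of auditor-side scripting described above; it is not from the original post or the linked scripts. It assumes the MsrcSecurityUpdates module from the PowerShell Gallery (the post references the gallery and an API key but does not name the module) and that the output properties FullProductName, KBArticle, CVE and Severity exist as named here, which can vary between module versions.

```powershell
# Added example: pull one month's security updates from the MSRC API and
# answer the two questions from the post. Requires PowerShell 5+ and the
# MsrcSecurityUpdates module (assumed to be what the linked scripts use).
Install-Module -Name MsrcSecurityUpdates -Scope CurrentUser -Force
Import-Module -Name MsrcSecurityUpdates

# Placeholder: replace with the free, individually issued key from the MSRC portal.
Set-MSRCApiKey -ApiKey '<YOUR-MSRC-API-KEY>'

# Month to report on, in the API's 'YYYY-MMM' form (constructed sample value).
$month = '2017-May'
$doc   = Get-MsrcCvrfDocument -ID $month

# Flatten the CVRF document into one row per (product, CVE) pairing.
$affected = $doc | Get-MsrcCvrfAffectedSoftware

# KBArticle may be a plain string or an object with an ID, depending on module
# version (assumption); normalise it to a comma-joined string for grouping.
$kbOf = {
    param($row)
    @($row.KBArticle | ForEach-Object { if ($_.ID) { $_.ID } else { "$_" } }) -join ','
}

# Question 1: "What Windows 7 patches are there?"  Grouping by KB collapses the
# per-CVE rows (100 'updates') back into the few packages you actually deploy.
$affected |
    Where-Object { $_.FullProductName -like 'Windows 7*' } |
    Group-Object -Property { & $kbOf $_ } |
    ForEach-Object {
        [pscustomobject]@{
            KB       = $_.Name
            CVEs     = (@($_.Group.CVE) | Sort-Object -Unique) -join ', '
            Severity = (@($_.Group.Severity) | Sort-Object -Unique) -join '/'
            Products = (@($_.Group.FullProductName) | Sort-Object -Unique) -join '; '
        }
    } |
    Sort-Object KB |
    Format-Table -AutoSize

# Question 2: "What non-OS products are covered?"  Treat anything whose product
# name does not start with 'Windows' as a non-OS product (Office, .NET, etc.).
$affected |
    Where-Object { $_.FullProductName -notlike 'Windows*' } |
    Select-Object -ExpandProperty FullProductName -Unique |
    Sort-Object
```

Running the same script against consecutive months and diffing the KB column is a quick way to see which roll-up superseded which.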

Probably the most frustrating part of the change is the rolling cumulative Security Update quality roll-up that ships every month. Each month’s packaged OS security roll-up supersedes the previous month’s. In poorly tested patching implementations, this can mean that an unpatched system never shows as more than 30 days out of compliance: every 30 days the old patch is no longer applicable, and the new one starts a fresh clock. It’s a weird setup, but it makes sense in a way, and I’m sure we’ll get used to it.
