Windows Updates Status by Computer - PowerShell or ..... ?

We have a number of peer-to-peer networks - mostly Windows 10 Pro.
We are using WMI for monitoring events/logs, etc.
We can see Windows update *events* but this doesn't give us Windows update *status* in any direct or easily readable/understandable way.

I suppose the ideal would be a readout of the Settings/Update & Security/Update Status where it says:
- Your device is up to date
- Updates are available
- [are there others?]

And then somehow to report that updates had failed.  Perhaps this can be parsed from the Update history?

And then, as an option, show update history.

How can this be done?  PowerShell is fine with me / preferable I think....
Fred Marshall (Principal) Asked:
Hector2016 (Systems Administrator and Solutions Architect) Commented:
:) ok, try this.

With this PowerShell script you will be more comfortable:

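# Query the Windows Update Agent COM API for updates that are already installed
$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# IUpdate objects have no Date property; LastDeploymentChangeTime is the update's last publish/change date
$Searcher.Search("IsInstalled=1").Updates | Format-Table -AutoSize LastDeploymentChangeTime,Title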

This piece of code will use the Windows Update API through PowerShell to start a search for available updates, then it will list all the updates in the catalog that are already installed on your computer. It doesn't matter if you use WSUS or the Microsoft Windows Update internet site, the result will be the same. Remember to run it As Administrator.

If you change the search criteria "IsInstalled=1" to "IsInstalled=0" then you will retrieve the list of pending updates.
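Added example, not part of the original answer: the same Windows Update Agent COM objects combined into one status readout per computer, covering the "up to date / updates are available" state, the reboot flag, and recently failed installs from the update history. The function name Get-WindowsUpdateStatus and the HistoryCount parameter are assumptions made for this example; the search has to be able to reach WSUS or Windows Update.

```powershell
# Added example: summarises Windows Update state for the local computer.
# Run from an elevated PowerShell prompt.
function Get-WindowsUpdateStatus {
    [CmdletBinding()]
    param(
        [int]$HistoryCount = 50   # assumption: number of recent history entries to inspect
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Pending updates: applicable to this machine, not installed, not hidden.
    $pending = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

    # Recent update history, newest first.
    $total   = $searcher.GetTotalHistoryCount()
    $history = @()
    if ($total -gt 0) {
        $history = $searcher.QueryHistory(0, [Math]::Min($total, $HistoryCount))
    }

    # ResultCode values follow the WUA OperationResultCode enumeration.
    $resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                      3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $failed = @($history | Where-Object { $_.ResultCode -in 4, 5 })

    $rebootRequired = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = if ($pending.Count -eq 0) { 'Up to date' } else { 'Updates are available' }
        PendingCount   = $pending.Count
        PendingTitles  = @($pending | ForEach-Object { $_.Title })
        RebootRequired = $rebootRequired
        FailedRecent   = @($failed | ForEach-Object {
            [pscustomobject]@{
                Date    = $_.Date
                Result  = $resultNames[[int]$_.ResultCode]
                HResult = '0x{0:X8}' -f $_.HResult
                Title   = $_.Title
            }
        })
    }
}

Get-WindowsUpdateStatus | Format-List
```

An entry in FailedRecent can refer to an update that installed successfully on a later attempt, so compare it against PendingTitles before treating it as an open failure.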
David Johnson, CD, MVP (Owner) Commented:
Ideally you should be using something like WSUS; there are other products out there like GFI LanGuard that get a list of available Windows updates and then check each computer to see if they have those updates.
Check out the Windows Update PowerShell Module at

You can use the results from the commands to get the data you want for your report.
Fred Marshall (Principal, Author) Commented:
footech:  Perhaps I'm a bit dense.  What "results" were you imagining would be helpful in reaching the objective?
It can get which updates are already installed, updates which need to be installed, whether the computer needs to be rebooted.
For example, if no updates need to be installed, then it's up to date.
Hector2016 (Systems Administrator and Solutions Architect) Commented:

If you use a WSUS server to update your computers, you may find my article about making a report of computer status on a WSUS server helpful:

Otherwise, if you don't have WSUS, you can use the WSUSOffline tool to verify if there is any missing update on each computer. But this is not what you want; it will probably be better to install a WSUS server to manage updates for all computers and get a report of their status.
Fred Marshall (Principal, Author) Commented:
Hector2016:  I read the script and it looks like it could do what we need.  But, it would help me get some context if you might give a "30,000 foot" i.e. high altitude perspective on it just getting started.

I should emphasize once more that all of this is being done on a peer-to-peer network.

Here we will sort the list of computers by name
So, the implication of this is that the script is running on the "server" computer.  That would be good.  So I'm trying to figure out how the interaction takes place between the server computer / script and the individual computers.  Is there a list of them initially or....?
Hector2016 (Systems Administrator and Solutions Architect) Commented:
OK, I will tell you more about my proposal:

1. You have a set of computers, sharing the same routed network (they can see each other), and most of them have Windows 10.
2. You are requesting help to keep those computers updated with the latest published patches and to be informed of their status, especially when there are updates failing.

The solution for you is to use WSUS, this is why:
1. You will get a central repository for all updates needed.
2. You will get a central repository for all the update-related information about each computer on your peer-to-peer network.
3. You will have control over what updates are being deployed on client computers.
4. You will be saving Internet bandwidth, because the updates will be downloaded only once. Otherwise, each computer will have to download the same updates (not efficiently).

And this is how-to:
1. Select a computer with good hardware (2GHz CPU 64bits / 8GB RAM / 3TB HDD) and install Windows 2012R2.
2. Deploy WSUS (Follow the Seth guide)
3. Configure your client computers to connect to your WSUS server. (Follow Microsoft indications)
4. Select Windows 10 in Options-Products and Classifications.
5. Select Security Updates, Critical Updates, Update Rollups and Updates, then Sync the WSUS server with Microsoft Catalog.
6. Approve only those updates needed and not superseded.

Note: To make WSUS work well with Windows 10 computers you have to make some post-installation steps: Follow this guide.  

If any doubt, please tell me.

If after all this you still don't want or cannot use WSUS, you still have the WMI alternative:

With this command, you will get a list of all installed updates on a computer:

wmic qfe

This will return a TAB separated file type data with the following fields:

Caption: URL to the KB article associated to the hotfix.
CSName: The name of the computer.
Description: This is actually the category of the hotfix (e.g. Update, Security Update, etc.).
FixComments: This is always blank.
HotFixID: This is the KB id for the hotfix.
InstallDate: This is always blank.
InstalledBy: This is the account ID which installed the hotfix.
InstalledOn: This is the date of the hotfix installation.
Name: This is always blank.
ServicePackInEffect: This is always blank.
Status: This is always blank.

You can get rid of the junk data by getting only the needed fields, for example:
wmic qfe get Caption, Description, HotFixID, InstalledBy, InstalledOn

You can use PSEXEC or Remote PowerShell to run the previous command on each computer, providing authorized credentials.

You will need to re-direct the output of the command to a text file somewhere.

This method will provide you a per-computer list of installed updates, but it will be much less accurate than the WSUS method.
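Added example, not part of the original answer: the per-computer collection described above, done with PowerShell remoting and Get-HotFix, which reads the same Win32_QuickFixEngineering class as wmic qfe. The file names computers.txt and hotfix-report.csv are hypothetical; it assumes remoting is enabled on each PC, that the collecting machine can authenticate to workgroup targets (their names in its WinRM TrustedHosts list, or HTTPS listeners), and that the supplied account is allowed remote administrative access.

```powershell
# Added example: per-computer hotfix inventory over PowerShell remoting.
# Assumption: computers.txt (hypothetical) holds one computer name per line.
$computers  = Get-Content -Path .\computers.txt
$credential = Get-Credential -Message 'Administrator account valid on the target PCs'

$fields = 'CSName', 'HotFixID', 'Description', 'InstalledBy', 'InstalledOn', 'Caption'

$report = foreach ($computer in $computers) {
    try {
        # Get-HotFix runs on the remote PC; only the selected fields come back.
        Invoke-Command -ComputerName $computer -Credential $credential -ErrorAction Stop -ScriptBlock {
            Get-HotFix | Select-Object $using:fields
        } | Select-Object $fields   # drops PSComputerName / RunspaceId added by remoting
    }
    catch {
        # Keep unreachable machines in the report instead of silently dropping them.
        [pscustomobject]@{
            CSName      = $computer
            HotFixID    = $null
            Description = "UNREACHABLE: $($_.Exception.Message)"
            InstalledBy = $null
            InstalledOn = $null
            Caption     = $null
        }
    }
}

# One CSV for all machines, in place of redirecting each command's output to a text file.
$report | Sort-Object CSName, InstalledOn |
    Export-Csv -Path .\hotfix-report.csv -NoTypeInformation
```

A machine that shows up as UNREACHABLE has unknown patch state, so follow it up rather than counting it as patched.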
Fred Marshall (Principal, Author) Commented:
Hector2016 (Systems Administrator and Solutions Architect) Commented:
If you feel this question is solved, please close it and assign the points.
Fred Marshall (Principal, Author) Commented:
As soon as you said: "Install Windows Server 2012R2" it took me out of the peer-to-peer context.  But perhaps you had another idea?
footech Commented:
The Windows Update PowerShell Module I linked to earlier makes use of that functionality and does more.  Each of the .PS1 files included is a function.  If you just put the contents under C:\Users\username\Documents\WindowsPowerShell\Modules\PSWindowsUpdate, then you can run
Import-Module PSWindowsUpdate
which will load all the functions for your use.
Fred Marshall (Principal, Author) Commented:
Thanks all.  I'm doing this piece by piece and not as a full-time job.  So it's taking a little time to try things, etc.  It looks like we're making progress!
Why would a comment that the author said wouldn't work for his environment be proposed as the answer?
If anything, using the COM objects to search Windows (or Microsoft) Update is the best course for a workgroup environment, but a lot would have to be written to do all the comparisons and reporting desired.  If the author can't report back, there's no reasonable expectation that any of the (partial) proposed solutions could be confirmed as the answer.

As such this question should be deleted.  Shame when even the long-standing active members can't close their questions.
Fred Marshall (Principal, Author) Commented:
Thanks all!
Question has a verified solution.
