Anyone have a script to list Security updates NOT installed on a local machine?

I see a number of questions and answers regarding listing Windows updates on servers or through WMI/WSUS. What I am trying to do is replicate Belarc's security advisor's listing of Windows updates on local Windows desktops.

End product desired: I would like to have an output file for each computer I touch that lists the missing security updates and their level of importance

PowerShell script, GUI, VBS, etc. I will try to make anything work.

I am including the current script I have in PowerShell (downloaded since I am not a scripter). The main problem is that it doesn't list the missing updates, only the installed ones, and I am not even sure all the installed updates are being listed - it doesn't look like it.

# Gives a list of all Microsoft Updates sorted by KB number/HotfixID
# By Tom Arbuthnot. Lyncdup.com

# http://lyncdup.com/2013/09/list-all-microsoftwindows-updates-with-powershell-sorted-by-kbhotfixid-get-microsoftupdate/

# Windows Update Agent searcher; QueryHistory returns the update history of this
# machine, i.e. updates that were already installed, not the missing ones
$wu = New-Object -ComObject "Microsoft.Update.Searcher"

$totalupdates = $wu.GetTotalHistoryCount()

$all = $wu.QueryHistory(0, $totalupdates)

# Define a new array to gather output
$OutputCollection = @()

foreach ($update in $all)
{
    $string = $update.Title

    # Pull the KB number out of the update title (empty when the title has none)
    $Regex = "KB\d+"
    $KB = [regex]::Match($string, $Regex).Value

    $output = New-Object -TypeName PSObject
    $output | Add-Member NoteProperty "HotFixID" -Value $KB
    $output | Add-Member NoteProperty "Title" -Value $string
    $OutputCollection += $output
}

# Output the collection sorted and formatted:
$OutputCollection | Sort-Object HotFixID | Format-Table -AutoSize
Write-Host "$($OutputCollection.Count) Updates Found"

# If you want to output the collection as an object, just remove the two lines above and replace them with "$OutputCollection"

# credit/thanks:
# http://blogs.technet.com/b/tmintner/archive/2006/07/07/440729.aspx
# http://www.gfi.com/blog/windows-powershell-extracting-strings-using-regular-expressions/

Thomas Zucker-Scharff (Solution Guide) Asked:
Chirag Nagrekar (System Analyst) Commented:
I'm not sure if a PowerShell script can find missing updates on servers, but surely a script can be helpful to find available online updates and installed updates. To find critical alerts for your system you need a utility like a WSUS server, SCCM or third-party security software like Nessus.
0
 
Thomas Zucker-Scharff (Solution Guide) Author Commented:
Then how does Belarc do it? I just ran it on one machine and got this readout in the section about missing updates.


Missing Security Updates – for Adobe, Apple, Java, Microsoft and more
Hotfixes from Microsoft Update (agent version 10.0.16299.98) are turned off.


These security updates apply to this computer but are not currently installed (using Advisor definitions version 2018.4.18.3), according to the 04/10/2018 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

Hotfix Id       Severity       Description (click to see security bulletin)
APSB18-08      Important             Adobe Flash Player security update for Flash Player 28.0.0.137 ActiveX 64-bit
APSB18-08      Important             Adobe Flash Player security update for Flash Player 28.0.0.137 ActiveX 32-bit
HT206091      Critical             Apple Software Update security update for Software Update 2.1.3
Q2920680      Important             Microsoft security update (KB2920680)
Q2920723      Unrated             Microsoft security advisory (KB2920723)
Q2920727      Important             Microsoft security update (KB2920727)
Q3085538      Critical             Microsoft security update (KB3085538)
Q3114690      Important             Microsoft security update (KB3114690)
Q3115041      Important             Microsoft security update (KB3115041)
Q3115103      Important             Microsoft security update (KB3115103)
Q3115135      Important             Microsoft security update (KB3115135)
Q3115419      Important             Microsoft security update (KB3115419)
Q3178667      Important             Microsoft security update (KB3178667)
Q3213551      Important             Microsoft security update (KB3213551)
Q4011041      Important             Microsoft security update (KB4011041)
Q4011126      Important             Microsoft security update (KB4011126)
Q4011143      Important             Microsoft security update (KB4011143)
Q4011159      Important             Microsoft security update (KB4011159)
Q4011185      Unrated             Microsoft security advisory (KB4011185)
Q4011574      Important             Microsoft security update (KB4011574)
Q4011622      Unrated             Microsoft security advisory (KB4011622)
Q4011628      Important             Microsoft security update (KB4011628)
Q4011665      Important             Microsoft security update (KB4011665)
Q4011682      Critical             Microsoft security update (KB4011682)
Q4018319      Important             Microsoft security update (KB4018319)
Q4018328      Important             Microsoft security update (KB4018328)
Q4018337      Important             Microsoft security update (KB4018337)
Q4018339      Important             Microsoft security update (KB4018339)
Q4093110      Critical             Microsoft security update (KB4093110)
Q4093112      Critical             Microsoft security update (KB4093112)
0
 
Thomas Zucker-Scharff (Solution Guide) Author Commented:
I believe I found an answer  - although maybe not the best one.  I am trying this app out.

https://www.sekchek.com/sekchek-local-software.htm
0

 
btan (Exec Consultant) Commented:
Looks like this has a similar PowerShell script (also based on "HotFixID") but it needed a list of KBs, and the latter is generated using Belarc
http://eddiejackson.net/wp/?p=13544
Another approach is using MBSA command line with PS (e.g. Get-MissingUpdates -Computername YOURCOMPUTER)
https://gallery.technet.microsoft.com/scriptcenter/Get-Missing-Updates-with-ab80bf4e
0
 
McKnife Commented:
MBSA can do the same, yes, but it will not work against remote machines that run win10. For those, you'd need to run it locally using a startup script.

You could also simply use wuinstall: https://web.archive.org/web/20151227002916/http://www.hs2n.at/component/docman/doc_download/11-wuinstall-11-32-bit which lists them very comfortably.

About the assessment (important/not important): usually not done since all updates can be important based on what you are securing against.
1
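
The script in the question calls QueryHistory, which returns only updates that were already installed, so it cannot show what is missing. As an added example (not from any poster in this thread), the same Windows Update Agent COM API can instead be searched for updates that apply to the local machine but are not installed, with the MSRC severity written to one CSV per computer. The output file name, the column names and the "Unrated" label are choices made for this example, and only Microsoft updates are covered, not the Adobe or Apple items in the Belarc report.

```powershell
# Added example: report security updates that apply to this machine but are not installed.
$ErrorActionPreference = 'Stop'

# Well-known Windows Update classification ID for "Security Updates"
# (an ID is used because category names are localized).
$securityUpdates = '0fa1201d-4330-4fa8-8ae9-b877473b6441'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0 selects applicable updates that are not installed. The search is
# answered by the update source this machine is configured for (Windows Update,
# Microsoft Update or WSUS), so that source must be reachable.
$criteria = "IsInstalled=0 and IsHidden=0 and Type='Software' and CategoryIDs contains '$securityUpdates'"
$result   = $searcher.Search($criteria)

# Sort order for the severity column; updates without an MSRC rating sort last.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }

$report = foreach ($update in $result.Updates) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        HotFixID = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
        Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        Bulletin = @($update.SecurityBulletinIDs) -join ', '
        Title    = $update.Title
    }
}
$report = @($report | Sort-Object { $rank[$_.Severity] }, HotFixID)

# One output file per computer (the file name is this example's choice).
$outFile = Join-Path (Get-Location) "$($env:COMPUTERNAME)-missing-security-updates.csv"
if ($report.Count -gt 0) {
    $report | Export-Csv -Path $outFile -NoTypeInformation
} else {
    # Still leave a file behind so "nothing missing" is distinguishable from "not scanned".
    "No missing security updates reported on $(Get-Date -Format s)" | Set-Content -Path $outFile
}

$report | Format-Table HotFixID, Severity, Title -AutoSize
Write-Host "$($report.Count) missing security updates written to $outFile"
```

The result reflects what the configured update source offers: a machine pointed at WSUS only sees updates approved there, so an empty report is not proof that nothing is missing.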
 
Thomas Zucker-Scharff (Solution Guide) Author Commented:
I found this software after submitting the question - it is the best answer, that I know of, at this time.
0
Question has a verified solution.
