This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 11%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELD%3C/text%3E%3C/svg%3E)
Hi,
I'm trying to build a PowerShell script that will return the most recent installed Cumulative Update (or Security Monthly Quality Update/Security Only Update on Server 2012 R2 and earlier). Most critically I need the "friendly" name and not the build number, KB number or generic "Security Update"
So for example I need 2021-09 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5005613)
This is way more harder than it should be.
I have some examples where using the local Update History is not suitable:
Servers that missed patch schedule and then subsequently had multiple updates installed on the same day. This can result in an older patch being selected when trying to find the most recent one by Installed Date
If installing an update manually by downloading the .msu file, local Update History does not show the friendly name
Example covering both those-
you can that September's patch was seemingly installed via the .msu file. This is the latest one installed so if I look in local Update History for "Security Monthly" or "Security Only", this patch is ignored
The 2020-12 and 2021-07 updates were both installed on the same day, and checking in PowerShell the 2020-12 updates has a more recent time so is the update returned when checking for the most recent one by installed date
I have tried about 6 different examples scripts found online and none of them overcome these problems.
So now I am considering extracting the raw KB number from the local Update History, and then looking up this KB in Windows Update Catalog to return the friendly name:
Is there an already known-way to do what I am asking?
Thanks
Is there an offline XML file of the entire Windows Update Catalog or something that I can download and query in my PowerShell?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 31%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Not an XML file, but the wsusscn2.cab might help with this
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I think this one does that exactly.
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-hotfix?view=powershell-7.2
--please don't forget to upvote and Accept as answer if the reply is helpful--
Tried that one!
And in one example it's missing updates, in this case the 2021-07 one!
This is the full result of current PowerShell:
I am extracting the KB number (without the 'KB' text) with RegEx and then sorting on that going on the basis that KBs always increase in their number, so higher number is more recent.
I only want to grab the most recent and in this example doesn't give me the "friendly" name!!!!!!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
How about posting the code for your "current PowerShell"? That we can see what you're doing and from where you're getting the data. Are you using Get-Hotfix or the WMI equivalent? If so it's only going to show you updates that are categorized as "Hot-fixes".
Please post the code and not a screen-shot of the code. :-)
OK, so there's been some activity with this. I have got something using Invoke-WebRequest to scrape the Update Catalog. Not ideal but works:
The attached code as-is results in this output:
Whereas from the examples posted above, using the local Update History shows this:
Important code differences:
Using Invoke-WebRequest: $updateTitle = Get-WindowsUpdateTitle($update.Article)
Using local Update History: $updateTitle = $update.Title
Couple of points:
Is there an actual way I can interrogate the online Update Catalog without screen scraping
Is the update GUID ever stored locally as if I have to screen scrape I would rather scrape the popup dialog rather than Update Catalog search result page:
Is what you're calling the "Friendly Name" just that "2021-09" at the beginning of the description?
Windows Update can't retrieve that if it's not included in the description that's in the package that contained the update.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 82%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
That tells us what is installed, not what the latest superseding item is...
