Monitor if server deployed their security patches

George Christianis 21 Reputation points

We would like to know which servers have not gotten patched in the last 60 days.

Can we do this with:

1) The SCCM MP?
2) Monitoring a specific Event ID
3) Monitoring a log file such as or
4) Having access to the Software Updates - Compliance report in SCCM


Operations Manager

Accepted answer
  1. AlexZhu-MSFT 3,706 Reputation points Microsoft Vendor


    We can use a PowerShell script-based monitor to achieve our goal.

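     $api = New-Object -ComObject "MOM.ScriptAPI"
     $PropertyBag = $api.CreatePropertyBag()
     # Date of the most recently installed hotfix, then its age in days
     $LastPatchDate = Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 1 -ExpandProperty InstalledOn
     $rv = ((Get-Date) - $LastPatchDate).TotalDays
     # Property name is an assumption; it must match the name used in the monitor's criteria
     $PropertyBag.AddValue("DaysSinceLastPatch", $rv)
     $PropertyBag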

    Here are some screenshots from my lab test.


    criteria (we may set it to 60 in our situation)

    alert generated due to servers not patched more than 400 days

    and I've confirmed that value "" and "" did not generate the alert since the criteria is set to 400 or higher (in our situation, we can set the criteria to 60).

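A more defensive form of the check in the accepted answer, as an added example that is not part of the thread or of any Microsoft management pack. It uses the 60-day threshold from the question and handles hotfix entries with no install date; the function name, the property names `DaysSinceLastPatch` and `State`, and the sample rows are assumptions made for illustration.

```powershell
# Added example; names DaysSinceLastPatch/State and the 60-day default are assumptions.
function Get-PatchAgeState {
    param(
        [object[]]$HotFix,                 # Get-HotFix output (needs an InstalledOn property)
        [int]$ThresholdDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # InstalledOn is empty on some entries; drop those before picking the newest date
    $last = $HotFix | Where-Object { $_.InstalledOn } |
        ForEach-Object { [datetime]$_.InstalledOn } |
        Sort-Object | Select-Object -Last 1
    if ($null -eq $last) {
        # No usable date: report Unknown instead of letting the date arithmetic throw
        return [pscustomobject]@{ LastPatchDate = $null; DaysSinceLastPatch = -1; State = 'Unknown' }
    }
    $days  = [math]::Floor(($Now - $last).TotalDays)
    $state = if ($days -gt $ThresholdDays) { 'Overdue' } else { 'Current' }
    [pscustomobject]@{ LastPatchDate = $last; DaysSinceLastPatch = $days; State = $state }
}

# Constructed sample rows (not real KB numbers) so the function can be tried anywhere
$sample = @(
    [pscustomobject]@{ HotFixID = 'KB0000001'; InstalledOn = [datetime]'2024-01-10' }
    [pscustomobject]@{ HotFixID = 'KB0000002'; InstalledOn = $null }
    [pscustomobject]@{ HotFixID = 'KB0000003'; InstalledOn = [datetime]'2024-03-05' }
)

$api = $null
try { $api = New-Object -ComObject 'MOM.ScriptAPI' -ErrorAction Stop } catch { }

if ($api) {
    # On a SCOM agent: evaluate the real hotfix list and return a property bag
    $result = Get-PatchAgeState -HotFix (Get-HotFix)
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('DaysSinceLastPatch', $result.DaysSinceLastPatch)
    $bag.AddValue('State', $result.State)
    $bag
} else {
    # Anywhere else: show the overdue, current and unknown outcomes on the sample data
    Get-PatchAgeState -HotFix $sample -Now ([datetime]'2024-06-01')
    Get-PatchAgeState -HotFix $sample -Now ([datetime]'2024-03-20')
    Get-PatchAgeState -HotFix @()
}
```

`Get-HotFix` reads `Win32_QuickFixEngineering`, which lists only updates installed through Component Based Servicing, so the `Unknown` state is worth alerting on separately rather than treating as healthy.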

4 additional answers

  1. Jai Verma 451 Reputation points

    I know Compliance report in SCCM should provide you this information.

    1 person found this answer helpful.

  2. George Christianis 21 Reputation points

    Hi JaiVerma-7010 thanks for your reply.

    But can I generate an alert from the Compliance report? Even better, send it to SCOM?



  3. AllenLiu-MSFT 27,581 Reputation points Microsoft Vendor

    Hi, @George Christianis
    Thank you for posting in Microsoft Q&A forum.

    Here is an article that you can enable SCCM email notification on reports:
    (Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


  4. George Christianis 21 Reputation points

    Thank you AllenLiu-MSFT for your response.

    Ideally I would like to find a way to get these alerts into our SCOM console.
    Since we would like to have all alerts in one central place.
    People don't always look at their emails.

