Patch Remediation With PowerShell – Part 1

There are a lot of security topics that are absolutely fascinating, but patch management is not one of them.  Even more horrific is patch management remediation.  Deploying patches isn’t so bad, but getting that last 10% out of your compliance efforts is a never-ending, brutal slog through the mud.


I wrote a quick script to take a list of non-compliant computers and give some basic information about their health and status so action can be taken.  Unfortunately, this script can’t make phone calls to find out why a computer is off or unplugged, but it can at least get you started.

Computer List – To start, export a list of computers that need to be evaluated to ComputerList.txt and place it in the same directory as the script.

Ping – The script will ping a computer and return a response.  This tells you whether or not the computer is on and responding.

DNS – Next, the script will query DNS for the computer.  This tells you if the computer is off temporarily or if it has been off long enough that the DNS record has been scavenged.  Check your local DNS aging and scavenging settings to learn what this means in your environment.  The default settings are around 2 weeks, I think.

Active Directory – Finally, the script checks to see if the computer exists in Active Directory or if it has been deleted.

Output – All the results are written to a new line in the ComputerTestResult.csv file for easy use and filtering in Excel.

Here’s the script…


# Requires the RSAT ActiveDirectory module for Get-ADComputer
Import-Module ActiveDirectory

$ComputerList = Get-Content -Path .\ComputerList.txt
$Headings = "Name,Ping,DNS,AD"
$Headings > .\ComputerTestResult.csv
ForEach ($Computer in $ComputerList)
{
    Try {
        # Ping response and IP address; -ErrorAction Stop turns a failed ping into a catchable error
        $pingTest = Test-Connection -ComputerName $Computer -ErrorAction Stop -Count 1
        $IPResult = $pingTest.IPV4Address.IpAddressToString
        $TestResult = "$Computer,$IPResult"
    }
    Catch {
        # No ping response
        $TestResult = "$Computer,No Ping"
    }
    Try {
        # DNS lookup solution from Ansgar Wiechers @ stackoverflow.com
        # http://stackoverflow.com/questions/31359079/how-to-get-only-ipv4-addresses-for-a-hostname
        # GetHostAddresses throws when the name has no record, which the Catch below picks up
        $DNS = [System.Net.Dns]::GetHostAddresses("$Computer") |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -ExpandProperty IPAddressToString
        $TestResult = $TestResult + ",Yes in DNS"
    }
    Catch {
        $TestResult = $TestResult + ",Not in DNS"
    }
    # Check in AD; Get-ADComputer returns nothing when the object has been deleted
    $inAD = Get-ADComputer -Properties Name -Filter {cn -eq $Computer}
    If ($inAD -ne $null)
    {
        $TestResult = $TestResult + ",Yes in AD"
    }
    Else
    {
        $TestResult = $TestResult + ",Not in AD"
    }
    # Uncomment to watch progress
    # Write-Host $TestResult
    $TestResult >> .\ComputerTestResult.csv
}


I hope this helps to take some of the pain out of patch remediation or any other system maintenance you are doing.


Ideas for future development

Adding some of these features would make the script useless for anyone running a patch solution other than SCCM, so take this first version as the generic, one-size-fits-all one.

  • Query list directly from SCCM collection rather than using a pre-exported list
  • Query last user logon name from SCCM
  • Make the CSV file actually use columns so Data > text-to-column isn’t required after opening in Excel
  • Add WMI diagnostics and repair
  • Add SCCM agent redeployment

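The rewrite below is an added example, not code from the original post. It demonstrates the third idea in the list (real CSV columns) by building a PSCustomObject per computer and letting Export-Csv handle the quoting and headers, and it goes one step further than the page by also pulling LastLogonDate from Active Directory so a machine that has not authenticated to the domain in weeks stands out next to its ping and DNS status. It assumes the RSAT ActiveDirectory module is installed and that ComputerList.txt sits beside the script; the function name Test-PatchTarget is my own.

```powershell
# Added example (not from the original post): object-based version of the triage loop.
# Assumes the RSAT ActiveDirectory module is installed and ComputerList.txt is in the
# current directory. Test-PatchTarget is a hypothetical name chosen for this example.
Import-Module ActiveDirectory

function Test-PatchTarget {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Ping: -Quiet returns $true/$false instead of writing an error
    $pingOk = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue

    # DNS: GetHostAddresses throws a SocketException when no record exists,
    # so a $null address means the name is gone (or never was) in DNS
    $dnsAddress = $null
    try {
        $dnsAddress = [System.Net.Dns]::GetHostAddresses($ComputerName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1 -ExpandProperty IPAddressToString
    } catch {
        $dnsAddress = $null
    }

    # AD: a deleted object simply returns nothing; LastLogonDate is the
    # replicated lastLogonTimestamp, so it is accurate to roughly two weeks
    $adComputer = Get-ADComputer -Filter { Name -eq $ComputerName } -Properties LastLogonDate -ErrorAction SilentlyContinue

    # One object per computer; Export-Csv turns these properties into columns
    [PSCustomObject]@{
        Name          = $ComputerName
        Ping          = if ($pingOk) { 'Responding' } else { 'No Ping' }
        IPAddress     = $dnsAddress
        DNS           = if ($dnsAddress) { 'Yes in DNS' } else { 'Not in DNS' }
        AD            = if ($adComputer) { 'Yes in AD' } else { 'Not in AD' }
        LastLogonDate = if ($adComputer) { $adComputer.LastLogonDate } else { $null }
    }
}

# Skip blank lines in the list, test each name, and write a proper CSV with headers
Get-Content -Path .\ComputerList.txt |
    Where-Object { $_.Trim() } |
    ForEach-Object { Test-PatchTarget -ComputerName $_.Trim() } |
    Export-Csv -Path .\ComputerTestResult.csv -NoTypeInformation
```

Reading the output, "No Ping" together with "Yes in DNS" and a recent LastLogonDate usually means a host firewall is dropping ICMP rather than a powered-off machine, so treat the ping column as a hint and the AD logon date as the better indicator of whether the computer is actually alive on the domain. A row with "Not in DNS" and "Not in AD" is a decommissioned machine that belongs in the collection clean-up pile rather than on the remediation list.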

References

http://stackoverflow.com/questions/31359079/how-to-get-only-ipv4-addresses-for-a-hostname
