How to check installed patches on VMware VM w/PowerCLi


In light of recent events related to WannaCry ransomware, it becomes very relevant to check if a particular Windows Update (Patch / Hotfix / KB) is installed within VM Guest OS.

Test-VMHotfix from my PowerCLi Vi-Module module will quickly and efficiently check all your VMs.

The function is very simple to use. Just pipeline VM(s) for the testing and the patch name wildcard in the -KB parameter. The KB parameter is positional, so it can be omitted.

Get-VM | Test-VMHotfix -KB ‘kb4012???’
Get-VM | Test-VMHotfix ‘kb4012*’


Of course, the function will only check, a) powered on b) Windows machines, the rest will be skipped.

The most interesting property returned by the function is a Hotfix.
The Hotfix property’s value can be one of the three:

  • The KB number (Hotfix ID) that matches to the wildcard you specified, if one was found.

  • Empty field (blank) if the patch is not found, i.e. not installed.

  • Unknown if the function failed to query this VM. There are two main reasons: a) Firewall (both Local VM guest and Network) and the b) OS inside the VM does not respond.


Try not to set too general KB wildcards like kb1* and especially not *, otherwise you will get a huge number of objects per VM.


To diagnose and solve the VM problem for which you get Unknown, I wrote another Test-VMPing function.

Get-VM | Test-VMPing
Get-VM | Test-VMPing | Format-Table –AutoSize


The key property here is Responding.


Using the -Verbose parameter, in addition to the results, you get the function statistics. By the way, Test-VMHotfix also supports this parameter.

Get-VM | Test-VMPing -Verbose
Get-VM | Test-VMHotfix –Verbose


Well, most importantly, using the -Restart parameter, you can restart non-responding VMs.

What do I mean to “restart”? If VMTools are installed in VM Guest, the machine OS will be restarted by Restart-VMGuest – if VMTools are not installed or not currently running, a Restart-VM will be invoked.

Get-Help Restart-VMGuest -Online
Get-Help Restart-VM -Online


I recommend that you always use -Confirm:$true with the -Restart parameter.

Get-VM | Test-VMPing –Restart –Confirm:$true

The fact is that the default value of this parameter is different for Restart-VM and Restart-VMGuest and depending on whether VMTools are available or not, there will or will not be a confirmation to restart the VM.
If you are sure of what you are doing, then safely cancel the confirmation -Confirm:$false.

Get-VM | Test-VMPing –Restart –Confirm:$false

Like the rest of the module’s functions, Test-VMHotfix and Test-VMPing have aliases with ViM suffix. For the old school fans, there are very short aliases tvmp for Test-VMPing and tvmkb for Test-VMHotfix.

Get-Command –Verb test –Module Vi-Module
Get-Help tvmkb –Full
Get-Help tvmp –Examples


Note that Test-VMHotfix requires PowerShell 4 or above.



You may also like:

VMware VSAN PowerCLi module
VMware VAMI PowerCLi module
Set-MaxSnapshotNumber – Control maximum number of VMware snapshots
Move-Template2Datastore – Migrate VMware VM Templates to another Datastore
Get-RDM – How to get RDM (Raw Device Mappings) disks
Convert-VmdkThin2EZThick – Convert Thin Provision VMDK disks to Thick

5 thoughts on “How to check installed patches on VMware VM w/PowerCLi

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s