How to check installed patches on VMware VM w/PowerCLi


In light of recent events related to WannaCry ransomware, it becomes very relevant to check if a particular Windows Update (Patch / Hotfix / KB) is installed within VM Guest OS.

Test-VMHotfix from my PowerCLi Vi-Module module will quickly and efficiently check all your VMs.

The function is very simple to use. Just pipe the VM(s) you want to test into it and supply the patch name wildcard in the -KB parameter. The KB parameter is positional, so the parameter name can be omitted.

Get-VM | Test-VMHotfix -KB 'kb4012???'
Get-VM | Test-VMHotfix 'kb4012*'


Of course, the function only checks VMs that are a) powered on and b) running Windows; the rest are skipped.

The most interesting property returned by the function is Hotfix.
The Hotfix property's value can be one of three:

  • The KB number (Hotfix ID) that matches the wildcard you specified, if one was found.

  • Empty field (blank) if the patch is not found, i.e. not installed.

  • Unknown if the function failed to query this VM. There are two main reasons: a) a firewall (either local to the VM guest or on the network) blocks the query, or b) the OS inside the VM does not respond.


Avoid overly general KB wildcards such as kb1*, and especially *; otherwise you will get a huge number of objects per VM.
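The three Hotfix states, and the fact that a wildcard can return several objects per VM, can be folded into a one-row-per-VM patch report. This is an added example, not part of Vi-Module or the original post; it assumes each result object exposes the VM name in a property called VM (only Hotfix is described here), and the sample rows are constructed.

```powershell
# Added example: collapse Test-VMHotfix output to one row per VM.
# ASSUMPTION: the VM name is in a property called 'VM' (hypothetical);
# only the 'Hotfix' property is described in the article.
function Group-VMHotfixState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,
        [string]$NameProperty = 'VM'
    )
    begin { $perVm = @{} }
    process {
        $name = [string]$InputObject.$NameProperty
        if (-not $perVm.ContainsKey($name)) {
            $perVm[$name] = New-Object 'System.Collections.Generic.List[string]'
        }
        $perVm[$name].Add([string]$InputObject.Hotfix)
    }
    end {
        foreach ($name in ($perVm.Keys | Sort-Object)) {
            $values = $perVm[$name]
            # Anything that is neither blank nor 'Unknown' is a matched KB id.
            $kbs = @($values | Where-Object {
                -not [string]::IsNullOrWhiteSpace($_) -and ($_ -ne 'Unknown') })
            if ($kbs.Count -gt 0)                { $state = 'Installed' }
            elseif ($values -contains 'Unknown') { $state = 'Unknown' }
            else                                 { $state = 'Missing' }
            [pscustomobject]@{
                VM     = $name
                State  = $state
                Hotfix = ($kbs | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample rows standing in for: Get-VM | Test-VMHotfix 'kb4012*'
$sample = @(
    [pscustomobject]@{ VM = 'web01'; Hotfix = 'KB4012212' }
    [pscustomobject]@{ VM = 'web01'; Hotfix = 'KB4012215' }
    [pscustomobject]@{ VM = 'db01';  Hotfix = '' }
    [pscustomobject]@{ VM = 'app01'; Hotfix = 'Unknown' }
)
$report = $sample | Group-VMHotfixState
$report | Format-Table -AutoSize
# Work queue: VMs still missing the patch, then VMs that could not be queried.
$report | Where-Object { $_.State -ne 'Installed' } | Sort-Object State
```

Against real data, replace $sample with the Test-VMHotfix pipeline; VMs left in the Unknown state have not been verified either way and should not be counted as patched.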


To diagnose and fix the VMs for which you get Unknown, I wrote another function, Test-VMPing.

Get-VM | Test-VMPing
Get-VM | Test-VMPing | Format-Table -AutoSize


The key property here is Responding.


With the -Verbose parameter you get the function's statistics in addition to the results. Test-VMHotfix also supports this parameter.

Get-VM | Test-VMPing -Verbose
Get-VM | Test-VMHotfix -Verbose


Most importantly, using the -Restart parameter, you can restart non-responding VMs.

What do I mean by "restart"? If VMTools are installed in the VM guest, the guest OS will be restarted by Restart-VMGuest. If VMTools are not installed or not currently running, Restart-VM will be invoked.

Get-Help Restart-VMGuest -Online
Get-Help Restart-VM -Online


I recommend that you always use -Confirm:$true with the -Restart parameter.

Get-VM | Test-VMPing -Restart -Confirm:$true

The reason is that the default value of this parameter is different for Restart-VM and Restart-VMGuest, so depending on whether VMTools are available or not, you may or may not be asked to confirm the VM restart.
If you are sure of what you are doing, you can safely suppress the confirmation with -Confirm:$false.

Get-VM | Test-VMPing -Restart -Confirm:$false

Like the rest of the module's functions, Test-VMHotfix and Test-VMPing have aliases with the ViM suffix. For old-school fans, there are also very short aliases: tvmp for Test-VMPing and tvmkb for Test-VMHotfix.

Get-Command -Verb test -Module Vi-Module
Get-Help tvmkb -Full
Get-Help tvmp -Examples


Note that Test-VMHotfix requires PowerShell 4 or above.

$PSVersionTable.PSVersion.Major

