The Patch Remedy Print report at the customer level has 5 columns, including the percentage level, which is very helpful.
What are your thoughts on including a column for "Last PR Update"?
I think this would be a nice addition because if a group of systems is broken, in sleep mode/hibernation mode, or turned off during the patch schedule, it can be hard to troubleshoot and rule out something as simple as the machine not being left on during the scheduled time frame.
It would be great to have that column so someone could sort it to quickly see which systems have not applied updates within, say, the last 30 days.
I'm sure others would find adding that column to be very helpful. I know that would alleviate a lot of manual work and be extremely helpful to our team.
Possible addition to Patch Remedy Print Report
Re: Possible addition to Patch Remedy Print Report
So what we want is to query the agent for its last official update run? Add that as a column to list.
I could run something like...
Code:
# List installed hotfixes, newest first (gwmi is the Windows PowerShell alias for Get-WmiObject)
gwmi win32_quickfixengineering | sort installedon -desc
Actually more like this...
Source       Description      HotFixID   InstalledBy          InstalledOn
------       -----------      --------   -----------          -----------
CUBESTATION  Update           KB5033920  NT AUTHORITY\SYSTEM  1/11/2024 12:00:00 AM
CUBESTATION  Security Update  KB5034123  NT AUTHORITY\SYSTEM  1/11/2024 12:00:00 AM
CUBESTATION  Update           KB5032393  NT AUTHORITY\SYSTEM  11/15/2023 12:00:00 AM
CUBESTATION  Update           KB5029517  NT AUTHORITY\SYSTEM  9/17/2023 12:00:00 AM
Code:
# Get the current date
$currentDate = Get-Date
# Get the date 30 days ago
$thirtyDaysAgo = $currentDate.AddDays(-30)
# Get all the updates installed since 30 days ago
Get-HotFix | Where-Object {$_.InstalledOn -gt $thirtyDaysAgo}
Which produces the same thing but limits the return to just the last 30 days.
Source       Description      HotFixID   InstalledBy          InstalledOn
------       -----------      --------   -----------          -----------
CUBESTATION  Update           KB5033920  NT AUTHORITY\SYSTEM  1/11/2024 12:00:00 AM
CUBESTATION  Security Update  KB5034123  NT AUTHORITY\SYSTEM  1/11/2024 12:00:00 AM
Since there are any number of updates that could happen, maybe a list of these updates should be shown in the agent status area.
As for capturing the very last date and displaying it with the agent data, that is possible. Fitment may be a bit of a squeeze; may need to rearrange some items to get it all to fit.
Re: Possible addition to Patch Remedy Print Report
Something like that would be great. I have some notes below as to what we have had to deal with in case that helps with any ideas for improving the reporting.
Trying to determine what is working and not working and making a report for auditing takes a bit of time-consuming effort.
Currently, I'm pulling together two spreadsheets and using vlookup in a third to gather most of the data, and then I'm doing manual entries. However, it still lacks the last piece, ensuring it's fully working, which I think you mentioned pulling via "gwmi win32_quickfixengineering", or "wmic qfe list" or any other methods.
First, I'm using Automate to pull an inventory of the systems, providing the computer name, site, last Windows update date, last contact date, and Agent OS.
Next, I use the Patch Remedy "Print Report" at the customer level. I copy the contents into another spreadsheet.
I then use a third spreadsheet with just the agent computer names. I then use Vlookup to pull the fields of those two spreadsheets into the same spreadsheet, keeping a history of the previous "available" and "installed" columns to show the month-to-month progress.
Then I have to make some manual columns and manually enter the last PR scan date if not current and the last PR update date if not current. That will tell me if the PR functions can't run for whatever reason, OS or PowerShell reasons, being offline during the windows, etc. If these dates aren't current, any info pulled from PR for the next column won't be accurate, and that needs to be differentiated.
However, even all that still doesn't completely verify everything is working, which is next.
Next, I make another column and indicate any updates still needed as reported by Patch Remedy, indicating if it's a Major 22H2 update, or a monthly security update or a cumulative update versus a driver or printer update. Since customer audits and requirements don't care about printer and driver updates, we move those to the side and focus on major, security, and cumulative.
After that is all done, I sort by the site column so we can provide a site report for the customer and focus on remediation by site since some customers are in the hundreds of systems or more.
The one thing I can't get is what was installed in the last 30 days. For example, suppose the system can only install Defender and Office updates. In that case, the main report shows that updates are installed every month, but we are unable to tell if the major and security updates are being skipped. Even worse is when it doesn't show the missing updates as needed, indicating that everything is working correctly until reviewing the last 30 days to determine which updates were installed and what wasn't.
We ran into a bit of an egg-on-face situation where we stated Patch Remedy was keeping all the systems up to date. We showed that updates are installed monthly, not realizing that many systems were stuck on the 22H2 major update or the January 2024 security update. Although they were installing updates, they weren't installing the critical updates, which, per the audit, was the core function of requiring updates to be up to date. We weren't able to see that.
I know that's all a bit much and may not be possible, but it's something to think about to round off some corners, along with some areas to possibly include in future reporting capabilities.
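One way to turn the hotfix queries from the earlier reply into the per-agent audit columns described in this post (last update date, what was installed in the last 30 days, and whether any of it was a security update), as an added example that is not part of the thread or of Patch Remedy. `Get-PatchAuditSummary`, the status labels and the two `EXAMPLE-PC` machines are hypothetical, the sample records are constructed from the output shown earlier, and it assumes the Description value "Security Update" marks the patches an audit cares about.

```powershell
function Get-PatchAuditSummary {
    param(
        [Parameter(Mandatory)] [object[]] $HotFix,  # Get-HotFix / Win32_QuickFixEngineering records
        [datetime] $AsOf = (Get-Date),
        [int] $WindowDays = 30
    )
    $cutoff = $AsOf.AddDays(-$WindowDays)
    foreach ($machine in ($HotFix | Group-Object CSName)) {
        # InstalledOn is empty on some records; leave those out of the date logic
        $dated  = @($machine.Group | Where-Object { $_.InstalledOn })
        $recent = @($dated | Where-Object { [datetime]$_.InstalledOn -gt $cutoff })
        # Assumption: Description 'Security Update' is the audit-relevant class
        $recentSec = @($recent | Where-Object { $_.Description -eq 'Security Update' })
        $last = $dated | Sort-Object { [datetime]$_.InstalledOn } -Descending |
                Select-Object -First 1

        # Hypothetical status labels for sorting and filtering the sheet
        $status = 'OK'
        if ($recent.Count -eq 0) { $status = 'NothingInstalledInWindow' }
        elseif ($recentSec.Count -eq 0) { $status = 'NoSecurityUpdateInWindow' }

        [pscustomobject]@{
            Computer          = $machine.Name
            LastUpdate        = if ($last) { ([datetime]$last.InstalledOn).ToString('yyyy-MM-dd') } else { '' }
            InstalledInWindow = @($recent | ForEach-Object HotFixID) -join ';'
            SecurityInWindow  = @($recentSec | ForEach-Object HotFixID) -join ';'
            Status            = $status
        }
    }
}

# Constructed sample records. CUBESTATION mirrors the output earlier in the thread;
# the EXAMPLE-PC machines are made up and reuse the same KB numbers.
function New-SampleFix($Computer, $Description, $Id, $Date) {
    [pscustomobject]@{ CSName = $Computer; Description = $Description
                       HotFixID = $Id; InstalledOn = [datetime]$Date }
}
$sample = @(
    New-SampleFix 'CUBESTATION'  'Update'          'KB5033920' '2024-01-11'
    New-SampleFix 'CUBESTATION'  'Security Update' 'KB5034123' '2024-01-11'
    New-SampleFix 'CUBESTATION'  'Update'          'KB5032393' '2023-11-15'
    New-SampleFix 'CUBESTATION'  'Update'          'KB5029517' '2023-09-17'
    New-SampleFix 'EXAMPLE-PC02' 'Update'          'KB5033920' '2024-01-11'
    New-SampleFix 'EXAMPLE-PC03' 'Update'          'KB5032393' '2023-11-15'
)

# Fixed -AsOf so the sample is repeatable; on a live machine pass (Get-HotFix) instead
Get-PatchAuditSummary -HotFix $sample -AsOf ([datetime]'2024-01-20') |
    Sort-Object LastUpdate | Format-Table -AutoSize
```

Win32_QuickFixEngineering, which both queries in the thread read, lists only updates installed through Component Based Servicing, so it is not a complete history of everything Windows Update installed on the machine.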
Re: Possible addition to Patch Remedy Print Report
Wow that seems like a lot of work on your part...
So you need a report at the client level that lists every agent's last patch update, a list of patches updated in the last 30 days, and a list of patches currently still available for each agent, and does this by agent for the client?
Would this be all you would need for your reports? If I could turn that into a button that would expel an Excel file?
Re: Possible addition to Patch Remedy Print Report
At the customer level, it would be great to have a data export button, in addition to the print report button, that exports all this information for all agents at once, with each agent being on its own line and each line having the information you mentioned.
On the Patch Remedy page, when clicking on each agent, it currently shows the waiting patches. It would also be helpful to show the patches installed in the last 30 days in addition to the patches waiting instead of using the report when just looking for one or two agents. However, having the report to be used for auditing purposes to make sure all agents are working as expected without having to do all the manual work would be a great addition.