SCOM Agent–OS Recommended Hotfix (KB)

Hi Readers,

To ensure that the SCOM agent performs well on all supported Windows OS versions, Microsoft released the following article some time ago:

System Center 2012 Operations Manager: recommended agent operating system fixes and updates https://support.microsoft.com/en-us/kb/2843219

Kevin Holman, a well-known Microsoft SCOM guru, also maintains his own list of OS recommended hotfixes for the SCOM agent: http://blogs.technet.com/b/kevinholman/archive/2009/01/27/which-hotfixes-should-i-apply.aspx

A few days ago, I saw a tweet from Reidar Johansen, who had just written a PowerShell script to check whether all the OS recommended hotfixes are installed on a given server: https://github.com/reijoh/scomscripts/blob/master/Check-RecommendedHotfixes.ps1

When I saw that, I decided to reuse his script and add a few updates:

  • Add all the KBs from the Microsoft page
  • Add all the KBs from Kevin Holman's list
  • Use arrays to specify the required KBs per OS
  • A few minor optimizations

My updated version of Johansen’s script is available below:

<#
Original Script: https://github.com/reijoh/scomscripts/blob/master/Check-RecommendedHotfixes.ps1

Modified by Christopher Keyaert (christopher@vnext.be)
Date: December 11th, 2015

Based on the KB list available https://support.microsoft.com/en-us/kb/2843219
Based on the KB list available http://blogs.technet.com/b/kevinholman/archive/2009/01/27/which-hotfixes-should-i-apply.aspx
#>

Function Check-HotfixInstalled
{
    param
    (
        [string]$HotfixID,
        [string]$ComputerName
    )
    $HF = $null
    $HF = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue -id $HotfixID
    If(!($HF))
    {
        $global:Description += "$ComputerName needs hotfix $HotfixID `r`n"
        $global:UpToDate = $False
    }
}


Function Check-ServicePackInstalled
{
    param
    (
        [string]$BuildNumber,
        [string]$Version,
        [string]$ComputerName
    )
    $CSDBuildNumber = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue | select @{N='CSDBuildNumber'; E={$_.CSDBuildNumber}}).CSDBuildNumber}
    $CSDVersion = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue | select @{N='CSDVersion'; E={$_.CSDVersion}}).CSDVersion}
    # CSDBuildNumber is stored as a string in the registry; compare it numerically so that
    # build numbers of different lengths are not compared lexically. A missing value (no
    # service pack installed) casts to 0 and is therefore reported as needing the service pack.
    If([int]$CSDBuildNumber -lt [int]$BuildNumber -or $CSDVersion -lt $Version)
    {
        $global:Description += "$ComputerName needs $Version `r`n"
        $global:UpToDate = $False
    }
}


#Global Variables
$global:UpToDate = $True
$global:Description = $null

$ComputerName=$env:COMPUTERNAME

#KB Per OS and Role
$KB2003 = "KB955360", "KB981263", "KB933061", "KB968760", "KB982168", "KB980773" , "KB982167", "KB960718", "KB932370", "KB2484832" 
$KB2008 = "KB2553708", "KB2495300","KB2458331","KB968967","KB968936","KB973275","KB2812950","KB2484832","KB2163398","KB2622802","KB979458","KB2506143", "KB981263"
$KB2008R2 = "KB2470949","KB2618982","KB2775511","KB2878378","KB2617858","KB2494158","KB2734909","KB2618982","KB2622802", "KB2547244", "KB2692929"
$KB2008R2IIS = "KB2618982"
$KB2012 = "KB2790831", "KB2911101"
$KB2012R2 = "KB2911106"
$KB2012R2DC = "KB2955164", "KB2923126"
$KB2012R2DNS = "KB2954185", "KB2919394"

#Script
foreach($Computer in $ComputerName)
{
    # Reset per computer so that a failed OS lookup does not reuse the previous computer's value
    $OS = $null
    $OSVersion = Invoke-Command -ComputerName $Computer -ErrorAction SilentlyContinue -ScriptBlock {[Environment]::OSVersion.Version.ToString(3)}
    $OSName = Invoke-Command -ComputerName $Computer -ErrorAction SilentlyContinue -ScriptBlock {(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue | select @{N='OSName'; E={$_.ProductName}}).OSName}
    If($OSVersion.Length -ge 8)
    {
        If($OSName -match 'Server')
        {
            $OS = switch($OSVersion.Substring(0,3))
            {
                '5.0' {'2000'}
                '5.2' {'2003'}
                '6.0' {'2008'}
                '6.1' {'2008R2'}
                '6.2' {'2012'}
                '6.3' {'2012R2'}
                default
                {
                    If($OSVersion.Substring(0,4) -eq '10.0')
                    {
                        '2016TP'
                    }
                    else
                    {
                        $OSName
                    }
                }
            }
        }
    }
    switch($OS)
    {
        '2003'
        {
            Check-ServicePackInstalled -BuildNumber '5583' -Version 'Service Pack 2' -ComputerName $Computer
            foreach($kb in $KB2003)
                {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}            
        }

        '2008'
        {
            Check-ServicePackInstalled -BuildNumber '1621' -Version 'Service Pack 2' -ComputerName $Computer
            foreach($kb in $KB2008)
                {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}
        }

        '2008R2'
        {
            Check-ServicePackInstalled -BuildNumber '1130' -Version 'Service Pack 1' -ComputerName $Computer
            foreach($kb in $KB2008R2)
                {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}

            # Only check if IIS is installed
            If(Get-Service W3SVC -ComputerName $Computer -ErrorAction SilentlyContinue)
                {
                foreach($kb in $KB2008R2IIS)
                    {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}
                }
        }

        '2012'
        {
            foreach($kb in $KB2012)
                {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}           
        }

        '2012R2'
        {
            foreach($kb in $KB2012R2)
                {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}

            # Only check if DNS role is installed
            $DNSStartNumber = Invoke-Command -ComputerName $Computer -ErrorAction SilentlyContinue -ScriptBlock {(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS' -ErrorAction SilentlyContinue | select @{N='Start'; E={$_.Start}}).Start}
            If($DNSStartNumber -and $DNSStartNumber -ne 4)
                {
                 foreach($kb in $KB2012R2DNS)
                    {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}
                }

            # Only check if Domain Controller role
            If((Get-WMIObject -Class Win32_ComputerSystem -ComputerName $Computer -Namespace 'root\cimv2' -ErrorAction SilentlyContinue).DomainRole -ge 4)
                {
                 foreach($kb in $KB2012R2DC)
                    {Check-HotfixInstalled -HotfixID $KB -ComputerName $Computer}
                }
        }
    }
}


$global:UpToDate 
$global:Description

A PowerShell script is already nice, but a Management Pack is even better. So I quickly used MPAuthor from Silect to turn this PowerShell script into a SCOM monitor.

Every 12 hours, this monitor checks every Windows server where a SCOM agent is installed to ensure that all the OS recommended hotfixes are installed. If this is not the case, the following alert is created:

  [screenshot: alert raised by the monitor]

You can see the monitor state in the Health Explorer:
  [screenshot: Health Explorer showing the monitor in a critical state]

On a server where all the OS recommended hotfixes are installed:
  [screenshot: Health Explorer showing the monitor healthy]
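To show how such a check becomes a SCOM monitor, here is an added example (not the blog's script and not the code inside the downloadable MP) of the data-source side: the same two results, UpToDate and Description, are handed to SCOM as a property bag, which is what a two-state script monitor's healthy and unhealthy expressions key on. It assumes the script runs on the agent-managed host under the agent action account, that the monitor expects the property names UpToDate and Description, and uses a constructed KB list in which KB9999999 is a placeholder that is never installed.

```powershell
# Added example: emit the hotfix check result as a SCOM property bag.
# MOM.ScriptAPI is the COM object the SCOM agent exposes to monitoring scripts.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Constructed sample list; the real list depends on the OS, as in the blog script.
    [string[]]$RequiredKBs = @('KB2911106', 'KB9999999')   # KB9999999: placeholder, never installed
)

$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()

# Enumerate installed hotfixes once instead of calling Get-HotFix per KB.
$installed = @{}
try {
    Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        ForEach-Object { $installed[$_.HotFixID] = $true }
} catch {
    # A collection failure must not look like "up to date": log it to the
    # Operations Manager event log (severity 1 = error) and return a distinct state.
    $api.LogScriptEvent('Check-RecommendedHotfixes.ps1', 1001, 1,
        "Get-HotFix failed on ${ComputerName}: $($_.Exception.Message)")
    $bag.AddValue('UpToDate', 'Unknown')
    $bag.AddValue('Description', "Could not enumerate hotfixes on $ComputerName")
    $api.Return($bag)
    return
}

$missing = @($RequiredKBs | Where-Object { -not $installed.ContainsKey($_) })

# Same two-state contract as the blog script: 'True' when nothing is missing.
$bag.AddValue('ComputerName', $ComputerName)
$bag.AddValue('UpToDate', [string]($missing.Count -eq 0))
$bag.AddValue('Description',
    (($missing | ForEach-Object { "$ComputerName needs hotfix $_" }) -join "`r`n"))
$api.Return($bag)
```

Get-HotFix only lists updates registered under their own KB ID, so a hotfix that was never installed because a later update superseded it shows up as missing; pruning superseded entries from the KB arrays avoids those false alerts.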

You can download the management pack from here: https://www.vnext.be/wp-content/uploads/2015/12/SCOMAgent.OSRecommendedKB.zip

Gentle reminder: use this script/MP at your own risk.

Christopher


About Christopher Keyaert

Christopher Keyaert is a Consultant, focused on helping partners to leverage the System Center and Microsoft Azure cloud platform. He is also a Microsoft Most Valuable Professional (MVP) for Cloud and Data Center Management and a Microsoft Certified Trainer (MCT).

One Response to SCOM Agent–OS Recommended Hotfix (KB)

  1. Nice addition to my original script. I have updated my script to include some of your logic:
    https://github.com/reijoh/scomscripts/blob/master/Check-RecommendedHotfixes.ps1
    I checked each recommended update and I changed some because not all hotfixes need to be checked on all agents and some have been replaced with other hotfixes, etc.
    Nice Management Pack too. I would prefer that the “SCOMAgent – OS Recommended KB” monitor was disabled by default and to enable it for computers that I want to check with overrides targeting groups.
