Skip to main content

Automox provides some great insight around patch installations triggered by Automox. You can find those details in the Activity Log report, and you can see patches are Installed or Awaiting Update in the console.


Well, what do we know about patching details outside of the Automox policies? There are times we want more detail around patches that are installed manually, or through another method.



Here is a Worklet that will collect Events generated by the Windows update client. Centralizing this information into the Activity log can save a good amount of time as you will not have to connect to different devices to see the details.



Currently you can define the timeframe and eventIDs to include. I would love feedback to see what else everyone else would like to include.



Remediation Code:



######Modify values to fit your needs######


$WUeventIDs = 19,20,21,43


$DaysOfLogs = 1


###########################################





#Collect Events and write output to Activity Log


$timeSpan = (Get-Date) - (New-TimeSpan -Day $DaysOfLogs)


$UpdateEvents = Get-WinEvent -Provider Microsoft-Windows-WindowsUpdateClient | Where-Object {$_.id -iin $WUeventIDs -and ( $_.TimeCreated -ge $timeSpan )}| Format-Table TimeCreated,id,message -Wrap


Write-Output $UpdateEvents


Exit 0


The collected information is added to the Activity Log, and can be exported as a CSV. Here is what it looks like after exporting the CSV:


Screen Shot 2020-08-21 at 1.52.17 PM
Screen Shot 2020-08-21 at 1.52.17 PM1725×462 174 KB

Here is another example of how to pull Event logs into your Activity Log report (thanks @Tony for the suggestion) . In this example, we will filter from the System Event log rather than the Windows Update Client provider, allowing the addition of events from other providers that publish to the system event log. I’ve added shutdown, start up, and eventID 1074 that provides the process and user that triggered a restart or shutdown.



Remediation Code:



$systemEventIDs = 12,13,19,21,43,1074


$DaysOfLogs = 1


###########################################


#Collect System Events and write output to Activity Log


$timeSpan = (Get-Date) - (New-TimeSpan -Day $DaysOfLogs)


$systemEvents = Get-WinEvent -FilterHashtable @{logname = 'System'} | Where-Object {$_.id -iin $systemEventIDs -and ( $_.TimeCreated -ge $timeSpan )}| Format-Table TimeCreated,id,message -Wrap


Write-Output $systemEvents


Exit 0

This is a great idea for having more clarity on what was installed and when. I’ve been using the same “PowerShell remediation into activity log” approach for gathering installed services and features on our Windows servers. I can then use the Automox API to download the activity log data as JSON and store it in our on-premise reporting database.



I’ve put in an Automox feature request for ad-hoc or global policies so that we can have these running on-demand or automatically against all device groups, instead of needing to manually add them to each new group.

Here is a quick update to add a few msi installer event ids (useful for 3rd party updates):



$systemEventIDs = 12,13,19,21,43,1074,1040,1033


$DaysOfLogs = 1


###########################################


#Collect System Events and write output to Activity Log


$timeSpan = (Get-Date) - (New-TimeSpan -Day $DaysOfLogs)


$systemEvents = Get-WinEvent -FilterHashtable @{logname = 'System','Application'} | Where-Object {$_.id -iin $systemEventIDs -and ( $_.TimeCreated -ge $timeSpan )}| Format-Table TimeCreated,id,message -Wrap


Write-Output $systemEvents


Exit 0


@Tony

this is great - what are you setting for the eval code portion? also, how do you configure the scheduling to run?

I had only been running it on demand (no schedule), so I set the evaluation code to



Exit 0


I did that so it would always show compliant, as I use the compliance identifier in the devices node as a quick indicator of health.



If you want to set it to always run on a schedule, you could set the evaluation code to



Exit -1


or any non-zero exit code. This will ensure it runs each time the scheduled time is reached.

Reply


Terms & ConditionsCookie settings