Scan without patching for a baseline report

Hi lsanders,

If you deactivate or unassign the existing policies, and create a new ‘By Severity’ policy with no schedule, you can then run a pre-patch report on that group to get a view of all updates with a severity score on a per-machine basis.

@lsanders Here is what I’ve been doing. I have a report that I custom built comparing my internal assets to desired # of day thresholds for patches to install. When it exceeds a certain threshold of # days when I’d expect systems to be patched, I’m calling it out in a report. I’ve built on further to send the agents through a wave of automated “interventions” that can sometimes fix the overall health. It’s been a journey, but really happy with being able to confidently say, yes all these systems are patching to a desired state. Less that pesky 01-2024 CU Microsoft released and has yet to fix.

1. Build a patch everything policy, but don’t schedule it. Make it available to the group you desire. 
2. You can then use the API to extract the report for all devices like this:

$apiKey = '123456789'
$headers = @{ "Authorization" = "Bearer $apiKey" }
$orgID = '12345'

$url = "https://console.automox.com/api/reports/prepatch?o=$orgID&"
$now = Get-Date
Write-Log "Collecting Automox Pre-Patch Reports"
$response = (Invoke-WebRequest -Method Get -Uri $url -Headers $headers).Content | ConvertFrom-Json
$prepatch = foreach ($device in $response.prepatch.devices){
    $device.patches | %{
        [datetime]$patchCreated = $_.createTime.split("T")[0]
        $age = (New-TimeSpan $patchCreated $now).Days
        [pscustomobject]@{
            name = $device.name
            needsReboot = $device.needsReboot
            patch = $_.name
            patchAgeDays = $age
            patchCreated = $patchCreated
            group = $device.group
            compliant = $device.compliant
            os_family = $device.os_family
        }
    }
}
$prepatch | Sort-Object name | Export-Csv "C:\automox-prepatch-report.csv" -NoTypeInformation