One area that I have been focusing on in Windows Server administration lately is PowerShell (PS). I could go on and on about how great PS, PowerCLI, etc. are for Windows and VMware server administration and automation. But for now, on to the point of this post…
I do like WSUS, but I feel that it is lacking. Sure, I can go to the WSUS MMC snap-in and look at the patch status of a server and hope that the clients have reported back to the WSUS server, or I can just ask the clients what patches they applied. Something WSUS does do well is email you when it has new patches to apply to clients, so it's pretty easy to compare what's going to go out to your clients vs. what applied during your PM window via a PS script.
To do this you can use the handy Get-HotFix cmdlet.
Feeding the script a txt file of computers I scraped from the AD further up, I encountered a few instances of the following error:
Get-HotFix : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At line:1 char:11
+ Get-HotFix <<<< -ComputerName AServerName -Credential domain\Username
    + CategoryInfo : NotSpecified: (:) [Get-HotFix], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.PowerShell.Commands.GetHotFixCommand
Of the servers that had this error, all were 2008 Standard. All the R2 servers returned the hotfix status just fine. Investigating the servers shows both the RPC service and its dependent services to be running and set to auto-start. So why this issue? On 2008 you actually have to go to the firewall and enable a rule to query the server.
Simply enabling the RPC rule on the inbound firewall will then allow you to query what hotfixes have been applied. For added security you can also limit which computers this will work for (your script server, perhaps) or which users can authenticate (-Credential domain\username). Hope this helps someone!
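A sketch of the audit described above, added here as an example and not the script from the original post: it queries each host with Get-HotFix, compares the result against the KB list from the WSUS email, and flags hosts that fail with HRESULT 0x800706BA so you know where the inbound firewall rule is still missing. The file name computers.txt, the KB IDs and the status labels are constructed placeholders.

```powershell
# Added example. Save as a .ps1 and run from the script server (PowerShell 3.0+).
param(
    [string]$ComputerList = '.\computers.txt',             # assumed: one hostname per line
    [string[]]$ExpectedKB = @('KB0000001', 'KB0000002'),   # placeholder IDs from the WSUS email
    [System.Management.Automation.PSCredential]$Credential
)

$rpcUnavailable = -2147023174   # HRESULT 0x800706BA as a signed 32-bit integer

$report = foreach ($computer in (Get-Content -Path $ComputerList | Where-Object { $_.Trim() })) {
    $query = @{ ComputerName = $computer.Trim(); ErrorAction = 'Stop' }
    if ($Credential) { $query.Credential = $Credential }

    $status  = 'OK'
    $missing = @()
    try {
        # Collect the installed hotfix IDs and diff them against the expected list.
        $installed = @(Get-HotFix @query | ForEach-Object { $_.HotFixID })
        $missing   = @($ExpectedKB | Where-Object { $installed -notcontains $_ })
        if ($missing.Count -gt 0) { $status = 'MissingPatches' }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # "The RPC server is unavailable": the host is up but the query is blocked
        # or unreachable, so keep it separate from hosts that are merely unpatched.
        if ($_.Exception.ErrorCode -eq $rpcUnavailable) { $status = 'RpcBlocked' }
        else { $status = 'Error: ' + $_.Exception.Message }
    }
    catch {
        $status = 'Error: ' + $_.Exception.Message
    }

    [pscustomobject]@{
        Computer = $query.ComputerName
        Status   = $status
        Missing  = $missing -join ','
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Hosts reported as RpcBlocked have not confirmed their patch level at all, so treat them as unknown rather than compliant until the firewall rule is enabled and the query succeeds.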