Here is a PowerShell script to check a ConfigMgr agent’s compliance for all required/assigned security updates.  It is another utility tool in the kit for on-demand patch management, like this script to run a ConfigMgr Task Sequence On-Demand, which I blogged about previously.  Before you launch an on-demand patching session against a machine you should make sure it actually needs some updates, likewise, after patching you want to make sure the machine is compliant; this script addresses both scenarios.

The script first checks whether a software update assignment is targeted at the machine by querying the WMI class CCM_AssignmentCompliance in the root\ccm\SoftwareUpdates\DeploymentAgent namespace. If an assignment is found, the script then queries CCM_TargetedUpdateEX1 in the same root\ccm\SoftwareUpdates\DeploymentAgent namespace, which lists the mandatory updates assigned to the machine. Any required updates that are still missing are returned as output.
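The following is an added example that follows the two-step logic just described; it is not the post's own script. It queries CCM_AssignmentCompliance and CCM_TargetedUpdateEX1 as above, then cross-references the targeted update IDs against CCM_SoftwareUpdate in root\ccm\ClientSDK to pick up friendly names and the documented ComplianceState value (0 = update not installed). The function name Get-CMRequiredUpdateCompliance, the output object layout, and the use of the IsCompliant property on CCM_AssignmentCompliance are this example's own choices and assumptions.

```powershell
# Added example, not the original post's script.
# Reports whether a ConfigMgr client has required (assigned) software updates
# that are still missing, following the post's two-step WMI approach.
function Get-CMRequiredUpdateCompliance {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass a remote name to query over WinRM/CIM.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $deploymentNs = 'root\ccm\SoftwareUpdates\DeploymentAgent'
    $sdkNs        = 'root\ccm\ClientSDK'
    $cim          = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # Step 1: is any software update assignment targeted at this client?
    $assignments = @(Get-CimInstance @cim -Namespace $deploymentNs -ClassName CCM_AssignmentCompliance)
    if ($assignments.Count -eq 0) {
        return [pscustomobject]@{
            ComputerName   = $ComputerName
            HasAssignment  = $false
            IsCompliant    = $null      # nothing to be compliant with
            MissingUpdates = @()
        }
    }

    # Step 2: the mandatory updates those assignments target.
    $targeted = @(Get-CimInstance @cim -Namespace $deploymentNs -ClassName CCM_TargetedUpdateEX1)

    # Cross-reference with the ClientSDK view, which carries the update name,
    # KB article and ComplianceState (0 = not installed / missing).
    # Assumption: both classes expose the update as the same UpdateID string
    # (PowerShell hashtable keys are case-insensitive, so GUID casing is safe).
    $sdkById = @{}
    foreach ($u in Get-CimInstance @cim -Namespace $sdkNs -ClassName CCM_SoftwareUpdate) {
        $sdkById[$u.UpdateID] = $u
    }

    $missing = @(foreach ($t in $targeted) {
        $sdk = $sdkById[$t.UpdateID]
        if ($null -ne $sdk -and $sdk.ComplianceState -eq 0) {
            [pscustomobject]@{
                UpdateID        = $t.UpdateID
                ArticleID       = $sdk.ArticleID
                Name            = $sdk.Name
                EvaluationState = $sdk.EvaluationState   # install/evaluation progress
            }
        }
    })

    # Assumption: CCM_AssignmentCompliance exposes a boolean IsCompliant per
    # assignment; the client is treated as compliant only when every assignment
    # reports compliant AND no targeted update is still missing.
    $allAssignmentsCompliant = -not ($assignments | Where-Object { -not $_.IsCompliant })

    [pscustomobject]@{
        ComputerName   = $ComputerName
        HasAssignment  = $true
        AssignmentIds  = @($assignments | ForEach-Object { $_.AssignmentId })
        IsCompliant    = ($allAssignmentsCompliant -and $missing.Count -eq 0)
        MissingUpdates = $missing
    }
}

# Usage: run before patching to confirm the machine actually needs updates,
# and again afterwards to confirm it now reports compliant.
$result = Get-CMRequiredUpdateCompliance -ComputerName $env:COMPUTERNAME
$result | Format-List ComputerName, HasAssignment, IsCompliant
$result.MissingUpdates | Format-Table ArticleID, Name, EvaluationState -AutoSize
```

Running it against a remote client requires the same WMI/CIM remoting rights the post's script needs; Get-CimInstance uses WinRM by default, so use `-CimSession (New-CimSession -ComputerName ... -SessionOption (New-CimSessionOption -Protocol Dcom))` in place of -ComputerName if WinRM is not open to the client.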

Running this script on a machine before patching, you would see something similar to this:

And after patching you would expect to see:

See the script comments for the exact syntax:

Download Link