Here is a PowerShell script to check a ConfigMgr agent's compliance for all required (assigned) security updates. It is another utility in the kit for on-demand patch management, alongside the script to run a ConfigMgr Task Sequence on demand that I blogged about previously. Before you launch an on-demand patching session against a machine you should confirm it actually needs updates, and after patching you want to confirm the machine is compliant; this script addresses both scenarios.
The script first checks whether a software update assignment is targeted at the machine by querying the WMI class CCM_AssignmentCompliance in the namespace root\ccm\SoftwareUpdates\DeploymentAgent. If an assignment is found, the script queries the class CCM_TargetedUpdateEx1 in the same namespace, which lists the mandatory updates assigned to the machine. Any required updates that are still missing are returned as output.
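The following function is an added example, not the script from the post, that re-implements the two-step check described above with the CIM cmdlets. The class names and namespaces are the ConfigMgr client's own; the join to CCM_SoftwareUpdate in root\ccm\ClientSDK for readable update names and the ComplianceState check are this example's addition. It assumes you are a local administrator on the target and, for a remote -ComputerName, that WinRM is reachable; the computer name PC01 in the usage line is a placeholder.

```powershell
# Added example (not the post's script). Re-implements the assignment check and
# the targeted-update check described in the post, then joins to the client SDK
# class so missing updates come back with a KB number and title.
# Assumptions: local admin on the target; WinRM reachable for a remote -ComputerName.
function Get-CMRequiredUpdateCompliance {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $agentNs = 'root\ccm\SoftwareUpdates\DeploymentAgent'
    $sdkNs   = 'root\ccm\ClientSDK'
    $cim     = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # Step 1: is at least one software update deployment (assignment) targeted at
    # this client? CCM_AssignmentCompliance holds one row per assignment.
    $assignments = @(Get-CimInstance @cim -Namespace $agentNs -ClassName CCM_AssignmentCompliance)
    if ($assignments.Count -eq 0) {
        Write-Warning "$ComputerName`: no software update assignment is targeted at this machine."
        return
    }

    # Step 2: the mandatory updates carried by those assignments.
    $targeted = @(Get-CimInstance @cim -Namespace $agentNs -ClassName CCM_TargetedUpdateEx1)

    # CCM_SoftwareUpdate (client SDK) describes deployed updates the client still
    # considers required, with Name, ArticleID and ComplianceState. Index by UpdateID
    # so each targeted update can be looked up.
    $required = @{}
    foreach ($u in @(Get-CimInstance @cim -Namespace $sdkNs -ClassName CCM_SoftwareUpdate)) {
        $required[$u.UpdateID] = $u
    }

    $missing = foreach ($t in $targeted) {
        $u = $required[$t.UpdateID]
        # ComplianceState 0 = ciNotPresent: the update is required and not installed.
        # Assumption made here: a targeted update with no SDK record, or in any other
        # state, is already installed or not applicable and therefore compliant.
        if ($null -ne $u -and $u.ComplianceState -eq 0) {
            [pscustomobject]@{
                UpdateID        = $t.UpdateID
                ArticleID       = $u.ArticleID
                Name            = $u.Name
                EvaluationState = $u.EvaluationState   # e.g. 8/9 = pending reboot, 13 = error
                RefAssignments  = $t.RefAssignments
            }
        }
    }

    [pscustomobject]@{
        ComputerName            = $ComputerName
        Assignments             = $assignments.Count
        AllAssignmentsCompliant = @($assignments | Where-Object { -not $_.IsCompliant }).Count -eq 0
        MissingRequired         = @($missing).Count
        MissingUpdates          = @($missing)
    }
}

# Usage (PC01 is a placeholder): before patching expect MissingRequired > 0,
# after patching expect 0 and AllAssignmentsCompliant = True.
$result = Get-CMRequiredUpdateCompliance -ComputerName 'PC01'
$result | Select-Object ComputerName, Assignments, AllAssignmentsCompliant, MissingRequired
$result.MissingUpdates | Format-Table ArticleID, Name, EvaluationState -AutoSize
```

Two caveats when reading the result. The client's WMI data is only as fresh as its last Software Updates Scan Cycle and Deployment Evaluation Cycle, so after patching, trigger those schedules (or wait for them) before trusting a clean report. And "required" here means required by a deployment: an update that is applicable but has not been deployed to the machine will not appear at all, so a compliant result is compliance with what ConfigMgr has assigned, not with the full update catalog.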
Running this script on a machine before patching, you would see something similar to this:
And after patching you would expect to see:
See the script comments for the exact syntax:
Download: Get ConfigMgr Software Update Compliance