PowerShell script to check ConfigMgr agent software update assignment compliance

Here is a PowerShell script to check a ConfigMgr agent’s compliance for all required/assigned security updates.  It is another utility tool in the kit for on-demand patch management, like this script to run a ConfigMgr Task Sequence On-Demand, which I blogged about previously.  Before you launch an on-demand patching session against a machine you should make sure it actually needs some updates, likewise, after patching you want to make sure the machine is compliant; this script addresses both scenarios.

The script first checks if there is a software update assignment targeted at the machine using the WMI class CCM_AssignmentCompliance from the namespaceroot\ccm\SoftwareUpdates\DeploymentAgent.  If an assignment is found the script queries the WMI class CCM_TargetedUpdateEX1 under the root\ccm\SoftwareUpdates\DeploymentAgentnamespace, which contains the mandatory updates assigned to the machine.  If any missing required updates are found they will be returned as output.

Running this script on a machine before patching you would see something similar to this:


And after patching you would expect to see:


See the script comments for the exact syntax:




Written by , Posted .

One Comment

  1. Five9vs

    Thank you for sharing! I was just looking at that namespace and trying to figure out how to do exactly that.

Leave a Comment

You must be logged in to post a comment.