Build a Patch Compliance Reporting Workflow for Windows Devices Using PowerShell and Scheduled Scans
Build a Windows patch compliance reporting workflow with PowerShell, scheduled scans, CSV evidence, and rollback notes for the scheduled task and local script files.
Expected Outcome
You will have a fully automated patch compliance reporting system that generates daily reports on the patch status of Windows devices, stored in a specified directory for easy access and review.
Assumptions
- Windows operating system with PowerShell installed
- Administrative privileges on the target machines
- Access to a centralized location for storing reports
Bill of Materials
- PowerShell script for patch compliance reporting
- Windows Task Scheduler for scheduling scans
- PowerShell ISE or Visual Studio Code for script modifications
Build Steps
- Create the PowerShell Script
Develop a PowerShell script that checks for installed updates and generates a compliance report in CSV format.
Changes system state: review before running
New-Item -Path 'C:\Scripts' -ItemType Directory -Force
Set-Content -Path 'C:\Scripts\PatchComplianceReport.ps1' -Value "Get-HotFix | Sort-Object InstalledOn -Descending | Export-Csv -Path 'C:\Reports\PatchComplianceReport.csv' -NoTypeInformation"
- Set Up the Report Storage Location
Create a directory to store the generated compliance reports, ensuring it exists before running the script.
Changes system state: review before running
New-Item -Path 'C:\Reports' -ItemType Directory -Force
- Schedule the PowerShell Script
Use Windows Task Scheduler to run the PowerShell script daily at a specified time, ensuring regular updates on patch compliance.
Changes system state: review before running
schtasks /create /tn 'PatchComplianceReport' /tr 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\PatchComplianceReport.ps1' /sc daily /st 09:00
- Test the Scheduled Task
Manually run the scheduled task to verify that the script executes correctly and generates the report as expected.
Example pattern only. Adjust for your environment before running.
schtasks /run /tn 'PatchComplianceReport'
- Verify the report with native update evidence
Compare the generated CSV against native hotfix data so the report is not trusted blindly.
Safe to run: read-only
Get-HotFix | Sort-Object InstalledOn -Descending | Format-Table -AutoSize
Import-Csv 'C:\Reports\PatchComplianceReport.csv' | Format-Table -AutoSize
- Capture task configuration evidence
Export the scheduled task definition and basic run status for ticket evidence.
Example pattern only. Adjust for your environment before running.
schtasks /query /tn 'PatchComplianceReport' /v /fo list
schtasks /query /tn 'PatchComplianceReport' /xml > C:\Reports\PatchComplianceReportTask.xml
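The one-line script above exports the raw Get-HotFix rows and nothing else, so a reviewer still has to work out by hand whether a host is compliant. As an added example (not the page's own script, and not something the page states the workflow must do), the following fuller PatchComplianceReport.ps1 keeps the same Get-HotFix evidence but stamps every row with hostname and collection time, and writes a second per-host summary CSV with a compliance status derived from the age of the newest installed update. The 30-day threshold, the PatchComplianceSummary.csv file name and the parameter names are assumptions chosen for illustration.

```powershell
# PatchComplianceReport.ps1 (added example, not the page's original one-liner).
# Assumptions: C:\Reports is the report root and 30 days is the maximum
# acceptable age of the newest installed update; both are illustrative defaults
# that the scheduled task can override with -ReportRoot / -MaxDaysSinceLastUpdate.
[CmdletBinding()]
param(
    [string]$ReportRoot = 'C:\Reports',
    [int]$MaxDaysSinceLastUpdate = 30
)

$ErrorActionPreference = 'Stop'
$null = New-Item -Path $ReportRoot -ItemType Directory -Force

$collectedAt = Get-Date
$computer    = $env:COMPUTERNAME

# Some Get-HotFix entries carry no InstalledOn date; drop them before
# sorting so an empty date cannot be mistaken for the newest update.
# @() guarantees an array even when zero or one hotfix is returned.
$hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending)

# Per-update rows, tagged with host and timestamp so CSV files collected
# from many machines can be concatenated into one evidence set later.
$detail = foreach ($h in $hotfixes) {
    [pscustomobject]@{
        ComputerName = $computer
        CollectedAt  = $collectedAt.ToString('s')
        HotFixID     = $h.HotFixID
        Description  = $h.Description
        InstalledOn  = $h.InstalledOn.ToString('yyyy-MM-dd')
        InstalledBy  = $h.InstalledBy
    }
}

# Per-host summary: the age of the newest update decides the status.
$newestText = ''
$age        = $null
if ($hotfixes.Count -gt 0) {
    $newest     = $hotfixes[0].InstalledOn
    $newestText = $newest.ToString('yyyy-MM-dd')
    $age        = [int][math]::Floor(($collectedAt - $newest).TotalDays)
}

if ($null -eq $age) {
    $status = 'Unknown'          # no dated hotfix entries at all; investigate
} elseif ($age -le $MaxDaysSinceLastUpdate) {
    $status = 'Compliant'
} else {
    $status = 'NonCompliant'
}

$summary = [pscustomobject]@{
    ComputerName        = $computer
    CollectedAt         = $collectedAt.ToString('s')
    HotFixCount         = $hotfixes.Count
    NewestInstalledOn   = $newestText
    DaysSinceLastUpdate = $age
    MaxDaysAllowed      = $MaxDaysSinceLastUpdate
    Status              = $status
}

$detail  | Export-Csv -Path (Join-Path $ReportRoot 'PatchComplianceReport.csv')  -NoTypeInformation
$summary | Export-Csv -Path (Join-Path $ReportRoot 'PatchComplianceSummary.csv') -NoTypeInformation
```

Save it as C:\Scripts\PatchComplianceReport.ps1 in place of the Set-Content one-liner; the scheduled task command on this page runs it unchanged. Get-HotFix only lists updates installed through the Windows Update / CBS servicing stack, so the age-based status is a coarse signal; the Validation step that cross-checks the CSV against a fresh Get-HotFix run still applies, and the status column is meant to prioritise review, not replace it.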
Validation
- Verify that the compliance report is generated in 'C:\Reports\PatchComplianceReport.csv' after the scheduled task runs.
- Open 'C:\Reports\PatchComplianceReport.csv' to ensure it contains accurate patch information: the columns Get-HotFix exports (HotFixID, Description, InstalledOn, InstalledBy) with plausible installation dates, plus any status columns your script adds.
Troubleshooting
- If the task does not run, check whether the account has batch logon rights and access to C:\Scripts and C:\Reports.
- If the report is empty, validate the update query on the same host before blaming Task Scheduler.
- If remote targets are added later, test WinRM, firewall policy, and credential scope separately.
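The three troubleshooting checks above can be run together from an elevated PowerShell session on the host. This is an added, read-only example rather than a procedure from the page: it reads the task's run-as principal and last result through the ScheduledTasks module (Windows 8 / Server 2012 and later), lists the access control entries on the two folders the task needs, and re-runs the same update query the script uses, outside Task Scheduler. The task name is the one used on this page; the folder paths are the page's defaults.

```powershell
# Added troubleshooting check (not from the original page). Read-only.
$taskName = 'PatchComplianceReport'

# 1. Who does the task run as, and what did the last run return?
#    Well-known LastTaskResult values: 0x00000000 = success,
#    0x00041301 = currently running, 0x00041303 = task has not yet run.
$task = Get-ScheduledTask -TaskName $taskName
$info = $task | Get-ScheduledTaskInfo
[pscustomobject]@{
    TaskName       = $task.TaskName
    State          = $task.State
    RunAsUser      = $task.Principal.UserId
    LogonType      = $task.Principal.LogonType   # Password/S4U need batch logon rights
    RunLevel       = $task.Principal.RunLevel
    LastRunTime    = $info.LastRunTime
    LastTaskResult = ('0x{0:X8}' -f $info.LastTaskResult)
    NextRunTime    = $info.NextRunTime
} | Format-List

# 2. Can the run-as account reach the script and write the report?
#    Compare the listed identities against RunAsUser above.
foreach ($path in 'C:\Scripts', 'C:\Reports') {
    (Get-Acl -Path $path).Access |
        Select-Object @{ n = 'Path'; e = { $path } },
                      IdentityReference, FileSystemRights, AccessControlType
}

# 3. Does the update query itself return data on this host?
#    An empty result here means the script, not the scheduler, is the problem.
$count = @(Get-HotFix).Count
"Get-HotFix returned $count entries on $env:COMPUTERNAME"
```

If step 1 shows a LogonType of Interactive with no logged-on session at 09:00, the task will never start; recreate it with a service or dedicated account that has the "Log on as a batch job" right. If step 3 returns zero entries on a patched host, Get-HotFix is not seeing the servicing data and the report will stay empty regardless of scheduling.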
Cleanup or Rollback
- Remove the scheduled task with schtasks /delete /tn 'PatchComplianceReport' /f if the workflow is not adopted.
- Remove temporary script and report files after archiving any evidence needed for the ticket.
- Do not leave ExecutionPolicy Bypass tasks in place without owner approval.
Next Improvements
- Consider integrating email notifications for compliance reports using Send-MailMessage in PowerShell.
- Explore additional PowerShell modules like PSWindowsUpdate for enhanced reporting features.