Which is the most comprehensive way to check applied KBs to a Windows machine?

Question

I am using Powershell to run a status of a list of KBs and see if they are applied or not.

I have found a few ways and I have seen inconsistencies with the numbers they are reporting. Which is right?

You can check SYSTEMINFO and get a list of hotfixes. You can also use the Get-Hotfix cmdlet, which is an alias for gwmi Win32_QuickFixEngineering or you can use wmic qfe list (WMI-CLI QuickFixEngineering List).

So, why am I getting different numbers when I do a quick count?

i.e. (Get-HotFix).Count and (wmic qfe list).Count

Using those two returns 153 and 310, respectively.

What gives? Why does it return different values? Are all of the applied KBs not listed in the Get-Hotfix cmdlet?

Before anyone asks, yes, I have restarted the machine and I haven't applied any since it was restarted and updated. That is Day 1 stuff...

Answer 1

WMIC has obscure blank lines which might be muddying the waters a bit. Here's simple, not very good, parser for wmic qfe (Windows 10 so who knows if it'll transpose).

The hope is that you can compare the lists.

$qfe = wmic qfe list brief | Select-Object -Skip 1 | Where-Object { $_.Trim().Length -gt 0 } | ForEach-Object {
    [PSCustomObject]@{
        Description = $_.Substring(0, 17).Trim()
        HotFixId    = $_.Substring(30, 10).Trim()
    }
}
Compare-Object (Get-HotFix) $qfe -Property HotFixID -IncludeEqual

So is that enough? No, not really. QFE is great but indicative only. I'm trying to remember the circumstance that invalidates it. I'll come back to this.