<#
This PowerShell script queries the following MS Graph API endpoint with various parameters:
https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries
The data can be returned in a variety of ways: grid view, file (JSON, CSV), or piped to another command.
The script runs under delegated permissions - the user will be prompted to authenticate
Graph API scope required to run: WindowsUpdates.ReadWrite.All (a read/write permission, even though this script only issues GET requests)
Apart from the per-parameter validation attributes in the param block, the resulting OData $filter string is not validated before it is sent; values reach the query as-is.
References:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/enhance-update-management-decisions-with-metadata-and-insights/ba-p/3903474
https://learn.microsoft.com/en-us/graph/api/resources/windowsupdates-qualityupdatecatalogentry?view=graph-rest-beta
The following parameters are available:
* Type: type of the update
Type: string
Possible Values:
- Quality (default)
- Feature
* Classification: classification of the Quality update (feature updates don't have them)
Type: string
Default: empty and not included in the query [optional parameter]
Possible Values:
- all
- security
- nonSecurity
- unknownFutureValue
microsoft.graph.windowsUpdates.qualityUpdateClassification
* Cadence: cadence of the Quality update (feature updates don't have them)
Type: string
Default: empty and not included in the query [optional parameter]
Possible Values:
- monthly
- outOfBand
- unknownFutureValue
microsoft.graph.windowsUpdates.qualityUpdateCadence
* CVSS: CVSS threshold in the format of "1.0". Only entries whose maxBaseScore is strictly greater than this value are returned (the filter uses "gt", not "ge"); a value of 0.0 is treated as "not set".
Type: Float (range 0.0 - 10.0)
Default: empty and not included in the query [optional parameter]
Corresponds to ODATA property "filter= microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/maxBaseScore gt X"
Possible values: 0.0 - 10.0
* ExploitedCVEs: A comma-separated string or an array of CVE identifiers (e.g. "CVE-2020-1234,CVE-2020-5678"); entries matching any of them are returned.
Type: string.
Default: empty and not included in the query [optional parameter]
Corresponds to ODATA property "filter= microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves/any(cve: cve/number eq 'CVE-2020-1234' or cve/number eq 'CVE-2020-5678')"
* TenantId: The tenant ID to query.
Type: string.
Optional
* Output-type: The type of the output.
Type: string.
Default: GridView
Possible values:
- GridView (default)
- JSON
- CSV
- Pipe
* OrderBy: The property to order the results by.
Type: string.
Corresponds to ODATA "orderby=X".
Default: empty and not included in the query [optional parameter]
Possible values:
- CVE
- ReleaseDate (default)
- CVSS
- DisplayName
* Top: The maximum number of results to return.
Type: integer
Default: empty and not included in the query [optional parameter]
Corresponds to ODATA "top=X".
#>
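#define the script parameters
# Validation attributes enforce the ranges documented in the header. -ExploitedCVEs is interpolated
# into an OData $filter string further down, so only well-formed CVE ids (optionally several,
# comma-separated, in a string or an array) are accepted; this stops a stray quote or operator from
# reaching the query. Every other parameter is either a ValidateSet value, a number or an identifier
# that is passed to Connect-MgGraph rather than into the filter.
[CmdletBinding()]
param (
    [Parameter()][ValidateSet("Quality", "Feature")][string]$Type = "Quality",
    [Parameter()][ValidateSet("all", "security", "nonSecurity", "unknownFutureValue")][string]$Classification,
    [Parameter()][ValidateSet("monthly", "outOfBand", "unknownFutureValue")][string]$Cadence,
    # One or more CVE ids; each element may itself be a comma-separated list (the pattern is matched case-insensitively)
    [Parameter()][ValidatePattern('^\s*CVE-\d{4}-\d{4,}\s*(,\s*CVE-\d{4}-\d{4,}\s*)*$')][string[]]$ExploitedCVEs,
    # Documented range is 0.0 - 10.0; 0.0 means "not set" (see the CVSS filter below)
    [Parameter()][ValidateRange(0.0, 10.0)][float]$CVSS,
    [Parameter()][ValidateSet("CVE", "ReleaseDate", "DisplayName", "CVSS")][string]$OrderBy,
    # $top must be positive; 0 is treated as "not set" by the query builder
    [Parameter()][ValidateRange(1, [int]::MaxValue)][int]$Top,
    [Parameter()][string]$TenantId, #= "<YOUR VALUE HERE>", #remove the first comment marker and add your tenant ID to make life easier
    [Parameter()][string]$ClientId, #= "<YOUR VALUE HERE>", #only needed if you cannot use the standard Microsoft Graph PowerShell application; the custom app must have the scope consented
    [Parameter()][ValidateSet("GridView", "JSON", "CSV", "Pipe")][string]$OutputType = "GridView"
)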
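#Connect to graph using user's credentials (delegate permissions)
# NOTE(review): the script only reads the catalog, yet WindowsUpdates.ReadWrite.All is the scope
# the header documents for this endpoint; confirm whether a narrower read-only scope exists before
# consenting this permission more widely.
$GraphParams = @{
    Scopes = "WindowsUpdates.ReadWrite.All"
}
if ($TenantId) { $GraphParams.Add("TenantId", $TenantId) }
if ($ClientId) { $GraphParams.Add("ClientId", $ClientId) }
Connect-MgGraph @GraphParams -NoWelcome
$mgContext = Get-MgContext
# A delegated sign-in always carries an Account; no context or no account means the sign-in did
# not complete. Exit with a non-zero code so wrappers and CI can detect the failure (a bare "exit"
# reports success).
if ($null -eq $mgContext -or $null -eq $mgContext.Account) {
    Write-Error "Failed to connect to Graph API. Please check your credentials and try again"
    exit 1
}
#this check compares against a single scope string; it would need a loop if Scopes ever held more than one
if ($mgContext.Scopes -notcontains $GraphParams.Scopes) {
    Write-Error "Required Graph API permissions $($GraphParams.Scopes) are missing!`n Please ensure you have the right permissions and Admin Consent was provided and try again"
    exit 1
}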
#Build the query
$queryParams = @{}   # OData query options ($top, $orderby, $expand, $filter) as name -> value
# Individual $filter clauses; they are joined with " and " later (no OR between parameters)
$queryFilters = New-Object System.Collections.Generic.List[System.String]
# NOTE(review): -OrderBy is passed to $orderby verbatim; confirm the ValidateSet names match the
# entity's orderable property names.
if ($Top) { $queryParams["`$top"] = $Top }
if ($OrderBy) { $queryParams["`$orderby"] = $OrderBy }
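if ($Type) {
    switch ($Type) {
        Quality {
            $queryFilters.Add("isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry')")
            $queryParams.Add("`$expand", "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions,microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves")
            #this controls what will be displayed in the GridView (and the CSV output)
            $DisplayProperties = @( #what to display and in what order, may become a parameter one day
                'displayName',
                'shortName',
                # Date only, formatted as yyyy-MM-dd so the column sorts correctly as text regardless
                # of the user's locale. The [datetime] cast is a no-op when the API client already
                # returned a DateTime and parses the ISO 8601 string otherwise.
                @{Name="releaseDate";Expression={ if ($_.releaseDateTime) { ([datetime]$_.releaseDateTime).ToString('yyyy-MM-dd') } else { '' } }},
                'qualityUpdateClassification',
                'qualityUpdateCadence',
                # 'isExpeditable', #this is currently always true
                # 'deployableUntilDateTime', # this is currently all empty
                # 'cveSeverityInformation', # this needs expansion
                # 'productRevisions', # this needs expansion
                # 'catalogName', #this is empty for many updates
                # 'id',
                # '@odata.type',
                # 'productRevisions@odata.context'
                # Join the productRevisions[x].displayName values of THIS entry with newlines. The
                # previous version read $res[0] here, so every row showed the first entry's revisions.
                @{Name="ProductRevisions";Expression={ @($_.productRevisions | ForEach-Object { $_.displayName }) -join "`n" }},
                # Max CVSS base score; numeric 0.0 when no severity information is present so the
                # column sorts numerically instead of mixing numbers and strings
                @{Name="CVSSmax";Expression={ if ($_.cveSeverityInformation) { $_.cveSeverityInformation.maxBaseScore } else { 0.0 } }},
                # Exploited CVEs as "{number} ({url})", one per line; empty string when not available
                @{Name="CVEs";Expression={ if ($_.cveSeverityInformation) { @($_.cveSeverityInformation.exploitedCves | ForEach-Object { "$($_.number) ($($_.url))" }) -join "`n" } else { "" } }}
            )
        }
        Feature {
            $queryFilters.Add("isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')")
            #what to display for feature updates. Much less than for Quality updates
            $DisplayProperties = @(
                "displayName",
                "version",
                "buildNumber",
                # Date only (yyyy-MM-dd), locale independent; see the Quality branch
                @{Name="releaseDate";Expression={ if ($_.releaseDateTime) { ([datetime]$_.releaseDateTime).ToString('yyyy-MM-dd') } else { '' } }},
                # deployableUntilDateTime may be absent; guard it instead of calling ToString() on $null
                @{Name="deployableUntil";Expression={ if ($_.deployableUntilDateTime) { ([datetime]$_.deployableUntilDateTime).ToString('yyyy-MM-dd') } else { '' } }}
            )
        }
    }
}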
# Classification and cadence exist only on quality update entries; for feature updates the value is
# reported and dropped rather than turned into a filter on a property the entry does not have.
$qualityOnlyFilters = @{
    Classification = @{ Value = $Classification; Property = 'qualityUpdateClassification' }
    Cadence        = @{ Value = $Cadence;         Property = 'qualityUpdateCadence' }
}
foreach ($paramName in @('Classification', 'Cadence')) {   # explicit order: Classification first, then Cadence
    $paramValue = $qualityOnlyFilters[$paramName].Value
    if (-not $paramValue) { continue }
    if ($Type -eq "Quality") {
        $queryFilters.Add("microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/$($qualityOnlyFilters[$paramName].Property) eq '$paramValue'")
    } else {
        Write-Warning "$paramName is only applicable to Quality updates. Ignoring the parameter"
    }
}
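# Strictly-greater-than filter on the max CVSS base score; 0.0 (the [float] default) means "not set".
# Like Classification/Cadence this property only exists on quality update entries.
if ($CVSS) {
    if ($Type -ne "Quality") {
        Write-Warning "CVSS is only applicable to Quality updates. Ignoring the parameter"
    } else {
        # Format with the invariant culture: in locales that use a decimal comma ToString('F1')
        # would yield e.g. "7,5", which is not a valid OData number literal
        $cvssLiteral = $CVSS.ToString('F1', [System.Globalization.CultureInfo]::InvariantCulture)
        $queryFilters.Add("microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/maxBaseScore gt $cvssLiteral")
    }
}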
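# Match entries whose exploitedCves collection contains any of the requested CVE ids. Accepts an
# array or a comma-separated string (-split works element-wise on arrays). The property only exists
# on quality update entries.
if ($ExploitedCVEs) {
    if ($Type -ne "Quality") {
        Write-Warning "ExploitedCVEs is only applicable to Quality updates. Ignoring the parameter"
    } else {
        # Trim whitespace around each id ("CVE-1, CVE-2") and drop empty items from trailing commas
        $cveIds = @(@($ExploitedCVEs -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($cveIds.Count -gt 0) {
            # Each id lands inside an OData string literal: double any single quote (the OData
            # escaping rule) so a stray "'" cannot terminate the literal and alter the filter
            $cveClauses = $cveIds | ForEach-Object { "cve/number eq '$($_.Replace("'", "''"))'" }
            $exploitedCvesFilter = "microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves/any(cve: $($cveClauses -join ' or '))"
            $queryFilters.Add($exploitedCvesFilter)
        }
    }
}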
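#Build the final query string
$baseURI = "https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries"
if ($queryFilters.Count -gt 0) { $queryParams.Add("`$filter", $queryFilters -join " and ") }
$query = $baseURI
if ($queryParams.Count -gt 0) {
    # NOTE(review): values are not URL-encoded here; the raw OData syntax (spaces, quotes, '$') has
    # been accepted by Invoke-MgGraphRequest so far, but confirm if an encoded query is ever required
    $query += "?" + (($queryParams.GetEnumerator() | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "&")
}
Write-Verbose "Query: `n$query`n"
#Run the query. Graph pages large result sets, so follow @odata.nextLink instead of returning only
#the first page; when -Top was given the caller asked for a bounded result set and a single page
#is fetched, as before.
$entries = New-Object System.Collections.Generic.List[object]
$nextUri = $query
while ($nextUri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $nextUri
    if ($page.value) { $entries.AddRange([object[]]@($page.value)) }
    $nextUri = if ($Top) { $null } else { $page.'@odata.nextLink' }
    # Defense in depth: the session's bearer token should only ever be sent to the host we queried
    if ($nextUri -and (([uri]$nextUri).Host -ne ([uri]$baseURI).Host)) {
        Write-Warning "Ignoring @odata.nextLink pointing to an unexpected host: $nextUri"
        $nextUri = $null
    }
}
# Keep the shape the rest of the script expects ($catalog.value)
$catalog = @{ value = $entries.ToArray() }
Write-Verbose "Query results: $($catalog.value.Count) entries"
if ($catalog.value.Count -eq 0) {
    Write-Warning "No results found"
    return
}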
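$res = $catalog.value #put the results in a variable for convenience
#based on the output type, produce the output
switch ($OutputType) {
    JSON { $res | ConvertTo-Json -Depth 10 }
    # Project to the flat display columns first: ConvertTo-Csv cannot serialise the nested
    # hashtables/collections in the raw entries, which is presumably why it failed before
    CSV  { $res | Select-Object -Property $DisplayProperties | ConvertTo-Csv -NoTypeInformation }
    Pipe { $res }
    GridView {
        # Sort on the real releaseDateTime value before projecting; sorting the formatted
        # releaseDate string (as before) ordered incorrectly in locales with d/m/y formats
        $res |
            Sort-Object -Property @{Expression = { $_.releaseDateTime }} -Descending |
            Select-Object -Property $DisplayProperties |
            Out-GridView -Title "Update catalog information"
    }
    default { $res }
}
# NOTE: "exit" ends the script when it is invoked normally, but closes the host if the script is dot-sourced
exit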