Retrieve Windows version of computers in a domain

Intro

Initially, it was possible from the WSUS console to see the Windows version of all associated computers, but since Windows 10 this does not work that well anymore.

So I worked on a PowerShell script to get the exact version of the computers in a domain.

The purpose of this article is to see how to obtain a list of computers with their versions in a csv file.

With the Get-ADComputer command (New)

• Retrieve the Windows version of all computers and export the information in a csv file C:\OS_Version_List.csv :

PS C:\ > Get-ADComputer -Filter '*' -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion | Export-Csv -Path C:\OS_Version_List.csv

• Display the version of windows for all enabled computers :

PS C:\ > Get-ADComputer -Filter {(Enabled -eq $True)} -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion -Wrap -Autosize

• Show the version of windows for all enabled computers, whose name starts with PC0 and whose operating system name starts with Windows 7 :

PS C:\ > Get-ADComputer -Filter 'Name -Like "PC0*" -and Enabled -eq $True' -Property * | Where-Object { $_.OperatingSystem -like "Windows 7*" } | Select-Object Name,OperatingSystem,OperatingSystemVersion -Wrap -Autosize

• Show the version of windows for all enabled computers which has been connected for up to 120 days and whose name begins with PC0 :

PS C:\ > Get-ADComputer -Filter {(Enabled -eq $True) -and (Name -Like "PC0*")} -Properties * | where { ($(Get-Date)-[DateTime]::FromFileTime($_.LastLogonTimeStamp)).Days -lt 120 } | Select-object Name,OperatingSystem,OperatingSystemVersion

WinRM method (Old)

I will use Windows Remote Management so we need to enable it on each computer we want to retrieve OS version, to do so we can do it via GPO.

Enable WinRM with GPO

• Inside your GPO, go to Computer Configuration > Preferences > Control Panel Settings > Services and create a new service :

• Choose Windows Remote Management (WS-Management) and click Select :

• Set parameters and click OK :

• Go to Computer configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service and edit Allow remote server management through WinRM rule :

• Enable and set the rule then click OK :

Allow WinRM on firewall

WinRM use TCP ports 5985 (HTTP) or 5986 (HTTPS), so it needs to be openned on the target firewall.

Normally in an Active Directory environment unencrypted (5985 (HTTP)) connections are disabled. You can check this with the following command :

PS C:\ > winrm get winrm/config/service

Check WinRM connectivity

• Check WinRM service status (on source and destination hosts) :

PS C:\ > (Get-Service WinRM).Status

• From a Domain Controller run this command to see if we are able to retrieve OS Version, example here with PC01 :

PS C:\ > Invoke-Command -ScriptBlock { [System.Environment]::OSVersion.Version } -ComputerName PC01 | Select-Object PSComputerName,Build

Script to csv

I wrote a small script which test that computers (from PC0001 to PC0400) are reachable, if so it tries to retrieve OS Version via WinRM and wrote informations inside a C:\OS_Version_List.csv file.

#Test for PC0001 to PC0400
	1..400 | foreach {
		$i="{0:D4}" -f $_
		$ping = ping -n 1 "PC$i"| findstr "TTL"
		if ($LASTEXITCODE -eq "0")
		{
			$ip = $PING -replace ".* ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*",'$1'
			Write-Host "PC$i is up"
			Try { Invoke-Command -ScriptBlock { [System.Environment]::OSVersion.Version } -ComputerName "PC$i" -ErrorAction Stop | Select-Object PSComputerName,Build,@{Name="IP";Expression={"$ip"}} | Export-Csv -Path C:\OS_Version_List.csv -Append }
			Catch { '' | Select-Object @{Name="PSComputerName"; Expression={"PC$i"}},@{Name="Build"; Expression={"UNKNOWN"}},@{Name="IP";Expression={"$ip"}} | Export-Csv -Path C:\OS_Version_List.csv -Append }
		} else {
			Write-Host "PC$i is not available"
		}
	}