Deploying Windows Defender updates with WSUS


I’ve been recently alerted by a Nessus report that Windows Defender wasn’t up-to-date. Nessus actually raised the following two alerts about the Malware Protection Engine in various products:

The Nessus database references the issues on these pages:

And both Nessus reports link to, which says:

Note Windows Defender may be disabled when Microsoft Security Essentials (MSE) or Forefront Endpoint Protection (FEP) is being installed. This is by design, as MSE and FEP are functional supersets of Windows Defender. The currently active product will receive engine and definition updates accordingly.

In other words, just deploying the latest Definition Update for whatever installed Malware Protection Engine would fix these two Nessus alerts :-D

Hands-on! Update the WSUS server configuration

Note that the following will run on a WSUS server built-in Windows 2012 R2.

# View what are the currently selected products
(Get-WsusServer).GetSubscription().GetUpdateCategories() | 
Format-Table Title,Id -AutoSize

NB: One cannot just add new products or classifications because there’s no method for this purpose :-(

# Select the products I want and update the WSUS config
$subscription = (Get-WsusServer).GetSubscription()
$products = (Get-WsusServer).GetUpdateCategories() | Where {
    $_.Id -in @(
        'bfe5b177-a086-47a0-b102-097e4fa1f807', # Windows 7
        '6407468e-edc7-4ecd-8c32-521f64cee65e', # Windows 8.1
        '8c3fcc84-7410-4a95-8b89-a166a0190486'  # Windows Defender
$coll = New-Object -TypeName Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$products | foreach { $coll.Add($_) }
# View what are the currently selected classifications
(Get-WsusServer).GetSubscription().GetUpdateCategories() |
Format-Table Title,Id -AutoSize
# Select the classifications I want and update the WSUS config
$subscription = (Get-WsusServer).GetSubscription()
$classifications = (Get-WsusServer).GetUpdateClassifications() | Where {
    $_.Id -in @(
        'e6cf1350-c01b-414d-a61f-263d14d133b4', # Critical Updates
        '0fa1201d-4330-4fa8-8ae9-b877473b6441', # Security Updates
        '68c5b0a3-d1a6-4553-ae49-01d3a7827828', # Service Packs
        'e0789628-ce08-4437-be74-2495b842f43b'  # Definition Updates 
$coll = New-Object -TypeName Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$classifications  | foreach { $coll.Add($_) }

Deploy the Definition updates

First the WSUS needs to be re-synced from its upstream source (Microsoft Update, in my case)


Whatever the speed of your ISP link, go and get a coffee or your favorite beverage.
When you’re back, check the progress of the sync.


…or if it finished, check it’s status


There are two methods to deploy definition updates either by using an ADR (Automatic Deployment Rule) or manually. The ADR method is documented on this page KB919772

But let’s do it manually as I don’t like ADR :-P

Let’s figure out what needs to be deployed:

(Get-WsusServer).SearchUpdates("Defender") | 
Where { 
    $_.PublicationState -ne 'Expired' -and
    -not($_.isSuperseded) } | 
Sort-Object CreationDate | 
Select -Last 2 | 
Format-Table Title,is* -AutoSize

Humm.. there are two different KB. KB915597 is for Windows 7/2008R2 and KB2267602 (that leads to a Oops!! page currently) for Windows 8.1/2012R2

# Select my target group: Windows 7 computers
$targetgroup = (Get-WsusServer).GetComputerTargetGroups() | 
Where Name -eq "Windows 7 x64"

# Make sure nothing is approved
# or mark as 'notapproved' any previously approved Defender updates
# from last month
(Get-WsusServer).SearchUpdates("Defender") | 
Where isApproved | ForEach-Object -Process {            

# Approve the latest definition update for Windows 7
(Get-WsusServer).SearchUpdates("Defender") | 
Where { 
    $_.PublicationState -ne 'Expired' -and  
    -not($_.isSuperseded)  -and
    ($_.Title -match "915597")
} |
Sort-Object CreationDate | 
Select -Last 1 | foreach {

PowerShell and WSUS rocks! No doubt 8-)

Troubleshooting the client’s current Active Directory site

I’ve seen a nice tweet a few weeks ago about how to get the client’s current Active Directory Site.

I cannot remember who tweeted it. Kudos to him/her, it’s very handy.


Of course, there are other (ugly) ways to get it, using gpresult.exe

gpresult /R /scope computer| 
Select-String -Pattern "Site\sName" |
Out-String | 
ConvertFrom-Csv -Delimiter ":" -Header "Property","Value"

… or using nltest.exe

((nltest /DSGETSITE) -split "`n")[0]

The .Net way is now definetly my favorite :-D

I wondered how far this System.DirectoryServices.ActiveDirectory.ActiveDirectorySite .Net class is available?

I could have find the answer using the following MSDN page:

…but my first attempt was the hard way :\
I remembered that I could easily get the Dll a cmdlet is loaded from with the Get-Command cmdlet:

Get-Command -Name Get-Command | fl Dll

How can I get the same info for a .Net class?

 ) | fl Location

So, the answer is that the System.DirectoryServices.ActiveDirectory.ActiveDirectorySite .Net class is available as of .Net version 2.0 on any (domain joined) client. Cool, isn’t it? 8-)

Quick tip: subnet and ConfigMgr boundary for Direct Access clients

I’ve seen this morning the following blog post about boundaries in Configuration Manager for Direct Access clients.

I’d like to add more info on this topic because I’ve done the same in my environment a few days ago.

Gerry Hampson shows that he gets the ipv6 prefix directly in the properties of a Configuration Managment client in the ConfigMgr Admin console.
He made here an assumption. Having IPv6 addresses reported in Configuration Manager assumes that you have an IPv6 based DNS server where AAAA records are created for your Direct Access clients.
When you don’t have an IPv6 DNS server, you don’t have this info in the ConfigMgr client properties:

Where do I get the client ipv6 prefix ?

You can get it on your Direct Access server(s) with the following cmdlet

Get-RemoteAccess | select  ClientIPv6Prefix

Easy, isn’t it? 8-)

Don’t forget! It may seem pretty obvious but…
Before adding the IPv6 prefix as a ConfigMgr boundary, add it first to your Active Directory Sites and Services subnets.
This way your Direct Access clients will immediately know with what Global Catalog and Domain controllers they should talk to.

Fix the infamous 0x800f0906 or ‘the source files could not be downloaded’ error

In September 2014, Microsoft released MS14-046 that would prevent you from enabling the .Net Framework 3.5 on Windows Server 2012 R2, 2012, Windows 8 and 8.1.

It was reported by this blog post:

…and was recently updated to tell us that there’s a hotfix available now on

What’s the problem?

You cannot enable the .Net Framework either from Windows Update source or any other local sources (WSUS, the Sources\SXS folder of your Windows ISO image).
And you get the infamous 0x800f0906 or ‘the source files could not be downloaded’ error :-(

What caused it

How to fix the problem (official guidance)

At the end of the blog post, there’s an extra recommendation you could follow. (Remember, it’s not the first time that we get the 0x800f0906 error when enabling .Net Framework3.5)

Let’s see some PowerShell based tips to see how to troubleshoot and fix this :-)

Is .Net 3.5 installed on Windows Server 2012 R2 ?

Get-WindowsFeature | Where Name -match "Net-Frame"

Is .Net 3.5 installed on Windows 8.1 ?

Get-WindowsOptionalFeature -Online | 
Where FeatureName -match "^NetFx(3|4-)"

Is the offending MS14-046 update installed on my system ?

# For Windows 2012R2 and Windows 8.1
Get-HotFix | Where HotfixID -match  "2966828"
# For Windows 2012 and Windows 8
Get-HotFix | Where HotfixID -match  "2966827"

If there’s no result, it means that it’s not installed (good news).

How can I reproduce the issue on my Windows Server 2012 R2 ?

# Either install from local sources\sxs folder
Mount-DiskImage -ImagePath .\en_windows_server_2012_r2_vl_with_update_x64_dvd_4065221.iso
dir D:\
Install-WindowsFeature -Name NET-Framework-Core -Source D:\sources\sxs -Restart:$false -Verbose
# or from Windows Update
Install-WindowsFeature -Name NET-Framework-Core -Source "Windows Update" -Restart:$false -Verbose

What can I see in the logs

"dism","cbs" | foreach {
 sls -Pattern "0x800f090(e|6)" -Path "$($env:systemroot)\logs\$($_)\$($_).log"

NB: sls is the alias of the select-string cmdlet (grep for Windows :-D )

Uninstall the offending update using wusa.exe

 wusa /uninstall /kb:2966828 /quiet /norestart
Get-WinEvent -MaxEvents 3 -LogName Setup |
Select -Expand Message

NB: no reboot is required :-)

Uninstall the offending update using DISM cmdlets

Get-WindowsPackage -Online |
Where 'PackageName' -match "2966828" |
Remove-WindowsPackage -Online -Verbose -NoRestart

Next steps?

  • Enable the .Net Framework 3.5 feature
  • # Install from local sources\sxs folder
    Install-WindowsFeature -Name NET-Framework-Core -Source D:\sources\sxs -Restart:$false -Verbose

  • Install all security updates required for .Net Framework 3.5 including the offending update previously uninstalled
  • $UpdatesFromMU = Get-WindowsUpdate -FromMU:$true
    $UpdatesFromMU | Select Title,@{
        l='Category';e={$_.Categories | Where { -not($_.Parent) } | Select -Expand Name}
    } | Where Category -match "Security" | Out-GridView

    NB: I’ve used the Get-WindowsUpdate function from this post

Follow-up on downloading Windows Assessment and Deployment Kit (Windows ADK) 8.1 (September 2014)

There’s a new release of the Windows Assessment and Deployment Kit (Windows ADK) 8.1 this month.
I’ve seen a blog post from Johan Arwidmark about this new release:

I just came back from holidays and have prepared the updated code before my holidays but hadn’t time to blog about it :-|

What did I change in the code? Not many things.
I’ve removed duplicate entries in the here-strings and I’m now using a $PatchLevel variable to keep track of the current version.

#Requires -Version 4
#Requires -RunAsAdministrator 
Function Get-ADKFiles {
Begin {
    $HT = @{}
    $HT += @{ ErrorAction = 'Stop'}
    # Validate target folder
    try {
        Get-Item $TargetFolder @HT | Out-Null
    } catch {
        Write-Warning -Message "The target folder specified as parameter does not exist"

    # April 2014: 8.100.26629
    $PatchLevel = "8.100.26866"

Process {
    $adkGenericURL = (Invoke-WebRequest -Uri -MaximumRedirection 0 -ErrorAction SilentlyContinue)
    # 302 = redirect as moved temporarily
    if ($adkGenericURL.StatusCode -eq 302) {
        # Currently set to
        $MainURL = $adkGenericURL.Headers.Location
        $InstallerURLs = DATA {
            ConvertFrom-StringData @'
                86=Application Compatibility Toolkit-x64_en-us.msi
                87=Application Compatibility Toolkit-x86_en-us.msi
                88=Assessments on Client-x86_en-us.msi
                89=Assessments on Server-x86_en-us.msi
                125=Kits Configuration Installer-x86_en-us.msi
                126=Microsoft Compatibility Monitor-x86_en-us.msi
                128=Toolkit Documentation-x86_en-us.msi
                129=User State Migration Tool-x86_en-us.msi
                130=Volume Activation Management Tool-x86_en-us.msi
                135=Windows Assessment Services - Client (AMD64 Architecture Specific, Client SKU)-x86_en-us.msi
                136=Windows Assessment Services - Client (AMD64 Architecture Specific, Server SKU)-x86_en-us.msi
                137=Windows Assessment Services - Client (Client SKU)-x86_en-us.msi
                138=Windows Assessment Services - Client (Server SKU)-x86_en-us.msi
                139=Windows Assessment Services - Client (X86 Architecture Specific, Client SKU)-x86_en-us.msi
                140=Windows Assessment Services-x86_en-us.msi
                141=Windows Assessment Toolkit (AMD64 Architecture Specific)-x86_en-us.msi
                142=Windows Assessment Toolkit (X86 Architecture Specific)-x86_en-us.msi
                143=Windows Assessment Toolkit-x86_en-us.msi
                144=Windows Deployment Customizations-x86_en-us.msi
                145=Windows Deployment Tools-x86_en-us.msi
                146=Windows PE x86 x64 wims-x86_en-us.msi
                147=Windows PE x86 x64-x86_en-us.msi
                148=Windows System Image Manager on amd64-x86_en-us.msi
                149=Windows System Image Manager on x86-x86_en-us.msi
                150=WPT Redistributables-x86_en-us.msi
        $PatchesURLs = DATA {
            ConvertFrom-StringData @'
                0=Toolkit Documentation-x86_en-us.msp
                1=Application Compatibility Toolkit-x86_en-us.msp
                2=Application Compatibility Toolkit-x64_en-us.msp
                3=Windows Deployment Tools-x86_en-us.msp
                4=Windows System Image Manager on amd64-x86_en-us.msp
                5=Windows System Image Manager on x86-x86_en-us.msp
                6=Windows PE x86 x64-x86_en-us.msp
                7=User State Migration Tool-x86_en-us.msp
                8=Volume Activation Management Tool-x86_en-us.msp
                11=WPT Redistributables-x86_en-us.msp
                12=Windows Assessment Toolkit-x86_en-us.msp
                13=Assessments on Client-x86_en-us.msp
                14=Windows Assessment Services-x86_en-us.msp
                15=Windows Assessment Services - Client (Server SKU)-x86_en-us.msp
                16=Assessments on Server-x86_en-us.msp
                17=Windows Assessment Services - Client (Client SKU)-x86_en-us.msp
        "Installers","Patches\$PatchLevel" | ForEach-Object -Process {
            # Create target folders if required as BIT doesn't accept missing folders
            If (-not(Test-Path (Join-Path -Path $TargetFolder -ChildPath $_))) {
                try {
                    New-Item -Path (Join-Path -Path $TargetFolder -ChildPath $_) -ItemType Directory -Force @HT
                } catch {
                    Write-Warning -Message "Failed to create folder $($TargetFolder)/$_"
        # Get adksetup.exe
        Invoke-WebRequest -Uri "$($MainURL)adksetup.exe" -OutFile  "$($TargetFolder)\adksetup.exe"
        # Create a job that will downlad our first file
        $job = Start-BitsTransfer -Suspended -Source "$($MainURL)Installers/$($InstallerURLs['0'])" -Asynchronous -Destination (Join-Path -Path $TargetFolder -ChildPath ("Installers/$($InstallerURLs['0'])")) 
        # Downlod installers
        For ($i = 1 ; $i -lt $InstallerURLs.Count ; $i++) {
            $URL = $Destination = $null
            $URL = "$($MainURL)Installers/$($InstallerURLs[$i.ToString()])"
            $Destination = Join-Path -Path (Join-Path -Path $TargetFolder -ChildPath Installers) -ChildPath (([URI]$URL).Segments[-1] -replace '%20'," ")
            # Add-BitsFile
            $newjob = Add-BitsFile -BitsJob $job -Source  $URL -Destination $Destination
            Write-Progress -Activity "Adding file $($newjob.FilesTotal)" -Status "Percent completed: " -PercentComplete (($newjob.FilesTotal)*100/($InstallerURLs.Count))
        # Donwload Patches
        For ($i = 0 ; $i -lt $PatchesURLs.Count ; $i++) {
            $URL = $Destination = $null
            $URL = "$($MainURL)Patches/$PatchLevel/$($PatchesURLs[$i.ToString()])"
            $Destination = Join-Path -Path (Join-Path -Path $TargetFolder -ChildPath "Patches/$PatchLevel") -ChildPath (([URI]$URL).Segments[-1] -replace '%20'," ")
            # Add-BitsFile
            $newjob = Add-BitsFile -BitsJob $job -Source  $URL -Destination $Destination
        # Begin the download and show us the job
        Resume-BitsTransfer  -BitsJob $job -Asynchronous
        while ($job.JobState -in @('Connecting','Transferring','Queued')) {
            Write-Progress -activity "Downloading ADK files" -Status "Percent completed: " -PercentComplete ($job.BytesTransferred*100/$job.BytesTotal)
        Switch($job.JobState) {
         "Transferred" {
            Complete-BitsTransfer -BitsJob $job
         "Error" {
            # List the errors.
            $job | Format-List
        default {
            # Perform corrective action.
End {}

PoC: Tatoo the background of your virtual machines

You may know the popular Bginfo from Sysinternals and that even Azure uses this utility to tatoo the background of virtual machines.

I wondered if PowerShell (alone) would make it and avoid the dependency on an external binary.

I started to use Google and finally decided to fork the following code available on github:

I also needed to find the way to set a wallpaper under Windows 7 and later…
I decided to extend this PowerTip: because the rundll32 tricks doesn’t work.

I created two functions, one to create a new background image either from scratch and based on a colored theme (blue, grey and black) or from the existing wallpaper and the second one to set this image as a wallpaper.

Function New-BGinfo {
    Param(  [Parameter(Mandatory)]
            [string] $Text,

            [string] $OutFile= "$($env:temp)\BGInfo.bmp",




            [int32]$FontSize = 12,

Begin {

    Switch ($Theme) {
        Blue {
            $BG = @(58,110,165)
            $FC1 = @(254,253,254)
            $FC2 = @(185,190,188)
            $FS1 = $FontSize+1
            $FS2 = $FontSize-2
        Grey {
            $BG = @(77,77,77)
            $FC1 = $FC2 = @(255,255,255)
        Black {
            $BG = @(0,0,0)
            $FC1 = $FC2 = @(255,255,255)
    Try {
        [system.reflection.assembly]::loadWithPartialName('system.drawing.imaging') | out-null
        [system.reflection.assembly]::loadWithPartialName('') | out-null

        # Draw string > alignement
        $sFormat = new-object system.drawing.stringformat

        Switch ($Align) {
            Center {
                $sFormat.Alignment = [system.drawing.StringAlignment]::Center
                $sFormat.LineAlignment = [system.drawing.StringAlignment]::Center
            Left {
                $sFormat.Alignment = [system.drawing.StringAlignment]::Center
                $sFormat.LineAlignment = [system.drawing.StringAlignment]::Near

        if ($UseCurrentWallpaperAsSource) {
            $wpath = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name WallPaper -ErrorAction Stop).WallPaper
            if (Test-Path -Path $wpath -PathType Leaf) {
                $bmp = new-object system.drawing.bitmap -ArgumentList $wpath
                $image = [System.Drawing.Graphics]::FromImage($bmp)
                $SR = $bmp | Select Width,Height
            } else {
                Write-Warning -Message "Failed cannot find the current wallpaper $($wpath)"
        } else {
            $SR = [System.Windows.Forms.Screen]::AllScreens | Where Primary | 
            Select -ExpandProperty Bounds | Select Width,Height

            Write-Verbose -Message "Screen resolution is set to $($SR.Width)x$($SR.Height)" -Verbose

            # Create Bitmap
            $bmp = new-object system.drawing.bitmap($SR.Width,$SR.Height)
            $image = [System.Drawing.Graphics]::FromImage($bmp)
                (New-Object Drawing.SolidBrush (
                (new-object system.drawing.rectanglef(0,0,($SR.Width),($SR.Height)))

    } Catch {
        Write-Warning -Message "Failed to $($_.Exception.Message)"
Process {

    # Split our string as it can be multiline
    $artext = ($text -split "\r\n")
    $i = 1
    Try {
        for ($i ; $i -le $artext.Count ; $i++) {
            if ($i -eq 1) {
                $font1 = New-Object System.Drawing.Font($FontName,$FS1,[System.Drawing.FontStyle]::Bold)
                $Brush1 = New-Object Drawing.SolidBrush (
                $sz1 = []::MeasureText($artext[$i-1], $font1)
                $rect1 = New-Object System.Drawing.RectangleF (0,($sz1.Height),$SR.Width,$SR.Height)
                $image.DrawString($artext[$i-1], $font1, $brush1, $rect1, $sFormat) 
            } else {
                $font2 = New-Object System.Drawing.Font($FontName,$FS2,[System.Drawing.FontStyle]::Bold)
                $Brush2 = New-Object Drawing.SolidBrush (
                $sz2 = []::MeasureText($artext[$i-1], $font2)
                $rect2 = New-Object System.Drawing.RectangleF (0,($i*$FontSize*2 + $sz2.Height),$SR.Width,$SR.Height)
                $image.DrawString($artext[$i-1], $font2, $brush2, $rect2, $sFormat)
    } Catch {
        Write-Warning -Message "Failed to $($_.Exception.Message)"
End {   
    Try { 
        # Close Graphics

        # Save and close Bitmap
        $bmp.Save($OutFile, [system.drawing.imaging.imageformat]::Bmp);

        # Output our file
        Get-Item -Path $OutFile
    } Catch {
        Write-Warning -Message "Failed to $($_.Exception.Message)"

} # endof function

Function Set-Wallpaper {
        $Style = 'Stretch'
    Try {
        if (-not ([System.Management.Automation.PSTypeName]'Wallpaper.Setter').Type) {
            Add-Type -TypeDefinition @"
            using System;
            using System.Runtime.InteropServices;
            using Microsoft.Win32;
            namespace Wallpaper {
                public enum Style : int {
                Center, Stretch, Fill, Fit, Tile
                public class Setter {
                    public const int SetDesktopWallpaper = 20;
                    public const int UpdateIniFile = 0x01;
                    public const int SendWinIniChange = 0x02;
                    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
                    private static extern int SystemParametersInfo (int uAction, int uParam, string lpvParam, int fuWinIni);
                    public static void SetWallpaper ( string path, Wallpaper.Style style ) {
                        SystemParametersInfo( SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange );
                        RegistryKey key = Registry.CurrentUser.OpenSubKey("Control Panel\\Desktop", true);
                        switch( style ) {
                            case Style.Tile :
                                key.SetValue(@"WallpaperStyle", "0") ; 
                                key.SetValue(@"TileWallpaper", "1") ; 
                            case Style.Center :
                                key.SetValue(@"WallpaperStyle", "0") ; 
                                key.SetValue(@"TileWallpaper", "0") ; 
                            case Style.Stretch :
                                key.SetValue(@"WallpaperStyle", "2") ; 
                                key.SetValue(@"TileWallpaper", "0") ;
                            case Style.Fill :
                                key.SetValue(@"WallpaperStyle", "10") ; 
                                key.SetValue(@"TileWallpaper", "0") ; 
                            case Style.Fit :
                                key.SetValue(@"WallpaperStyle", "6") ; 
                                key.SetValue(@"TileWallpaper", "0") ; 
"@ -ErrorAction Stop 
            } else {
                Write-Verbose -Message "Type already loaded" -Verbose
        # } Catch TYPE_ALREADY_EXISTS
        } Catch {
            Write-Warning -Message "Failed because $($_.Exception.Message)"
    [Wallpaper.Setter]::SetWallpaper( $Path, $Style )

Let’s see these two functions in action.

First define some multiline text to be written in the image.

$os = Get-CimInstance Win32_OperatingSystem
($o = [pscustomobject]@{
    HostName =  $env:COMPUTERNAME
    UserName = '{0}\{1}' -f  $env:USERDOMAIN,$env:USERNAME
    'Operating System' = '{0} Service Pack {1} (build {2})' -f  $os.Caption,
}) | ft -AutoSize
$BootTime = (New-TimeSpan -Start $os.LastBootUpTime -End (Get-Date)).ToString()

# $t is the multiline text defined as here-string
$t = @"
Logged on user: $($o.UserName)
$($o.'Operating System')
Uptime: $BootTime
  • Exemple 1: ala Backinfo
  • $WallPaper = New-BGinfo -text $t
    Set-Wallpaper -Path $WallPaper.FullName -Style Center

  • Exemple 2: ala Bginfo using the current wallpaper
  • $BGHT = @{
     Text  = $t ;
     Theme = "Black" ;
     FontName = "Verdana" ;
     UseCurrentWallpaperAsSource = $true ;
    $WallPaper = New-BGinfo @BGHT
    Set-Wallpaper -Path $WallPaper.FullName -Style Fill
    # Restore the default VM wallpaper
    Set-Wallpaper -Path "C:\Windows\Web\Wallpaper\Windows\img0.jpg" -Style Fill

This proof of concept based on just a few hundred lines of PowerShell proves that the dependency on Bginfo could be avoided…

Quick tips about dism

Whenever I’m working on Windows 7 and Windows 2008 R2 server, I cannot leverage the new DISM PowerShell module built-in Windows 8.x and 2012 server.

The built-in command dism.exe can display packages as a list or a table.

When I’m looking for the state of a particular package, I use the Select-String cmdlet to parse the default dism output formatted as a list.
The -Context parameter allows to display the next 4 lines after it finds the matching pattern:

dism /online /get-packages | 
Select-String -Pattern "2965788" -Context 0,4

NB: sls is the alias of Select-String as of PowerShell 3.0

Yesterday, I wanted to get the list of packages sorted by their installation time.
The default format of dism.exe by list doesn’t help.
The first step was to skip the first lines of the dism output formatted in a table.
The second step consists in transforming the dism table output into objects with the ConvertFrom-Csv cmdlet.
These two steps don’t allow to sort by “Install Time” as the ‘Install Time’ is a string and not a datetime object.
The last step kills two birds with one stone. It removes the last line “The operation completed successfully” of dism.exe and converts the ‘Install Time’ values into datetime objects.

dism /online /get-packages /format:table | 
Select-Object -Skip 12 | 
ConvertFrom-Csv -Header "PackageName","State","Release Type","Install Time" -Delimiter "|" | 
foreach {
 if ($_.PackageName -notmatch "The operation completed successfully.") {
   PackageName = $_.PackageName ;
   State = $_.State ;
   Type = $_.'Release Type' ;
   'Install Time' = (Get-Date -Date $_.'Install Time') ;
} | 
Sort 'Install Time'