Friday, May 19, 2017

WannaCry Patch Report - Follow Up Post

Crazy week huh?

Interest in Software Updates went from close to zero to a hundred over a weekend, and suddenly you have managers demanding status reports on how well their departments are patched against WannaCry.

Normally when I create reports I use them myself for some time (sometimes months or years if I forget about them) to work out most of the bugs before I release them.
Since this was a time-sensitive issue I published this report within hours of creating it. Fortunately it turned out to work fine, apart from some small issues with the Baseline CAB file not wanting to import on older systems.

On Monday I started to create a report to find out if computers were patched or not.
The first discovery was that "MS17-010" was long gone and had been replaced by a bunch of new patches. (I think the list ended up containing 27 patches, not including Vista, 2003 and XP.)

I first tried to use the Software Update DB in Configmgr to find out if computers were patched or not, but ran into problems with supersedence and updates expiring. Basically, when an update expires there is no way to tell if a computer has installed it or not: they all report "Update not Required" regardless of whether they had it installed.
The report sort of worked if you didn't expire the update immediately when it was superseded, but I decided to use a Configuration Baseline instead and wrote a quick CI that checks whether one of the patches is registered in Win32_QuickFixEngineering or the build number is 15063 (Creators Update) or higher.

Modified the report to check the Baseline instead of Software Update Compliance, and that seems to work perfectly.

Another good approach would have been to enable hardware inventory of "Win32_QuickFixEngineering" and use that.
I could also have included a CI for "SMBv1" in the Baseline to verify that the machines have it disabled.
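As an added example (not part of the original baseline or the author's CAB file), here is what such an SMBv1 CI script could look like: a script-setting detection script that returns True only when the SMB server has SMBv1 switched off. It assumes the CI is configured with a compliance rule of "value equals True" and that the clients have at least PowerShell 2.0. It checks only the server-side switch, which is the side MS17-010 patches; the mrxsmb10 client driver is left alone.

```powershell
# Added example CI script for the WannaCry_Patched baseline: compliant (True) only when
# server-side SMBv1 is disabled. Assumption: the CI compares the script output to "True".
# Get-WmiObject/Get-ItemProperty are used instead of CIM cmdlets so it runs on PowerShell 2.0.

$os    = Get-WmiObject -Query "SELECT BuildNumber FROM Win32_OperatingSystem"
$build = [convert]::ToInt32($os.BuildNumber)

# Windows 8 / Server 2012 (build 9200) and newer: the SmbShare module reports the live setting,
# including the case where the SMB1 feature has been removed entirely.
if ($build -ge 9200) {
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        Return (-not [bool]$cfg.EnableSMB1Protocol)
    }
    catch {
        # Module missing or blocked (e.g. constrained host): fall back to the registry below.
    }
}

# Windows 7 / Server 2008 R2 (KB2696547): SMBv1 is controlled by the DWORD value SMB1 under
# LanmanServer\Parameters. The value is absent by default, which means SMBv1 is ENABLED,
# so only an explicit 0 counts as disabled.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$item = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
if ($item -eq $null) {
    Return $false            # value missing: default, SMBv1 still on
}
Return ([convert]::ToInt32($item.SMB1) -eq 0)
```

This is meant to sit next to the patch CI, not replace it: a machine with SMBv1 off is not reachable by the SMBv1 exploit WannaCry spreads with, but it still needs the MS17-010 fix for the day someone turns SMBv1 back on.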

Since May 17 is a holiday in Norway we still have quite a few machines that haven't been checked yet.
I have made some changes to the report since I released it on Thursday (May 16): added two gauges to indicate compliance.
It has been running for a couple of days now and our compliance looks good.

We set 98% compliance as our working goal, and set the apprentices to monitor the report as the results came in. They checked the non-compliant machines against a list with the Software Update statuses (bottom query in my last post) to see what the hold-up was (reboot pending, install failures, etc.).
For machines that needed attention we created a ticket in our helpdesk.

At the time I'm writing this, not one of our machines has been infected by WannaCry.
Considering that one of our sites contains 8000+ student and teacher laptops, that's amazing!

WannaCry Patch Compliance Report for one of our collections.
Here's how the report looks now. By default it's sorted with the machines in the "Non-Compliant" or "Error" state at the top.

I have updated the report with the new changes. (The latest version has version 0.4 in the bottom left corner.)

Monday, May 15, 2017

WannaCry Patch Compliance Report

  • 15 May 13:40, Updated the query to show Windows 10 (Build 15063) Creators Update as Patched.
  • 15 May 14:10, Had made a mistake in the last version with the update status. Fixed now.
  • 15 May 15:00, Expanded the list of updates.
  • 16 May 10:00, This doesn't work as expected: when an update is superseded the old one is set as "Not Required". Got a new version almost ready that uses a Baseline/CI with a WMI query against Win32_QuickFixEngineering, seems to work much better. Keep checking back, I'll post it soon.
  • 16 May 14:30, New version of the report that uses the baseline available for download.
  • 16 May 17:00, Tweaked the baseline WMI query to support builds higher than 15063.
  • 24 May, Updated the Baseline, added 3 KBs for Windows 7 and fixed the build number check (the greater-than-15063 statement should now work as expected).
  • 29 June, Added KB4022727, KB4022714 and KB4022715 to the list (Windows 10 June updates). Haven't updated the CAB file, just copy the PowerShell code below and update the CI.

I just got back from a one-week vacation and everybody is freaking out about the WannaCry ransomware.
I spent the whole morning working with people hanging over my shoulder watching me write SQL queries to get the information they were looking for.
The vulnerability that WannaCry uses was patched in bulletin "MS17-010", but that update is expired and superseded by other updates that again are expired and superseded... and so on. This makes it hard to tell if computers are patched against WannaCry or not.

So! I created a report to show if machines in a collection are patched against WannaCry or not.
The way the report works is that I've created a list of updates that contain the patch for the WannaCry vulnerability (the MS17-010 fix and the cumulative updates that have since superseded it), and if a machine has one of those patches installed it shows as "Patched"; if not it shows as "Not-Patched / Unknown".

The list of updates it checks against is easily changed. I've added the updates that I could find that fix this issue, but this was a rush job so there may be errors in the list. If you find any errors or updates that are missing from the list, post a comment below.

Created a new version of the report that uses Configuration Baselines to determine patch state. It queries WMI on the machines (Win32_QuickFixEngineering) for one or more of the KB patches that fix the problem.

The new report is a bit more work since you have to deploy the Configuration Baseline (included in the zip file), but it should give better results. It is also slower, since the baseline needs to be evaluated on the clients before they report compliance.

I've been testing it myself all morning and it seems to work as expected, let me know.
The old version is still available.

Download Report (SUP Version)
(If you still want to use this report, check out this tip on Reddit: you can set updates not to expire immediately when they are superseded.)

Download New Report (Baseline Version)
(The new version has a version number in the footer.)

Note! This is the first version of the report and it was created in a rush. If you find mistakes or errors, post a comment below.
I'll update the report as soon as I can when we find errors or updates that should be added to or removed from the list.

The list of updates is based on this blog post and the "Microsoft WannaCrypt Customer Guidance Document".

People don't seem to agree on whether Windows 10 versions other than Creators Update (1703) are immune or not. For now Windows 10 is part of the report: a Windows 10 machine below build 15063 only counts as patched if one of the listed cumulative updates is installed (KB4012606 for 1507, KB4013198 for 1511 and KB4013429 for 1607 are the March 2017 ones in the list).

Both versions of the report use the same logic to determine if a computer is patched or not.
The SUP version checks against the Software Update views, but there is an issue with superseded updates if you don't increase the time between an update being superseded and the update expiring.

The Baseline version checks for the updates in WMI on the clients and reports back the compliance state that is shown in the report. This is a better method, but it's slower: you have to deploy the Configuration Baseline and wait for the clients to evaluate it and report back their compliance state.
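To shorten that wait during an incident you can force the evaluation on a client instead of waiting for the schedule. The script below is an added example, not something from the original post or download: it runs on the client (locally or through Invoke-Command), uses the client's root\ccm\dcm WMI namespace, and assumes the baseline deployment policy has already arrived on the client and that the baseline keeps the DisplayName WannaCry_Patched.

```powershell
# Added example: trigger evaluation of a deployed baseline on a ConfigMgr client and read back
# the result. Assumes the deployment has reached the client; run elevated on the client itself
# or wrap it in Invoke-Command -ComputerName <client>.
param(
    [string]$BaselineName = 'WannaCry_Patched',
    [int]$TimeoutSeconds  = 120
)

$ns = 'root\ccm\dcm'
$baselines = @(Get-WmiObject -Namespace $ns -Class SMS_DesiredConfiguration |
    Where-Object { $_.DisplayName -eq $BaselineName })
if ($baselines.Count -eq 0) {
    throw "Baseline '$BaselineName' has not been received by this client yet (no policy in $ns)"
}

foreach ($b in $baselines) {
    $before = $b.LastEvalTime
    # Static method on the class: TriggerEvaluation(Name, Version, IsEnforced, PolicyType).
    # The two optional parameters are left at their defaults (monitor only).
    $null = ([wmiclass]"$($ns):SMS_DesiredConfiguration").TriggerEvaluation($b.Name, $b.Version)

    # Evaluation is asynchronous: poll until LastEvalTime moves or we give up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $current = Get-WmiObject -Namespace $ns -Class SMS_DesiredConfiguration -Filter "Name='$($b.Name)'"
    } until ($current.LastEvalTime -ne $before -or (Get-Date) -gt $deadline)

    # LastComplianceStatus: 1 = Compliant, 0 = Non-Compliant (the other values, e.g. not yet
    # evaluated, are listed in the SMS_DesiredConfiguration SDK documentation).
    New-Object PSObject -Property @{
        Baseline  = $current.DisplayName
        Version   = $current.Version
        Status    = $current.LastComplianceStatus
        Evaluated = $current.LastEvalTime
    }
}
```

The report still only changes after the client has sent its state message to the site, so expect a delay between the status shown here and the status in the report.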

To Deploy the Configuration Baseline

This baseline only monitors, it does not remediate anything, so it should be safe to deploy.
  1. Right-click Configuration Baselines (SCCM Console > Assets and Compliance > Compliance Settings) and select "Import Configuration Data".
  2. Click Add and select the CAB file included in the download (you get a warning that it's not signed, click Yes).
  3. You should now have a WannaCry_Patched Baseline in the list. Right-click it and select Deploy.
  4. Choose a collection and set the schedule to 1 day or something faster.
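The same four steps as a script, added here as an example and not part of the original download. It uses the ConfigurationManager PowerShell module installed with the console (cmdlet and parameter names as of the 2017-era module; Start-CMBaselineDeployment is the older name of what later became New-CMBaselineDeployment). The site code, CAB path and collection name are placeholders.

```powershell
# Added example: import the WannaCry_Patched baseline from the CAB and deploy it, monitor only.
# Run from a machine with the ConfigMgr console installed, as a user with rights to import
# configuration data and deploy baselines. The values below are placeholders (assumptions).
$SiteCode       = 'P01'
$CabFile        = 'C:\Temp\WannaCry_Patched.cab'
$CollectionName = 'All Workstations'
$BaselineName   = 'WannaCry_Patched'      # the report joins on this name; do not rename

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):\"
try {
    # Steps 1-2: import the unsigned CAB; -Force skips the "not signed" prompt.
    Import-CMConfigurationItem -FileName $CabFile -Force

    # Step 3: make sure the baseline landed under the expected name.
    $baseline = Get-CMBaseline -Name $BaselineName
    if (-not $baseline) { throw "Baseline '$BaselineName' was not created by the import" }

    # Step 4: deploy it to the collection, evaluating once a day. Enforcement is not enabled,
    # so the baseline only reports and never remediates.
    $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
    Start-CMBaselineDeployment -Name $BaselineName -CollectionName $CollectionName -Schedule $schedule
}
finally {
    Pop-Location
}
```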

Can't import the baseline? Watch this video to learn how to create it manually.

Note! The Configuration Baseline should be called "WannaCry_Patched", the rest doesn't matter.
(You can call it something else, but then you have to edit the report :-))

Here is the PowerShell script for the baseline (a CI script setting; the client is compliant when it returns True):

$OS = Get-WmiObject -Query "SELECT BuildNumber FROM Win32_OperatingSystem"

# Windows 10 1703 (build 15063) and later are treated as patched, no KB lookup needed.
if ([convert]::ToInt32($OS.BuildNumber) -ge 15063) {
    Return $true
}

# Everything older: compliant if any one of the updates carrying the MS17-010 fix is installed.
# Get-WmiObject rather than Get-CimInstance so the CI also runs on PowerShell 2.0 (Windows 7).
$queryresult = Get-WmiObject -Query "SELECT HotFixID FROM Win32_QuickFixEngineering
WHERE HotFixID = 'KB4015553' OR HotFixID = 'KB4019215' OR HotFixID = 'KB4015549'
OR HotFixID = 'KB4015552' OR HotFixID = 'KB4012598' OR HotFixID = 'KB4019264'
OR HotFixID = 'KB4012215' OR HotFixID = 'KB4012213' OR HotFixID = 'KB4012212'
OR HotFixID = 'KB4012217' OR HotFixID = 'KB4015551' OR HotFixID = 'KB4019216'
OR HotFixID = 'KB4012216' OR HotFixID = 'KB4015550' OR HotFixID = 'KB4013429'
OR HotFixID = 'KB4019472' OR HotFixID = 'KB4015217' OR HotFixID = 'KB4015438'
OR HotFixID = 'KB4016635' OR HotFixID = 'KB4019473' OR HotFixID = 'KB4015219'
OR HotFixID = 'KB4013198' OR HotFixID = 'KB4012606' OR HotFixID = 'KB4015221'
OR HotFixID = 'KB4019474' OR HotFixID = 'KB4012214' OR HotFixID = 'KB4019265'
OR HotFixID = 'KB4019263' OR HotFixID = 'KB4015546' OR HotFixID = 'KB4022727'
OR HotFixID = 'KB4022714' OR HotFixID = 'KB4022715'"

if ($queryresult) {
    Return $true
}
Return $false

Here are some SQL queries to show a computer's status for these updates:

DECLARE @computername VARCHAR(40)
SET @computername = 'Insert Computername here'

SELECT A.resourceid,
       E.name0,
       D.articleid,
       D.title,
       CASE
         WHEN A.status = '0' THEN 'Detection state unknown'
         WHEN A.status = '1' THEN 'Update is not required'
         WHEN A.status = '2' THEN 'Update is required'
         WHEN A.status = '3' THEN 'Update is installed'
         ELSE ''
       END AS StatusName,
       F.statename AS LastEnforcementState,
       D.daterevised
FROM   v_update_compliancestatusall A
       INNER JOIN v_updateinfo D
               ON A.ci_id = D.ci_id
       INNER JOIN v_r_system E
               ON A.resourceid = E.resourceid
       LEFT JOIN v_statenames F
              ON A.lastenforcementmessageid = F.stateid
                 AND F.topictype = 402
WHERE  E.name0 = @computername
       -- article IDs of the KB list in the baseline script (without the KB prefix)
       AND D.articleid IN ( '4015553', '4019215', '4015549', '4015552', '4012598', '4019264',
                            '4012215', '4012213', '4012212', '4012217', '4015551', '4019216',
                            '4012216', '4015550', '4013429', '4019472', '4015217', '4015438',
                            '4016635', '4019473', '4015219', '4013198', '4012606', '4015221',
                            '4019474', '4012214', '4019265', '4019263', '4015546', '4022727',
                            '4022714', '4022715' )
ORDER  BY A.resourceid,
          D.daterevised DESC,
          F.statename ASC

Or this one to show all clients in a collection that are in the process of installing one or more of these updates (not installed yet, but the client has reported an enforcement state such as downloading, pending reboot or failed):

DECLARE @Collection VARCHAR(40)
SET @Collection = 'Insert CollectionID Here'

SELECT A.resourceid,
       E.name0,
       D.articleid,
       D.title,
       CASE
         WHEN A.status = '0' THEN 'Detection state unknown'
         WHEN A.status = '1' THEN 'Update is not required'
         WHEN A.status = '2' THEN 'Update is required'
         WHEN A.status = '3' THEN 'Update is installed'
         ELSE ''
       END AS StatusName,
       F.statename AS LastEnforcementState,
       D.daterevised
FROM   v_update_compliancestatusall A
       INNER JOIN v_fullcollectionmembership B
               ON A.resourceid = B.resourceid
       INNER JOIN v_collection C
               ON B.collectionid = C.collectionid
       INNER JOIN v_updateinfo D
               ON A.ci_id = D.ci_id
       INNER JOIN v_r_system E
               ON A.resourceid = E.resourceid
       LEFT JOIN v_statenames F
              ON A.lastenforcementmessageid = F.stateid
                 AND F.topictype = 402
WHERE  C.collectionid = @Collection
       AND A.status != 3
       AND F.statename IS NOT NULL
       -- article IDs of the KB list in the baseline script (without the KB prefix)
       AND D.articleid IN ( '4015553', '4019215', '4015549', '4015552', '4012598', '4019264',
                            '4012215', '4012213', '4012212', '4012217', '4015551', '4019216',
                            '4012216', '4015550', '4013429', '4019472', '4015217', '4015438',
                            '4016635', '4019473', '4015219', '4013198', '4012606', '4015221',
                            '4019474', '4012214', '4019265', '4019263', '4015546', '4022727',
                            '4022714', '4022715' )
ORDER  BY A.resourceid,
          D.daterevised DESC,
          F.statename ASC

Sunday, October 23, 2016

Creating Report Subscriptions

A small follow-up post to the report I released yesterday.

The reason I released that particular report is that I saw a discussion somewhere (Reddit or the WinAdmins Slack) about people outside the Configmgr team never using reports or any other means of staying updated on how well the clients are managed.
I can understand that for a sysadmin/manager who doesn't work with Configmgr on a daily basis, the wall of reports with vague names can be confusing and hard to use.

Half of the solution to this is creating custom reports that are easy to use and read; the other part of the solution is subscriptions. I don't expect the users themselves to find the relevant reports and set up subscriptions, so I create the subscriptions for them.

We have 18-19 sites that have their own local IT staff; they get the "Collection Summary" report for their site (collection) by email every Monday. I also have a few other reports that I send out on a regular basis.
Some of them are just lists of things that are broken. I call them "fix lists": they are so simple that anyone can start working on them, they don't have to be a Configmgr expert and know where to find deployment errors in the console.
The report below is sent to the helpdesk team leader every Monday; he then splits it into support cases for the team to take care of.

The picture is the actual list that will be sent out tomorrow. It used to be looong, but after we started doing this it has shrunk down to 8 machines.

In our experience 1603 errors need to be fixed manually, but a lot of the other error codes sort themselves out. That's why I only list 1603 errors.
1603 Errors report.
The colour squares are indicators for when the machine was last online (start working on the green ones, the red ones are off the network).

Here is another example of a fix list that I send to the helpdesk: all computers that have a Windows Update that's in an error state.
A lot of these reports are ugly, I haven't bothered making them look good.

Windows Update Errors for a Collection. 

The reports I send to the helpdesk and other IT people tend to be error focused. This is stuff you need to fix!

I also have a few reports that I send to managers, but they tend to emphasise the good parts :-)
Like this one for application deployment success rate.

Application Deployment Success Rate (also does Software Updates and Task Sequences)

Saturday, October 22, 2016

Collection Summary Report, 3-in-one Report! (Windows Update, Endpoint Protection, OS and Computer Model)

Finally got around to tweaking and translating my "Collection Summary" Report.

I created this report to replace several other reports that I force-feed our site admins on a weekly basis :-)
The report is designed to be an e-mail report, sent out once a week, that gives them a quick overview of what's going on at their site (collection).
This report has 3 sections: Computer Details (OS, Model and Inactive Clients), Endpoint Protection and Windows Update.

I decided to focus on these 3 things in the first version of this report. There are probably hundreds of other things I could have put in the report that would have been useful, but you can't have everything in one report.
Collection Summary Report

Note! The Collection parameter dropdown list only shows Endpoint-enabled collections. This is because Endpoint summary data is only collected for Endpoint collections.
(Right-click the Collection --> Properties --> Alerts tab --> View this collection in the Endpoint Protection dashboard)

The report is divided into 3 sections: Computers, Endpoint Protection and Windows Update.


The OS and Model charts should be pretty self-explanatory, but the boxes on the right are meant to give some information on how many of the clients are inactive.

Endpoint Protection

The two graphs show antivirus pattern age and engine version.
The list in the middle gives a quick count of malware detected in the collection in the last 14 days.
The boxes on the right show summarized Endpoint data: how many Endpoint clients are in the collection, how many are inactive and how many are "at risk".

You can click the plus sign in the At Risk box to show a list of clients and what's wrong with them.

Windows Update

Windows Update shows you a Compliant vs Non-Compliant pie chart and a Last Scan graph, while the boxes on the right show deployment and scan errors.

The Deployment and Scan Error boxes can be clicked to bring up a details list, giving some info on the problem.
There's a tool-tip on the error codes that tries to resolve the error code.

The query for Compliant vs Non-Compliant might not be what you expect it to be; it's tuned to show what the site admins should worry about.
If you look at the where statement below, I'll explain the reasoning behind this query.
  • We only look at the status "needs update" (status 2). If a client hasn't evaluated an update yet and doesn't know if it needs it or not (unknown state), we just assume it'll be OK.
  • We only look at updates with a severity of "low" (2 in v_UpdateInfo) or higher; unclassified updates don't count :-)
  • We only look at deployed updates. If I haven't deployed the update they don't need to worry about it.
  • We don't care about expired and superseded updates!
  • We don't count updates newer than 14 days, giving us a "grace period" where the clients can install the update before they're considered non-compliant.
WHERE a.status = 2 AND b.severity >= 2
AND b.daterevised < dateadd(day,-14,getdate()) 
AND b.isDeployed = 1 AND b.isExpired = 0 AND b.isSuperseded = 0

This can be tweaked to match your SLA. (Note that the grace period is measured from the update's DateRevised, not from when you deployed it, so an update that Microsoft re-releases gets a fresh grace period.)
If you don't have an SLA, just ask yourself this: how long after you've deployed an update do you expect all clients to have it installed? If the answer is 30 days, set the grace period to 30 days :-)

The grace period and minimum severity are easily changed in the report. If you need to change the other things you have to edit the query.
If you don't like the grace-period concept, just set it to zero :-)

Monday, September 12, 2016

Windows 10 - Editions and Versions Report (for lack of a better name)


May 02: Quick update, there seems to be a small "bug" in how Windows 10 1703 (Creators Update) registers in the Configmgr DB. For some reason the "branch" field is an empty string, not 0 as expected (or at least NULL instead of an empty string).
I have created a new version of the report (download it here) as a workaround for this issue.

Created this report a few months ago, but didn't release it because I wasn't sure my reverse engineering was correct until Windows 10 1607 was released.
But now Windows 10 1607 is released and everything seems to line up.

This report needs Configmgr 1602 to run (maybe it'll work on 1511, but I haven't tested it).

The report is a details report for Windows 10. It can shed some light on editions, versions, update rings and "state". As with most of my reports you can run it against a specific collection to limit the result and, contrary to the console, it gives you a detailed list of which computer is running what.

 & '.\Upload Reports v3.ps1' -webServiceUrl http://yourreportserver.fqdn

(Read more about the script and additional parameters here)

Added some parameters to the report to enable you to show e.g. only computers on "Current Branch" or only computers that have reached "End of life".

If you found it useful ,feel free to spread the word:-)

Let me know what you think in the comments below or on Twitter. 

Friday, September 2, 2016

Distribution Point Reports, Bonus Content

Got a question under the blog post for my distribution point reports about a "Content View": basically a list of packages with columns for each Distribution Point.

When I created the Distribution Point Reports I actually had this type of view in the early versions of the reports, but I didn't include it in the final version.

So if someone else finds it useful, here it is. I've cleaned up the report to make it look like the other ones.

Wednesday, June 29, 2016

v_GS_OPERATING_SYSTEM not updating correctly

I'm working on my Windows 10 report, but I've run into a strange problem and I'm wondering if anyone else sees the same thing.
The problem seems to be that the v_GS_OPERATING_SYSTEM SQL view is not updating correctly: lots of machines that have been upgraded to Windows 10 still show their old operating system.
v_R_System seems to be correct and I have verified that the machines are running Windows 10.

If anyone running Configmgr 1511 or 1602 could run this query and see if they have the same problem, that would be great.
Reply here or on Twitter.

SELECT A.name0,
       A.build01,
       A.osbranch01,
       C.value AS servicingname,   -- localized name of the servicing state (one row per locale in vSMS_WindowsServicingLocalizedNames)
       B.state,
       D.caption0                  -- what v_GS_OPERATING_SYSTEM still thinks the OS is
FROM   v_r_system A
       LEFT OUTER JOIN vsms_windowsservicingstates B
                    ON B.build = A.build01
                       AND B.branch = A.osbranch01
       LEFT OUTER JOIN vsms_windowsservicinglocalizednames C
                    ON B.NAME = C.NAME
       LEFT OUTER JOIN v_gs_operating_system D
                    ON A.resourceid = D.resourceid
WHERE  A.build01 LIKE '10.%' 

Add AND D.caption0 NOT LIKE '%10%' to the end of the query to only show entries with the wrong caption.

Btw! Here's a sneak peek of the Windows 10 report I'm working on.