- 15 May 13:40, Updated the query to show Windows 10 (Build 15063) Creators Update as Patched.
- 15 May 14:10, Had made a mistake in the last version with the update status. Fixed now.
- 15 May 15:00, Expanded the list of updates.
- 16 May 10:00, This doesn't work as expected: when an update is superseded the old one is set as "Not Required". Got a new version almost ready that uses Baseline/CI with a WMI query against Win32_QuickFixEngineering; it seems to work much better. Keep checking back, I'll post it soon.
- 16 May 14:30, New version of the report that uses a baseline is available for download.
- 16 May 17:00, Tweaked the baseline WMI query to support builds higher than 15063.
- 24 May, Updated the baseline, added 3 KBs for Windows 7 and fixed the build number "check" (the "greater than 15053" statement should now work as expected).
- 29 June, Added KB4022727, KB4022714 and KB4022715 to the list (Windows 10 June updates). Haven't updated the CAB file; just copy the PowerShell code below and update the CI.
I spent the whole morning working with people hanging over my shoulder, watching me write SQL queries to get the information they were looking for.
The vulnerability that WannaCry uses was patched in Bulletin "MS17-010", but that update is expired and superseded by other updates that again are expired and superseded... and so on. This makes it hard to tell if computers are patched against WannaCry or not.
The new report is a bit more work since you have to deploy the Configuration Baseline (included in the zip file), but it should give better results. It is also slower since the baseline needs to be evaluated on the clients.
I've been testing it myself all morning and it seems to work as expected, let me know.
Old version is still available.
(If you still want to use this report, check out this tip on Reddit: you can set updates not to expire immediately when superseded.)
(The new version has a version number in the footer.)
Note! This is the first version of the report and it was created in a rush. If you find mistakes or errors, post a comment below.
I'll update the report as soon as I can when we find errors or updates that should be added to or removed from the list.
The list of updates is based on this blog post and the "Microsoft WannaCrypt Customer Guidance Document":
https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/
People don't seem to agree on whether Windows 10 versions other than Creators Update (1703) are immune or not. For now Windows 10 is part of the report.
Both versions of the report use the same logic to determine if a computer is patched or not.
The SUP version checks against the Software Update views, but there is an issue with superseded updates if you don't increase the time between when an update is superseded and when it expires.
The Baseline version checks for the updates in WMI on the clients and reports back the compliance state that is shown in the report. This is a better method, but it's slower: you have to deploy the Configuration Baseline and wait for the clients to report back their compliance state.
To Deploy the Baseline Configuration
This baseline only monitors; it does not remediate anything, so it should be safe to deploy.
- Right-click Configuration Baselines (SCCM Console > Asset and Compliance Settings) and select "Import Configuration Data".
- Click Add and select the CAB file included in the download (you get a warning that it's not signed; click Yes).
- You should now have a WannaCry_Patched baseline in the list. Right-click it and select Deploy.
- Choose a Collection and set the Schedule to 1 day or something faster.
Can't import the baseline? Watch this video to learn how to create it manually.
Note! The Configuration Baseline should be called "WannaCry_Patched"; the rest doesn't matter.
(You can call it something else, but then you have to edit the report :-))
Here is the PowerShell script for the baseline:
$OS = Get-WmiObject -Query "select * from Win32_OperatingSystem"   # BuildNumber comes back as a string
if ([convert]::ToInt32($OS.BuildNumber) -cge 15063)                # convert so the comparison is numeric
{
    # Windows 10 Creators Update (build 15063) or later counts as patched
    Return $true
}
else
{
    # Compliant if at least one of the listed hotfixes is registered on the client
    $queryresult = Get-WmiObject -Query "select * from Win32_QuickFixEngineering
        where HotFixID = 'KB4015553' OR HotFixID = 'KB4019215' OR HotFixID = 'KB4015549'
        OR HotFixID = 'KB4015552' OR HotFixID = 'KB4012598' OR HotFixID = 'KB4019264'
        OR HotFixID = 'KB4012215' OR HotFixID = 'KB4012213' OR HotFixID = 'KB4012212'
        OR HotFixID = 'KB4012217' OR HotFixID = 'KB4015551' OR HotFixID = 'KB4019216'
        OR HotFixID = 'KB4012216' OR HotFixID = 'KB4015550' OR HotFixID = 'KB4013429'
        OR HotFixID = 'KB4019472' OR HotFixID = 'KB4015217' OR HotFixID = 'KB4015438'
        OR HotFixID = 'KB4016635' OR HotFixID = 'KB4019473' OR HotFixID = 'KB4015219'
        OR HotFixID = 'KB4013198' OR HotFixID = 'KB4012606' OR HotFixID = 'KB4015221'
        OR HotFixID = 'KB4019474' OR HotFixID = 'KB4012214' OR HotFixID = 'KB4019265'
        OR HotFixID = 'KB4019263' OR HotFixID = 'KB4015546' OR HotFixID = 'KB4022727'
        OR HotFixID = 'KB4022714' OR HotFixID = 'KB4022715'"
    if ($queryresult)
    {
        Return $true
    }
    else
    {
        Return $false
    }
}
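The same rule as a function you can run against sample data before touching the CI. This is an added example, not the author's script and not part of the download; the names Test-WannaCryPatched and New-PatchResult and the sample machines are made up for illustration. It shows why the build number has to be converted to an integer and reports which KB satisfied the check.

```powershell
# Added example, not the author's script. Function names and sample machines are hypothetical.
# KB list copied from the baseline script on this page.
$WannaCryKBs = @(
    'KB4015553','KB4019215','KB4015549','KB4015552','KB4012598','KB4019264',
    'KB4012215','KB4012213','KB4012212','KB4012217','KB4015551','KB4019216',
    'KB4012216','KB4015550','KB4013429','KB4019472','KB4015217','KB4015438',
    'KB4016635','KB4019473','KB4015219','KB4013198','KB4012606','KB4015221',
    'KB4019474','KB4012214','KB4019265','KB4019263','KB4015546','KB4022727',
    'KB4022714','KB4022715'
)

function New-PatchResult($Patched, $Reason) {
    New-Object PSObject -Property @{ Patched = $Patched; Reason = $Reason }
}

function Test-WannaCryPatched {
    param(
        [Parameter(Mandatory = $true)][string] $BuildNumber,  # WMI exposes BuildNumber as a string
        [string[]] $InstalledHotFixIds = @()
    )
    # Parse to an integer first. PowerShell converts the right operand to the type
    # of the left one, so with a string on the left '7601' -ge 15063 is compared
    # as text and Windows 7 SP1 would count as Creators Update.
    $build = 0
    if (-not [int]::TryParse($BuildNumber, [ref]$build)) {
        return New-PatchResult $false "Cannot parse build number '$BuildNumber'"
    }
    if ($build -ge 15063) {
        return New-PatchResult $true "Build $build is treated as patched"
    }
    # Same rule as the baseline: one listed KB is enough. Keep the hits so the
    # result says which update satisfied the check.
    $hits = @($InstalledHotFixIds | Where-Object { $WannaCryKBs -contains $_ })
    if ($hits.Count -gt 0) {
        return New-PatchResult $true ("Found " + ($hits -join ', '))
    }
    New-PatchResult $false 'None of the listed KBs is installed'
}

# Constructed sample machines (KB0000001 is a placeholder for an unrelated hotfix).
$samples = @(
    @{ Name = 'WIN7-A';   Build = '7601';  KBs = @('KB0000001', 'KB4012215') },
    @{ Name = 'WIN7-B';   Build = '7601';  KBs = @('KB0000001') },
    @{ Name = 'W10-1607'; Build = '14393'; KBs = @('KB4015217') },
    @{ Name = 'W10-1703'; Build = '15063'; KBs = @() }
)
foreach ($m in $samples) {
    $r = Test-WannaCryPatched -BuildNumber $m.Build -InstalledHotFixIds $m.KBs
    '{0,-9} Patched={1,-5} {2}' -f $m.Name, $r.Patched, $r.Reason
}

# On a live client, feed it the same WMI data the baseline script reads:
# $os  = Get-WmiObject -Class Win32_OperatingSystem
# $kbs = @(Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID })
# Test-WannaCryPatched -BuildNumber $os.BuildNumber -InstalledHotFixIds $kbs
```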
Here are some SQL queries to show a computer's status for these updates:
DECLARE @computername VARCHAR(40)
SET @computername = 'Insert Computername here'
SELECT A.resourceid,
E.name0,
e.user_name0,
D.title,
D.articleid,
D.daterevised,
A.status,
CASE
WHEN A.status = '0' THEN 'Detection state unknown'
WHEN A.status = '1' THEN 'Update is not required'
WHEN A.status = '2' THEN 'Update is required'
WHEN A.status = '3' THEN 'Update is installed'
ELSE ''
END AS StatusName,
F.statename
FROM v_update_compliancestatusall A
INNER JOIN v_updateinfo D
ON A.ci_id = D.ci_id
INNER JOIN v_r_system E
ON A.resourceid = E.resourceid
LEFT JOIN v_statenames F
ON A.lastenforcementmessageid = F.stateid
AND F.topictype = 402
WHERE
E.name0 = @computername
AND D.articleid IN ( '4015553','4019215','4015549','4015552','4012598','4019264','4012215','4012213','4012212','4012217','4015551','4019216','4012216',
'4015550','4013429','4019472','4015217','4015438','4016635','4019473','4015219','4013198','4012606','4015221','4019474','4012214','4019265','4019263','4015546','4022727','4022714','4022715')
ORDER BY resourceid,
D.daterevised DESC,
F.statename ASC
Or this one to show all Clients in a collection that are in the process of installing one or more of these updates:
DECLARE @Collection VARCHAR(40)
SET @Collection = 'Insert CollectionID Here'
SELECT A.resourceid,
E.name0,
e.user_name0,
D.title,
D.articleid,
D.daterevised,
A.status,
CASE
WHEN A.status = '0' THEN 'Detection state unknown'
WHEN A.status = '1' THEN 'Update is not required'
WHEN A.status = '2' THEN 'Update is required'
WHEN A.status = '3' THEN 'Update is installed'
ELSE ''
END AS StatusName,
F.statename
FROM v_update_compliancestatusall A
INNER JOIN v_fullcollectionmembership B
ON A.resourceid = B.resourceid
INNER JOIN v_collection C
ON B.collectionid = C.collectionid
INNER JOIN v_updateinfo D
ON A.ci_id = D.ci_id
INNER JOIN v_r_system E
ON A.resourceid = E.resourceid
LEFT JOIN v_statenames F
ON A.lastenforcementmessageid = F.stateid
AND F.topictype = 402
WHERE C.collectionid = @Collection
AND A.status != 3
AND F.statename IS NOT NULL
AND D.articleid IN ( '4015553','4019215','4015549','4015552','4012598','4019264','4012215','4012213','4012212','4012217','4015551','4019216','4012216',
'4015550','4013429','4019472','4015217','4015438','4016635','4019473','4015219','4013198','4012606','4015221','4019474','4012214','4019265','4019263','4015546','4022727','4022714','4022715')
ORDER BY resourceid,
D.daterevised DESC,
F.statename ASC
Hello,
Great report for SCCM.
Just to add that after installing the report in the SSRS web site, you have to edit this report with ReportBuilder to change the datasource: edit the property of the datasource, then click on the "Browse" button to choose your local SCCM datasource instead of the one included.
Then save the report and that's all, you can run it and see.
Anyone else getting a QUERY EXECUTION FAILED FOR DATASETS 'Clients' INVALID COLUMN NAME 'Build01' after importing the report and changing the datasource?
What version of SCCM?
Think the Build01 field is only present in 1507 (maybe 1603) and newer.
Still on SCCM 2012 SP1 5.0.7804.1000 (unfortunately), there is no BUILD01 field in table A in your query in our database. Any workarounds?
Yes, edit the "Clients" query. Find this line:
where C.CollectionID = @CollectionID AND A.Status = 3 AND Severity >= 2 AND D.CI_ID in (@Updates)) OR A.Build01 like '%15063
and remove the "OR A.Build01 like '%15063" part.
Only issue with this is that "Windows 10 Creators Update" machines will show as "Not-Patched/Unknown".
Thanks! That worked. We don't have any Windows 10 machines to manage at the moment with SCCM :) Great report.
If a Windows 10 1607 device has KB4015217, wouldn't it be considered Patched? According to this report almost all of our Windows 10 devices are Not Patched/Unknown but they contain the April Cumulative Update. I tried to modify the code to mark those as Patched, but can't seem to get it working.
Hi
I've rewritten the report to use a Configuration Baseline. Using the SUP data didn't work well enough; as soon as an update was superseded it set the old one to "Not Required", causing the report to show wrong info.
New version uses a baseline, should be accurate.
I seem to be having a similar issue: April updates are struck out and reporting improper numbers because of it. I can't find that in the query?
Hi
I've rewritten the report to use a Configuration Baseline. Using the SUP data didn't work well enough; as soon as an update was superseded it set the old one to "Not Required", causing the report to show wrong info.
New version uses a baseline, should be accurate.
Also this tip from Reddit may solve the issue:
https://www.reddit.com/r/SCCM/comments/6bb81j/is_there_a_good_report_i_can_run_to_verify_all/dhmixt0/
Microsoft.Reporting.WinForms.MissingParameterException
The 'Updates' parameter is missing a value
Stack Trace:
at Microsoft.Reporting.WinForms.RSParams.ValidateReportInputsSatisfied()
at Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded(Boolean forceCredentialsShown, ReportParameterInfoCollection parameterInfos)
at Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded()
at Microsoft.Reporting.WinForms.ReportViewer.RenderReportWithNewParameters(Int32 pageNumber, PostRenderArgs postRenderArgs)
-------------------------------
Did you remember to change the datasource for the report?
SCCM 2012 R2
Maybe I'm missing something but what's the reasoning behind using a configuration item? Why not use custom reports with the data that is already in the database? The required and deployment data is available anyway...
Once an update is expired the computers no longer report it as "Installed" or "Required"; instead they are set as "Update not Required", making it impossible to distinguish between an update that is not required because it's expired and one that is not applicable to the system.
Another approach is to enable "HW Scan" to inventory the Win32_QuickFixEngineering class and use that.
Ok thanks for the explanation, I am gathering the Win32_QuickFixEngineering class so I'll use that.
Cannot import the baseline: "The CI contains missing or invalid CI reference" SCCM 2012 R2 SP1
Added a video on how to create it manually (above the SQL queries).
Baseline failing to import.
Configuration Baseline
Invalid reference in content
Configuration Item
The CI Contains a missing or invalid CI Reference
...looks like the baseline CAB files are really finicky. It was created on a CB1610 server and doesn't seem to work on older versions. Most likely because of the Supported OS list in the XML.
Added a short video on how to create it manually.
Works perfectly for me, thanks! How difficult is it to add the patches released for Server 2003 and XP? Is it just a matter of adding the KB numbers in the configuration baseline and rdl?
If they are normal KBs that register in Win32_QuickFixEngineering it should be straightforward to add them to the Configuration Item.
Run this PowerShell command on an XP/2003 machine that's patched:
Get-WmiObject -Query "select * from Win32_QuickFixEngineering"
If you see the KB in the result returned you're good to go, just add it to the Configuration Item.
Just tack on one or more " OR HotFixID = 'KBxxxxxx' " and it should work.
With the $queryresult = hotfix_a or hotfix_b or hotfix_c
and then the if ($queryresult) {Return $True } else { Return $False}
Will that give a correct result? If a machine has 1 out of 26 KBs it will result in $True and therefore compliant?
Yes, if the build number is 15063 (Creators Update or higher)
or if one of the patches in the list is installed, it returns true.
I get an error on machines, and when I look at the report after doing an evaluation it says Setting Discovery Error 0x87d00327 Script is not signed.
@ Kevin J - change your PowerShell policy to "Bypass" in the SCCM Client settings.
Does this require a restart after? Or can it be done transparently?
Don't think it requires a restart.
Bypassing PowerShell policy is a risk for your environment.
Best option is to sign the script (that's what we do), next best is to allow ConfigMgr to bypass the execution policy... last option is to set the execution policy to unrestricted. (Haven't tested if CIs work with the "remote signed" level.)
It looks like the logical statement is not working correctly... $os.BuildNumber -cge '15063'.
The build number on my machine appears to be a string instead of an integer. Example: my build number is 7601. In this case, '7601' -cge '15063' returns true.
I updated it to read... [convert]::ToInt32($os.BuildNumber, 10) -cge '15063'
Ahh, didn't catch that one. Thanks!
I'll update the compliance script.
Thanks for this but I'm getting the following error on some machines:
Setting Discovery Error 0x87d00321 The script execution has timed out. Any ideas what might have caused it? Thanks again.
Hi
If you go to the comment field of my WannaCry Followup post, there's an alternative script in the comment field by a "Jean-François Hensens". It should perform better on slower systems.
It's a direct replacement for mine, just replace the script in the CI with that one.
...while you're at it, double-check the KB list in the script. Microsoft has most likely replaced some of the patches in the list by now.
All my devices just say "Error" with no reason in the report. Where can I look for troubleshooting information please?
Did you find an answer to this? I have the same problem.
I am getting the same issue as well. Please let me know if you find the resolution.
I assume it needs to be modified somewhere for the new June Patch Tuesday, as some of my Win10 PCs are not compliant anymore...
Added KB4022727, KB4022714 and KB4022715 to the list (June updates).
Hello - can you please tell me where to look (log files?) for reason why "Error" might be all that shows up in my report? Thank you for the updated list!
Did you get any answers to your question? I'm having the same issue.
I think it is happening because the PowerShell script is not digitally signed. Check your dcmwmiprovider.log in the windows\ccm\logs folder.
I think so too. Am working on bypassing the signature requirement.
Hi Thomas,
Thanks for the article, really helpful.
Is there a way you can combine the two reports? Your baseline one is very good for flagging expired ones correctly as compliant (whereas the standard report incorrectly states compliant); however, it requires the machine to be online to run the PowerShell.
Therefore I have to combine it with the usual compliance report on the non expired updates to get a value closer to the real figure for the offline machines.
I also have one more perhaps simpler question you may be able to explain to me.
When I run your original SUP report it comes back with an unpatched figure that is higher than if I ran the compliance report directly against a superseded (but not expired) update; I am adding the unknown and required together from that compliance report and get a lower number than the SUP report.
Thanks
Hi Thomas,
One more question: do you have any reports that cover Office updates so I can add the KBs for the Petya patches? Win32_QuickFixEngineering only seems to cover OS patches.
Thanks
OK what did I do wrong lol....
I created the baseline CI by copy-pasting the script using the video walkthrough. I uploaded the report to SSRS and changed the data source; it said connected OK when tested.
But when I run the report it lists the 170 machines that make up the collection I pointed the baseline to, and all the data columns show data except the "WannaCry Patch Status" column says "error" in red on each row.
Actually 164 show error, 6 are still compliance state unknown.
To anyone getting error - set your SCCM agent settings to "Bypass" for PowerShell. Fixes it right up.
Getting this error when I run the report:
The 'Baseline' parameter is missing a value