Interest in software updates went from close to zero to a hundred over a weekend, and suddenly you have managers demanding status reports on how well their department is patched against WannaCry.
Normally when I create reports I use them myself for some time (sometimes months or years if I forget about them) to work out most of the bugs before I release them.
Since this was a time-sensitive issue, I published this report within hours of creating it. Fortunately it turned out to work fine, apart from some small issues with the Baseline CAB file not wanting to import on older systems.
On Monday I started to create a report to find out whether computers were patched or not.
First discovery was that MS17-010 was long gone and had been replaced by a bunch of new patches. (I think the list ended up containing 27 patches, not including Vista, 2003 and XP.)
I first tried to use the Software Update DB in ConfigMgr to find out whether computers were patched or not, but ran into problems with supersedence and expiring updates. Basically, when an update expires there is no way to tell whether a computer has installed it or not; they will report "Update not Required" regardless of whether they had it installed.
The report sort of worked if you didn't expire the update immediately when it was superseded, but I decided to use a Configuration Baseline instead and wrote a quick CI to check whether one of the patches was registered in win32_quickfixengineering or the build number was higher than 15063 (Creators Update).
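The CI described above, written out as a ConfigMgr discovery script. This is an added example, not the script from the post: it applies the same two checks (a qualifying KB present in Win32_QuickFixEngineering, or a Windows 10 build from 15063 upward), and returns a string the CI's compliance rule can compare against. The KB list is an assumption: it holds the original March 2017 MS17-010 KB numbers for the Windows 7, 8.1 and Server 2012 families, and has to be extended with every superseding rollup your report should accept (the post's final list had 27 entries). Treating build 15063 itself as patched is also an assumption, on the basis that 1703 shipped after the fix.

```powershell
# Added example, not the post's own script: ConfigMgr Configuration Item
# discovery script (setting type "Script", data type String). The CI rule is
# "value returned by the script equals Compliant".
# Written for PowerShell 2.0 so it also runs on a stock Windows 7 client.

# ASSUMPTION: original March 2017 MS17-010 KB numbers only. Extend this list
# with every superseding update you want to count as compliant, and verify
# each entry against the Microsoft Update Catalog before deploying the CI.
$RequiredKBs = @(
    'KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'    # Server 2012
)

# Windows 10 1703 (Creators Update) and later ship with the fix included
# (assumption: the post says "higher than 15063"; 15063 is included here).
$MinimumBuild = 15063

function Get-CurrentBuildNumber {
    # Read the registry rather than [Environment]::OSVersion, which reports
    # a wrong version to processes without a Windows 10 compatibility manifest.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [int](Get-ItemProperty -Path $key -Name CurrentBuildNumber).CurrentBuildNumber
}

function Get-InstalledHotFixIds {
    # Win32_QuickFixEngineering lists updates installed through CBS, which is
    # exactly what the post's CI checks (Get-HotFix wraps the same class).
    return @(Get-WmiObject -Class Win32_QuickFixEngineering |
             Select-Object -ExpandProperty HotFixID)
}

function Test-Ms17010Compliance {
    param(
        [Parameter(Mandatory=$true)] [int] $BuildNumber,
        [AllowEmptyCollection()] [string[]] $InstalledHotFixIds = @(),
        [string[]] $AcceptedKBs  = $RequiredKBs,
        [int]      $PatchedBuild = $MinimumBuild
    )
    # Check 1: OS build already contains the fix.
    if ($BuildNumber -ge $PatchedBuild) { return $true }
    # Check 2: one of the accepted KBs is registered as installed.
    foreach ($kb in $AcceptedKBs) {
        if ($InstalledHotFixIds -contains $kb) { return $true }
    }
    return $false
}

$patched = Test-Ms17010Compliance -BuildNumber (Get-CurrentBuildNumber) `
                                  -InstalledHotFixIds (Get-InstalledHotFixIds)
if ($patched) { 'Compliant' } else { 'NonCompliant' }
```

Because the script only ever emits "Compliant" or "NonCompliant", the baseline report stays readable even when a client runs an OS the KB list does not cover: such a machine shows as Non-Compliant and gets looked at, rather than silently reporting "Update not Required" the way an expired update does.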
I modified the report to check the Baseline instead of Software Update Compliance, and that seems to work perfectly.
Another good approach would have been to enable inventory of win32_quickfixengineering and use that.
I could also have included a CI for SMBv1 in the Baseline to verify that the machines have it disabled.
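An SMBv1 CI of the kind mentioned above, as an added example that is not part of the original post. It reports "Disabled" only when both the SMBv1 server and the SMBv1 client are turned off, so a compliance rule of "equals Disabled" catches machines that still speak the protocol WannaCry spreads over. The checks are the registry settings Microsoft documents for disabling SMBv1 on Windows 7 / Server 2008 R2 and later; the output strings and function names are my own.

```powershell
# Added example, not from the post: ConfigMgr CI discovery script for
# "SMBv1 disabled" (setting type "Script", data type String, rule:
# value returned equals "Disabled"). PowerShell 2.0 compatible.
#
# Server side: LanmanServer\Parameters\SMB1 = 0 turns the SMBv1 server off.
#              If the value is absent the protocol is on (the default).
# Client side: the mrxsmb10 driver service must be set to Disabled (Start=4)
#              and LanmanWorkstation must no longer list MRxSmb10 as a
#              dependency, otherwise the workstation service will not start.

function Get-Smb1ServerState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1) { return 'EnabledByDefault' }   # value never set
    if ($smb1 -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Get-Smb1ClientState {
    $drv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $start = (Get-ItemProperty -Path $drv -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'NotInstalled' }      # driver not present at all

    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $deps = @((Get-ItemProperty -Path $wks -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    $stillDependsOnSmb1 = $deps -contains 'MRxSmb10'

    if ($start -eq 4 -and -not $stillDependsOnSmb1) { return 'Disabled' }
    return 'Enabled'
}

function Get-Smb1ComplianceValue {
    param([string]$ServerState, [string]$ClientState)
    $serverOff = ($ServerState -eq 'Disabled')
    $clientOff = (@('Disabled', 'NotInstalled') -contains $ClientState)
    if ($serverOff -and $clientOff) { return 'Disabled' }
    # Non-compliant machines carry the detail in the value so the report
    # shows which half (server or client) is still enabled.
    return "Enabled (server=$ServerState, client=$ClientState)"
}

Get-Smb1ComplianceValue -ServerState (Get-Smb1ServerState) -ClientState (Get-Smb1ClientState)
```

On Windows 8.1 / Server 2012 R2 and later the same state is also visible through Get-SmbServerConfiguration (EnableSMB1Protocol) and the SMB1Protocol optional feature, but the registry checks above work across the whole estate, including the Windows 7 clients that make up most of the exposure. If you attach a remediation script that writes these values, remember that the client change only takes effect after a reboot, so a freshly remediated machine stays non-compliant until it has restarted.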
Since May 17 is a holiday in Norway, we still have quite a few machines that haven't been checked yet.
It has been running for a couple of days now and our compliance looks good.
We set 98% compliance as our working goal, and set the apprentices to monitor the report as the results came in. They checked the non-compliant machines against a list of the Software Update statuses (bottom query in my last post) to see what the hold-up was (reboot pending, install failures, etc.).
For machines that needed attention we created a ticket in our helpdesk.
At the time of writing, not one of our machines has been infected by WannaCry.
Considering that one of our sites contains 8000+ student and teacher laptops, that's amazing!
WannaCry Patch Compliance Report for one of our collections.
Here's how the report looks now. By default it's sorted with the machines in the "Non-Compliant" or "Error" state at the top.
I have updated the report with the new changes. (The latest version has version 0.4 in the bottom left corner.)