A short but sweet blog today, mindful that today most Australians will be coming back to work after the ‘WannaCrypt’ attack that was reported in the media on Friday.
I would like to just point out the work of Kieran Walsh – he’s done the ‘hard yards’ of extracting all of the Knowledge Base (KB) article numbers that you need to be searching for, to determine your patching status of Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). Microsoft’s detailed blog about the ‘WannaCrypt ransomware’ can be found here: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
If you don’t have an Enterprise patch deployment tool such as SCCM or WSUS (there are many many others), Kieran’s script executes a simple ‘Get-Hotfix’ PowerShell command remotely against a Windows Server or workstation, and uses all the computer objects in Active Directory as a reference. I personally haven’t run this yet, so please test this first against a test AD if you have one. The ‘Get-Hotfix’ command is relatively ‘benign’ so the risk is low.
Conversely, if you’re looking to run this on your local workstation, I’ve modified his script and made a simple ‘local’ check. Copy and paste this into a PowerShell window with ‘administrator’ permissions:
#— Script start
$hotfix = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property “HotFixID”
if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}) {write-host “Found hotfix” $_.HotfixID
write-host “Didn’t find hotfix”
** Update @ 5pm – The MS blog about the ransomware attack itself specifically states Windows 10 machines are not impacted even though there are patches for the security bulletin that apply to Windows 10. Ignore Windows 10 devices in your report unless there’s updated information from Microsoft.
** Update @ 8pm: Kieran has updated his script to exclude Windows 10 computer objects from the AD query.
** Update @ 9:30 am 16/05: Updated list of KBs from Kieran’s script (who has been sourcing the latest KB list from the community)
** Updated @ 2pm 17/05: Updated list of KBs (including Windows 10 updates) from the comments area from Kieran’s script (user: d83194). For future updates, I’d suggest reviewing Kieran’s comments for the latest KB articles. I’ll let you make the decision about whether to keep the Windows 10 filter (-notlike ‘Windows 10‘) in Kieran’s script. Maybe produce two reports (with Windows 10/without Windows 10).
Can confirm the Get-hotfix script works perfectly.
Thanks Marc, glad it works for you.
Hi, what it needs to run? Most machines got status unable to connect, some got cannot check hotfix, less got its status correctly reported. I checked on 2 of good working that it got psremoting on, but test-winrm got errors (its strange that it reports status well and i cannot connect with test-rm). Thanks for the information.
Hi Mr K, ‘Get-Hotfix’ doesn’t require PowerShell remoting (see: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/get-hotfix)
“This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of this cmdlet even if your computer is not configured to run remote commands.”
In terms of permissions for Kieran’s script, I’d recommend try using an AD account that has administrator permissions to all your workstations/servers you’re executing his script against. It might work with a lower privileged account, but it’s not documented and I haven’t tested it using anything but a Domain Admin. Good luck.