After this week's WannaCrypt fiasco I found a couple of posted scripts for scanning a domain to check whether servers had the necessary patches installed to mitigate the vulnerability. After patching a couple of systems that the scripts said were vulnerable, I found that they kept reporting that the patches were missing. Upon reviewing Get-Hotfix and doing a stare-and-compare against what showed as installed under "View Update History", I noticed that there were missing KBs.

In the output from Get-Hotfix you can see there are only 6 KBs that start with KB40…

If I look at the Update History on the server, I see there are some missing ones:
After a bit of research I found this post on TechNet from Mervyn Zhang:

Windows Update and Office update are separated into two catalogs. Get-Hotfix, which leverages Win32_QuickFixEngineering, only lists Windows updates. Starting with Windows Vista, Win32_QuickFixEngineering returns only the updates supplied by Component Based Servicing (CBS). These updates are not listed in the registry. Updates supplied by Microsoft Windows Installer (MSI) or the Windows Update site (http://update.microsoft.com) are not returned by Win32_QuickFixEngineering. For your information: Understanding Component-Based Servicing http://blogs.technet.com/askperf/archive/2008/04/23/understanding-component-based-servicing.aspx
I then devised the following script, which searches the Windows Update Agent COM object for all KBs installed on a system, including rollups and CUs. To download the script, grab it from TechNet:
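As an added illustration of the approach (my own code, not the TechNet script the post links to), the function below walks the Windows Update Agent history through the Microsoft.Update.Session COM object, pulls the KB IDs out of each successfully installed entry, and compares the result with what Get-HotFix reports. The KB IDs passed at the end are placeholders, not identifiers from any advisory.

```powershell
function Get-InstalledKBFromWUA {
    # The WUA history records everything the agent installed, including
    # rollups and CUs that Win32_QuickFixEngineering (Get-HotFix) never lists.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    $results = foreach ($entry in $searcher.QueryHistory(0, $count)) {
        # Operation 1 = Installation; ResultCode 2 = Succeeded, 3 = SucceededWithErrors.
        if ($entry.Operation -ne 1 -or $entry.ResultCode -notin 2, 3) { continue }
        # Titles look like "2017-05 Security Monthly Quality Rollup ... (KB1234567)";
        # take every KB id that appears in the title.
        foreach ($m in [regex]::Matches($entry.Title, 'KB\d{6,7}')) {
            [pscustomobject]@{
                KB          = $m.Value
                Title       = $entry.Title
                InstalledOn = $entry.Date
            }
        }
    }
    $results | Sort-Object KB -Unique
}

function Test-KBInstalled {
    # Reports, for each KB asked about, whether Get-HotFix and/or the WUA
    # history shows it, so a scanner that only trusts Get-HotFix can be checked.
    param([Parameter(Mandatory)][string[]] $KB)
    $wua = (Get-InstalledKBFromWUA).KB
    $qfe = (Get-HotFix).HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{
            KB           = $id
            InGetHotFix  = $qfe -contains $id
            InWUAHistory = $wua -contains $id
        }
    }
}

# Placeholder KB IDs (constructed for this example); substitute the ones you need.
Test-KBInstalled -KB 'KB0000001', 'KB0000002' | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server being checked; a KB that shows False under InGetHotFix but True under InWUAHistory is exactly the case described above.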