Interest in Software Updates went from close to zero to a hundred over a weekend, and suddenly you have managers demanding status reports on how well their departments are patched against WannaCry.
Normally when I create reports I use them myself for some time (sometimes months, or years if I forget about it) to work out most of the bugs before I release them.
Since this was a time-sensitive issue, I published this report within hours of creating it. Fortunately it turned out to work fine, with only some small issues with the Baseline CAB file not wanting to import on older systems.
On Monday I started to create a report to find out whether computers were patched or not.
The first discovery was that "MS-17-010" was long gone and had been replaced by a bunch of new patches. (I think the list ended up containing 27 patches, not including Vista, 2003 and XP.)
I first tried to use the Software Update DB in ConfigMgr to find out whether computers were patched or not, but ran into problems with supersedence and updates expiring. Basically, when an update expires there is no way to tell whether a computer has installed it or not; it will report "Update not Required" regardless of whether it had the update installed.
The report sort of worked if you didn't expire the updates immediately when they are superseded, but I decided to use a Configuration Baseline and wrote a quick CI to check whether one of the patches was registered in win32_quickfixengineering or the build number was higher than 15063 (Creators Update).
I modified the report to check the Baseline instead of Software Update Compliance, and that seems to work perfectly.
Another good approach would have been to enable inventory of "win32_quickfixengineering" and use that.
I could also have included a CI for "SMBv1" in the Baseline to verify that the machines have it disabled.
Since May 17 is a holiday in Norway we still have quite a few machines that haven't been checked yet.
have been running for a couple of days now and our compliance looks good.
We set 98% compliance as our working goal, and set the apprentices to monitor the report as the results came in. They checked the non-compliant machines against a list with the Software Update statuses (bottom query in my last post) to see what the holdup was (Reboot Pending, Install Failures, ++).
For machines that needed attention we created a ticket in our helpdesk.
At the time I'm writing this, not one of our machines has been infected by WannaCry.
Considering that one of our sites contains 8000+ student and teacher laptops, that's amazing!
WannaCry Patch Compliance Report for one of our collections.
Here's how the report looks now. By default it's sorted with the machines in the "Non-Compliant" or "Error" state at the top.
I have updated the report with the new changes. (The last version has version 0.4 in the bottom left corner.)
For Server 2008 the patch KB4012598 is superseded by the patch KB4018466. After adding that, fully patched Server 2008 show as compliant again.
Hello, I managed to import the baseline and it is working, but I can't get the report to run. I get "The updates parameter is missing a value". Any advice? Thanks
Did you remember to change the datasource for the report?
Right-click the report --> Manage
Select "Data Sources" in the left menu.
Under "A shared data source" click Browse.
Navigate to your ConfigMGR_Sitecode folder; there you'll find a GUID-looking (XXXX-XXXXX--XXXXX....) datasource. Select that, click OK, click Apply and you're done.
Yes, changed the datasource but I still get this when I try to run the report:
"Microsoft.Reporting.WinForms.MissingParameterException
The 'Updates' parameter is missing a value
Stack Trace:
at Microsoft.Reporting.WinForms.RSParams.ValidateReportInputsSatisfied()
at Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded(Boolean forceCredentialsShown, ReportParameterInfoCollection parameterInfos)
at Microsoft.Reporting.WinForms.RSParams.EnsureParamsLoaded()
at Microsoft.Reporting.WinForms.ReportViewer.RenderReportWithNewParameters(Int32 pageNumber, PostRenderArgs postRenderArgs)"
I'm a beginner with sccm.
Hmm, do you have Software Update Point installed on your site?
No, I use WSUS on a different server.
https://drive.google.com/uc?export=download&id=0B3gSJUbrB2yjcUxNdGRKa0EwZkE
Special No SUP version :-)
Update Info is removed, only shows clients with compliance, should work.
Perfect! Many Thanks!
Works 100%, thank you so much. Can't wait for future reports from you.
Imported the report and assigned with Data source. After picking a collection, it throws:
The 'Baseline' parameter is missing a value
What might be wrong?
You need to import (or recreate, see my previous post) the baseline from the zip file and deploy it.
This comment has been removed by the author.
Hi Thomas, I have 300+ Windows 2003 machines and I can't run the baseline on them as there is no PowerShell installed on them. Can you get me a VBScript which can be used on the Windows 2003 collection?
Sorry, I am new to SCCM and came across this dashboard and really like what I see. I am trying to import the baseline, however I get errors: "Invalid Reference in Content" and "The CI contains a missing or Invalid CI reference".
How can I resolve this?
Ok, so I followed your previous post and manually configured the CI. The report is now working ... thanks!
I am finding a lot of errors though ... what does this mean?
First of all, many thanks to Thomas Larsen for sharing his baseline and report. It was really helpful.
Secondly, the baseline also returned a lot of errors on our computers during the CI evaluation. We found out that the most frequent error was "The script execution has timed out" (0x87D00321).
You probably know that the SCCM property "ScriptExecutionTimeout" has a default value of 60 seconds. So it appears that the script embedded in the baseline needs more than 60 seconds on some (slow) computers.
I've read somewhere that it's not advised to change this value. Instead, I've rewritten the CI script, in order to use the IUpdateSession interface as a substitute of the Win32_QuickFixEngineering query.
This comment has been removed by the author.
Jean, thanks for your update. I see that you have removed your comment regarding the update you made to the CI Script.
This comment has been removed by the author.
My bad, here's the working version:
$ArticleID = @(
    'KB4012212'
    'KB4012213'
    'KB4012214'
    'KB4012215'
    'KB4012216'
    'KB4012217'
    'KB4012598'
    'KB4012606'
    'KB4013198'
    'KB4013429'
    'KB4015217'
    'KB4015219'
    'KB4015221'
    'KB4015438'
    'KB4015549'
    'KB4015550'
    'KB4015551'
    'KB4015552'
    'KB4015553'
    'KB4016635'
    'KB4019215'
    'KB4019216'
    'KB4019264'
    'KB4019472'
    'KB4019473'
    'KB4019474'
)
[int]$BuildNumber = (Get-WmiObject -Class "Win32_OperatingSystem").BuildNumber
# Version 1703 (OS build 15063)
if ($BuildNumber -ge 15063)
{
    return $true
}
else
{
    try
    {
        # IUpdateSession interface
        # https://msdn.microsoft.com/en-us/library/aa386854(v=vs.85).aspx
        $UpdateSession = New-Object -ComObject "Microsoft.Update.Session"
        # IUpdateSession::CreateUpdateSearcher method
        # https://msdn.microsoft.com/en-us/library/aa386865(v=vs.85).aspx
        $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
        # IUpdateSearcher::GetTotalHistoryCount method
        # https://msdn.microsoft.com/en-us/library/aa386524(v=vs.85).aspx
        [System.Int64]$TotalHistoryCount = $UpdateSearcher.GetTotalHistoryCount()
        # IUpdateSearcher::QueryHistory method
        # https://msdn.microsoft.com/en-us/library/aa386532(v=vs.85).aspx
        $UpdateHistoryEntryCollection = $UpdateSearcher.QueryHistory(0, $TotalHistoryCount)
        # IUpdateHistoryEntryCollection interface
        # https://msdn.microsoft.com/en-us/library/aa386409(v=vs.85).aspx
        foreach ($UpdateHistoryEntry in $UpdateHistoryEntryCollection)
        {
            # IUpdateHistoryEntry interface
            # https://msdn.microsoft.com/en-us/library/aa386400(v=vs.85).aspx
            # UpdateOperation enumeration
            # https://msdn.microsoft.com/en-us/library/aa387282(v=vs.85).aspx
            # uoInstallation = 1
            # OperationResultCode enumeration
            # https://msdn.microsoft.com/en-us/library/aa387095(v=vs.85).aspx
            # orcSucceeded = 2
            if ($UpdateHistoryEntry.Operation -eq 1 -and $UpdateHistoryEntry.ResultCode -eq 2)
            {
                for ([int]$i = 0; $i -lt $ArticleID.Count; $i++)
                {
                    if ($UpdateHistoryEntry.Title -match $ArticleID[$i])
                    {
                        return $true
                    }
                }
            }
        }
    }
    catch
    {
        Write-Error $_
    }
}
Cool! Have to give this a try. Looks like you put some work into this.
One thing! Update the "if ($BuildNumber -ge 15063)" line to "if ([convert]::ToInt32($os.BuildNumber,10) -cge 15063)" (The -gte evaluated a string)
Haven't seen any performance issues with my baseline, have 5 errors in total, no timeouts. (Have two catastrophic failures, think the machines are exaggerating a bit :-) )
Didn't have many old machines at hand to test with, oldest machine I had was my old Surface Pro (1), it used 601ms to run the WMI query.
Maybe older operating systems use more time, but 60 sec should be plenty of time....
Other things that may cause errors are broken WMI, missing\old\broken PowerShell ++
Hello! We are still managing computers dating from 2009 *sigh* (and a few older...), so we sometimes have to tinker a bit... The WMI query you provided works like a charm on recent configurations, but takes way too much time to complete on older configurations. E.g., on a 2009 desktop, the script I wrote runs 4 seconds instead of the 120 seconds required by the initial CI script. So it appears that the WUA querying works a bit faster.
Maybe I've missed something, but I think my version of the BuildNumber test is correct (assuming you want to compare the numeric version). If not, could you explain why I am wrong? :)
[int]$BuildNumber = (Get-WmiObject -Class "Win32_OperatingSystem").BuildNumber
if ($BuildNumber -ge 15063) { ... }
...maybe "if ($BuildNumber -ge 15063)" works as expected, I see that you don't have the '' around 15063 so it may evaluate it as an integer.
It's because I've forced the $BuildNumber to be a System.Int32, by typing it as an [int]. So I'm allowed to compare the numeric version of the BuildVersion to 15063.
Caught my mistake 2 minutes too late, didn't see that you had cast it to INT a few lines above.
I made a mistake in an earlier version of the CI where it evaluated as string, causing false 'compliant' with Windows 10. Luckily WannaCry didn't spread to Windows 10, so it wasn't too big of an issue.
It's fixed now, so if EternalRocks is weaponized the report is ready :-) (might need to add a few more KBs to the list)
We did indeed deploy the faulty CI, and were a bit surprised about the results. Too good to be true, so we double checked. ;) Because "7601" -cge 15603, all our Windows 7 were then compliant... which was not always the case, unfortunately. I wonder why MS typed the Win32_OperatingSystem.BuildNumber property as "string"...
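The string-versus-integer comparison discussed in the comments above, combined with the "one listed KB or build 15063 and later" rule the post describes, as an added example (it is not the author's CI script and not the script posted in the comments). The function name `Test-Ms17010Compliance`, its parameters, the shortened KB list and the `KB0000001` sample hotfix are assumptions made for illustration.

```powershell
# Added example; function and parameter names are hypothetical.
function Test-Ms17010Compliance {
    param(
        [Parameter(Mandatory=$true)] [string] $BuildNumber,   # WMI hands this over as a string
        [Parameter(Mandatory=$true)] [AllowEmptyCollection()] [string[]] $InstalledKb,
        [Parameter(Mandatory=$true)] [string[]] $RequiredKb,
        [int] $FixedBuild = 15063                             # Version 1703 (OS build 15063)
    )
    # Convert explicitly; refuse anything that is not a number instead of guessing.
    $build = 0
    if (-not [int]::TryParse($BuildNumber, [ref]$build)) {
        throw "Unexpected BuildNumber value: '$BuildNumber'"
    }
    if ($build -ge $FixedBuild) { return $true }

    # One installed KB from the list is enough.
    foreach ($kb in $RequiredKb) {
        if ($InstalledKb -contains $kb) { return $true }
    }
    # Always emit a value so the CI rule has something to compare.
    return $false
}

# Shortened list: four of the KB numbers that appear on this page.
$kbs = 'KB4012212', 'KB4012215', 'KB4012598', 'KB4018466'

# The pitfall: with a string on the left, PowerShell converts 15063 to "15063"
# and compares text, so "7601" ranks above it because "7" sorts after "1".
$asString = '7601' -ge 15063
$asNumber = [int]'7601' -ge 15063
"string comparison: $asString / numeric comparison: $asNumber"

# Constructed inputs (KB0000001 is a made-up, unrelated hotfix ID):
# unpatched Windows 7, patched Windows 7, Windows 10 1703 with no listed KB.
Test-Ms17010Compliance -BuildNumber '7601'  -InstalledKb @('KB0000001') -RequiredKb $kbs
Test-Ms17010Compliance -BuildNumber '7601'  -InstalledKb @('KB4012215') -RequiredKb $kbs
Test-Ms17010Compliance -BuildNumber '15063' -InstalledKb @()            -RequiredKb $kbs

# On a real client the same function takes its input from WMI.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering |
         Where-Object { $_.HotFixID } | ForEach-Object { $_.HotFixID })
Test-Ms17010Compliance -BuildNumber $os.BuildNumber -InstalledKb $qfe -RequiredKb $kbs
```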
I have found that my SCCM server was not reporting correctly in the reports. When I had a look at the client and ran evaluation I received an error, and when looking at the report found this:
Error Type
Setting Discovery Error
Error Code
0x80070001
Error Description
Incorrect function
Error Source
Windows
Is there anything that I can look at to resolve this as this may resolve other issues. I have also set the Powershell Execution to Bypass not sure if this is causing issues.
Have you tried to run interactively the Discovery script on a client reporting the error ? Did PowerShell return an error ?
If I run the script in PowerShell it runs with no errors. I think I may have found the issue though ... the CI was set as VBScript by mistake ... will test and report back
Jean-Francois - I have a variety of machines which are getting the following error using your script. Most work, but some do not. They have different OSes too, so I cannot figure out any commonality.
A script execution error has occurred. The script has no output in stdout and an error message in stderr. ScriptProvider 7/13/2017 2:50:56 PM 2632 (0x0A48)
Any thoughts?