How to Verify Systems Are Patched for WannaCrypt Using SCCM

Posted by | · · · | SCCM · Uncategorized | No Comments on How to Verify Systems Are Patched for WannaCrypt Using SCCM

patch-systems

 

 

Due to the emergence of the WannaCrypt ransomware last week, SCCM admins worldwide were tasked to discover how many of their organization’s devices were at risk for becoming infected. Unfortunately, many organizations were learning lessons about patching, staying up to date with security, and prevention the hard way.

 

Most had gone through this drill before, but this time there was a new wrinkle. Late last year, Microsoft announced that they would change the way they released and handled supersedence for security updates. In March 2017, this new model was officially cut-over and replaced the way that things had been done for years. This was also the month that Microsoft released updates that protected against the vulnerabilities used by WannaCrypt to infect new systems.

 

Due to the newness of the update process, determining if a system was properly patched for this specific vulnerability became more complicated than before.

 

In this blog post, I am going to provide you with two resources. First, I’ll explain the new update model. Second, I’ll share a SQL query that provides detailed per-system status of the update process via SCCM against a specific Microsoft Update.

 

Using these two tools, you should be able to answer the questions you are dealing with currently, as well as in the future.

Making Sense of the New Update Model

In the past, all updates followed the same rules for supersedence and application. This is no longer the case.

 

The new model is really a few different models, depending on what Operating System you are dealing with.

The “Simple Method”

Windows 10, Windows Server 2016 and future operating systems use what I like to call the “Simple Method”.
Whenever Microsoft releases new security updates, they come as part of a cumulative update package that includes all security updates that apply to the operating system since it’s initial release. As such, you only need to have the latest installed to be current. These usually come monthly, but could come more frequently.

 

These updates are named in a specific way, for example:

 

YYYY-MM Cumulative Update for Windows xx Version xxxx for xxx-based Systems (KBxxxxxx)
– or –
YYYY-MM Cumulative Update for Windows Server xxxx for xxx-based Systems (KBxxxxxx)

Note: The “YYYY-MM” prefix was added starting in May 2017.

The “Hybrid Method”

Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 use what I like to call the “Hybrid Method.” Just like the “Simple Method,” whenever Microsoft releases new security updates, they come as part of a cumulative update package that includes all security updates that apply to the operating system since it’s initial release. However, Microsoft will also release what they call a “Security Only Quality Update.” This is essentially just like the old method where the update contains only the new fixes, but not any of the old ones. Both of these also usually come monthly, but could come more frequently.

 

These are named in a specific way, for example:

 

Month, Year Security Only Quality Update for Windows xx for xxx-based Systems (KBxxxxxx)
– or –
Month, Year Security Only Quality Update for Windows Server xxxx for xxx-based Systems (KBxxxxxx)
– or –
Month, Year Security Only Quality Rollup for Windows xx for xxx-based Systems (KBxxxxxx)
– or –
Month, Year Security Only Quality Rollup for Windows Server xxxx for xxx-based Systems (KBxxxxxx)

Note: As of May 2017, the “Month, Year” prefix was replaced with the same “YYYY-MM” prefix used by the “Simple Method.”

The “Old Method”

Any updates released prior to October 2016, or new updates for older Operating Systems use the “Old Method.”
In this method, each update contains specific fixes and may or may not supersede older updates.

 

 

Most of these are named as follows:

 

Security Update for Windows xx (KBxxxxxxx)
– or –
Security Update for Windows Server xxxx (KBxxxxxx)
– or –
Security Update for Windows xx for xxx-based Systems (KBxxxxxxx)
– or –
Security Update for Windows Server xxxx for xxx-based Systems (KBxxxxxx)

What Update Do I Need to Patch WannaCrypt?

The fix for the WannaCrypt vulnerability was released as part of the March 2017 monthly patch cycle.

 

 

Windows 10 and Server 2016 need to have:

– the March 2017 Cumulative Update or a later one (currently April or May)

 

 

Windows Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 need either:

 

– the March 2017 Cumulative Update or a later one (currently April or May)
– OR –
– the March 2017 Security Only Quality Update
– OR –
– the March 2017 Security Only Quality Rollup

 

 

Details for the March 2017 Updates can be found at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

Microsoft issued special updates for Windows XP, Windows 8, and Windows Server 2003.   You can locate these updates if needed at https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

How Do I Find Out If My Devices Are Patched?

At the end of this blog post, I have provided the code for a sql query that can be run against your SCCM Site Database. It will return the following information:

Client Device Details

ResourceID: The SCCM ResourceID of the device

Name: The Machine Name of the device

ADSite: The Active Directory Site of the Device when it was last discovered.

Active: This will show “Active” or “Inactive” based on the time periods you have configured within SCCM to determine client active status.

Client: “Client” if it is an SCCM Client, “NonClient” if it is not.

ClientVersion: The version of the SCCM Client (if installed).

Decomissioned: “Yes” means the device has been deleted from a child primary site, but has not yet been purged from your CAS. (only if you are running the query from your CAS).

OU: The AD OU the device resides in.

Type: “Physical” or “Virtual” based on the detection added in SCCM 2012 R2.

Obsolete: “Yes” means that this is a duplicate client record that SCCM will eventually delete.

OS: The Operating System of the device.

SP: The Service Pack of the device.

PrimaryUserID: The userid of the user that SCCM has identified as the “Primary User”

PrimaryUserName: The username of the user that SCCM has identified as the “Primary User”

PrimaryUserEmail: The Email of the user that SCCM has identified as the “Primary User”

ComplianceStatus

Shows the current status of the device for the update that matches the ArticleID you queried against.

 

It will show only one of the following possible values:

Installed – Pending Reboot: Update is installed but client reboot is needed.

Installed: Installed, no reboot needed.

Not Required: The update is Not Applicable/Not Needed for this device.

Unknown – Non SCCM Client: The device has no compliance status and isn’t an SCCM client.

Unknown – Old Scan Data: The last Software Update Scan of the device used old WSUS metadata that did not contain information about this update.

Unknown – Offline: This device has not been active in SCCM since the update was released by Microsoft.

Unknown – Scan Error: The last Software Update Scan of this device failed.

Unknown: Unknown for undetermined reason.

Required – Waiting for maintenance window: The device is waiting for a maintenance window before applying the update.

Required – Failed to download updates: The devices experienced an error when downloading the files for this update.

Required – Waiting for content: The client cannot find content on a DP and is waiting until it is available.

Required – Offline Since Deployment: This device has not been online since the deployment of this update started.

Required – Not Targeted by Deployment: This device needs the update, but is not part of a deployment for the update.

Required – Error ##########: This client encountered an error during install. The error code is provided as part of the status.

Required – Waiting for Enforcement Date: The client is targeted by a deployment for the update that has not yet reached it’s enforcement date.

Required – Reboot Pending: A previous installation required a reboot that must be completed before the update can be installed.

Required – In Progress: Installation is in progress, currently no issue.

Required: Required with a status not listed above.

 

 

To use the query below, replace 4019111 with the ID Number of the Article you want to query clients against.

 

Please contact us and let us know if you encounter an issue with this query, or if this article/query was of benefit to you. Also, take note of The Three Biggest Lessons to be Learned From WannaCrypt, and join our webinar on June 6, 2017 at 10:00 AM central time to learn more about how Windows 10 drives business value through security and other means (click here to register).

 

Here is the query code:

About the author

Todd Linke

Senior Consultant, Model Technology Solutions

Todd became a professional “IT guy” 19 years ago, when he realized that playing with computers could become a real job. Since then he has gained a deep understanding of the inner workings of SCCM, PowerShell, SQL Reporting, Software Deployment, and is intimately familiar with the SCCM database. He is a firm believer in process automation combined with data warehousing. In short: he has become a data geek.


No Comments

Comments are closed.