I was asked if there is an easy way to check the complete Active Directory for systems that miss the WannaCry related Hotfixes are installed.

Yep! And it’s even easy to do.

Based upon several requests, I also published a small tool that could do the Job. You will find the tool (freeware) on GitHub.

Here is a (updated!!!Gist I created to do the job:

This is script is based on an existing script that I use to and filter infos from the Active directory.
You might also want to review and/or tweak the filter option (Line 6974) and/or the Hotfix List (Line 4663). Normally the script returns a list of systems with systems that are not complaint. I changed this to a Warning (Write-Warning in Line 107105 and 111) for this use-Case!

I also added some examples to show the usage.

Even if all Hotfixes are applied, you should remove the SMBv1 functions whenever possible!

Please note:
If you change the script in any kind, the signature isn’t working and everything after line 112 should be removed.

Like Kaleb noted: The Script doesn’t work on all systems. The Application logic about the OS is missing. That was a quick hack and I will implement something soon. Something that uses a WMI call to get the OS information and then compare only the part of the Hotfix Array that applies.
The Script is now updated and it should fit.