
Check if all WannaCry related Hotfixes are installed


I was asked if there is an easy way to check the complete Active Directory for systems that are missing the WannaCry related Hotfixes.

Yep! And it’s even easy to do.

Update:
Based upon several requests, I also published a small tool that could do the Job. You will find the tool (freeware) on GitHub.

Here is an (updated!) Gist I created to do the job:

#requires -Version 3.0 -Modules ActiveDirectory
# Note: "#requires -Modules" is only understood by PowerShell 3.0 and later, so requiring 2.0 together with it does not work

<#
		.SYNOPSIS
		Check if all systems have the WannaCry related Hotfixes installed
	
		.DESCRIPTION
		Check if all systems have the WannaCry related Hotfixes installed.
		Checks given Computers, or all server systems found in the Active Directory (default)
	
		.PARAMETER ComputerList
		Name, or list of computers to check
	
		.EXAMPLE
		# Check if WindowsServer1 has all WannaCry related hotfixes installed
		PS C:\> .\who_needs_wannacry_patches.ps1 -ComputerList 'WindowsServer1'

		.EXAMPLE
		# Check if WindowsServer1 and WinDC01 have all WannaCry related hotfixes installed
		# In this example the Server WinDC01 is unreachable.
		PS C:\> .\who_needs_wannacry_patches.ps1 -ComputerList 'WindowsServer1','WinDC01'

		WARNING: WinDC01 is offline or unreachable.

		.EXAMPLE
		# Check all systems found in the Active Directory have all WannaCry related hotfixes installed
		# In this example the System ZRHW10VM01 is missing some of the WannaCry hotfixes
		PS C:\> .\who_needs_wannacry_patches.ps1

		WARNING: ZRHW10VM01 is missing WannaCry hotfix
	
		.NOTES
		Advice:
		You need to review and tweak the Filter in Line 76
		Please note, that the WannaCry problem doesn't apply to Windows 10 (Just in case you change the filter to clients)

		History:
		2017-05-15 - Add the following KB4015549, KB4015552, KB4015553, and KB4019264
		2017-05-15 - Another tweak to the Filter (Line 76) to avoid Windows 10 but covers all other Windows OSes
		2017-05-15 - The newer version contains a fixed KB List / Removed the Signature
		2017-05-12 - Initial Version WannaCry

		License:
		Public Domain

		General:
		The code is provided 'as is,' with all possible faults, defects or errors, and without warranty of any kind.

		.LINK
		https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
		https://hochwald.net/check-wannacry-related-hotfixes-installed/
#>
param
(
	[Parameter(ValueFromPipeline = $true,
			ValueFromPipelineByPropertyName = $true,
	Position = 1)]
	[string[]]
	$ComputerList
)

begin {
	# List of fixes we search for, in this case all fixes related to WannaCry
	# Source List: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and feedback
	$hotfixes = 'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216', 'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429', 'KB4015217', 'KB4015438', 'KB4015549', 'KB4015550', 'KB4015551', 'KB4015552', 'KB4015553', 'KB4016635', 'KB4019215', 'KB4019216', 'KB4019264', 'KB4019472'
}

process {

	if (-not ($ComputerList))
	{
		try 
		{
			# Filter for all Windows systems, ignore our Macs and Windows 10
			# -ErrorAction Stop turns a failed query into a terminating error, otherwise the catch block below never runs
			$ComputerList = Get-ADComputer -Filter {
				(OperatingSystem  -Like 'Windows*') -and (OperatingSystem -notlike '*Windows 10*')
			} -ErrorAction Stop | Select-Object -ExpandProperty 'Name'
		}
		catch 
		{
			Write-Error -Message 'Unable to get the List of computers from the Active Directory' -ErrorAction Stop
		}
	}

	# Loop over the List of computers
	foreach($computer in $ComputerList) 
	{
		if(-not(Test-Connection -ComputerName $computer -Count 1 -Quiet)) 
		{
			Write-Verbose "$computer is possibly offline or unreachable (Try anyway)."
		}

		try 
		{
			# -ErrorAction Stop is needed here as well, a failed remote query is otherwise non-terminating and skips the catch block
			$hotfix = Get-HotFix -ComputerName $computer -ErrorAction Stop | 
			Where-Object -FilterScript {
				$hotfixes -contains $_.HotfixID
			} | 
			Select-Object -ExpandProperty 'HotFixID'

			# Note: a system passes as soon as at least one KB from the list is found.
			# Whether the KBs that apply to its OS version are installed is not checked (see the update note below the script).
			if($hotfix) 
			{
				Write-Verbose -Message "$computer has hotfix $hotfix installed"
			}
			else 
			{
				Write-Warning -Message "$computer is missing WannaCry hotfix"
				continue
			}
		}
		catch 
		{
			Write-Warning -Message "Unable to get Hotfix Info from $computer"
			continue
		}
	}
}

<#
		I removed the signature to make it easier for others to adopt it (e.g. Tweak or changes)
		If you need a signed version, just drop me a line and I can sign one for you.

		NOTE: If you change something, upload it as Gist to GitHub and send me the link.

		And yes, I'll sign the script for free! Why not? (Before you ask!)
#>

This script is based on an existing script that I use to filter information from the Active Directory.
You might also want to review and/or tweak the filter option (Line 74, previously 69) and/or the Hotfix List (Line 63, previously 46). Normally the script returns a list of the systems that are not compliant. I changed this to a warning (Write-Warning in Lines 105 and 111, previously 107) for this use case!

I also added some examples to show the usage.

Even if all Hotfixes are applied, you should remove the SMBv1 functions whenever possible!
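As an added example (not code from the post or the author's Gist), here is one way to audit the SMBv1 server component on remote hosts from the same elevated session, and optionally switch it off. It uses Invoke-Command, so PowerShell Remoting (WinRM) must be enabled on the targets and the caller needs local admin rights there; the function name Get-Smb1ServerState and the object layout are my own choices.

```powershell
# Added example, not part of the original script.
function Get-Smb1ServerState
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]
        $ComputerName,

        # Without -Disable this is a read-only audit
        [switch]
        $Disable
    )

    process
    {
        foreach ($computer in $ComputerName)
        {
            try
            {
                Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $Disable.IsPresent -ScriptBlock {
                    param([bool] $disable)

                    # The SMB1 value under LanmanServer\Parameters controls the SMBv1 server.
                    # When the value is absent the OS default applies, which is "enabled" on the
                    # 2008 R2 / 2012 / 2012 R2 generation.
                    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                    $value = (Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
                    $enabled = ($null -eq $value) -or ($value -ne 0)
                    $changed = $false

                    if ($disable -and $enabled)
                    {
                        if (Get-Command -Name 'Set-SmbServerConfiguration' -ErrorAction SilentlyContinue)
                        {
                            # Windows 8 / Server 2012 and later
                            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
                        }
                        else
                        {
                            # Windows 7 / Server 2008 R2: registry only, effective after a restart
                            Set-ItemProperty -Path $key -Name 'SMB1' -Type DWord -Value 0
                        }
                        $enabled = $false
                        $changed = $true
                    }

                    [PSCustomObject]@{
                        ComputerName = $env:COMPUTERNAME
                        Smb1Enabled  = $enabled
                        Changed      = $changed
                    }
                }
            }
            catch
            {
                # Unreachable or remoting disabled: report it instead of aborting the run
                [PSCustomObject]@{
                    ComputerName = $computer
                    Smb1Enabled  = $null
                    Changed      = $false
                }
            }
        }
    }
}

# Usage (read-only audit over the AD server filter; add -Disable to remediate):
# Get-ADComputer -Filter { OperatingSystem -Like 'Windows*Server*' } |
#     Select-Object -ExpandProperty Name | Get-Smb1ServerState | Format-Table -AutoSize
```

This only covers the server side of SMBv1 (the part WannaCry's spreading relies on); the SMBv1 client component (the mrxsmb10 driver) and, on Windows 8.1 and later, the SMB1Protocol Windows feature are separate switches that you would audit and remove in the same way.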

Please note:
If you change the script in any way, the signature is no longer valid and everything after line 112 should be removed.

Update:
As Kaleb noted, the script doesn't work correctly on all systems: the logic that takes the OS into account is missing. That was a quick hack and I will implement something soon, something that uses a WMI call to get the OS information and then compares only the part of the Hotfix array that applies.
The script is now updated and it should fit.

Published in HowTo, PowerShell

20 Comments

  1. Kaleb

    Hey There,

    Thank you for the script! I am running it right now in my env so I can make sure I get everything patched today.

    I am curious though; so far I see most of my devices are showing either as offline, or missing a WannaCry hotfix.. 0 devices say that they are patched (my WSUS disagrees). Would this script need more logic that limits the search of KB #’s based on OS? Because each OS should be missing at least 1+ KB as I understand it.

    Let me know what you think or what I am missing :).

    Regards!

    • Agreed! The script is a Quick hack 🙂

      Most Windows 10 System report some Patches as missing. I still have to investigate what kind of Patches (based on the KB Number) needs to be installed on what OS.
      My biggest problem: Time!
      And the next challenge would be the testing. I just have a few windows 10 systems and a lot of Windows Server 2016 systems.

      At the moment the script checks for all(!) KB numbers.

      As a workaround: Filter the OS (based on the example in Line 63) and remove all Hotfixes that the system(s) doesn’t need.

    • P.S.: Offline could mean, that the connection doesn’t work as expected. One of my Hyper-V Nodes seems to be down all the time (and it is not!). Sometimes the “Test-Connection” seems to mark it as down. Even if the system is up and Remote PowerShell is working.

      My Problem: If you remove that (the Test-Connection check), the scripts waits very long if a system is down. And if you check a large number of Clients, that is not unusual.

    • The List is updated. Let me know if this solves the problem.
      If not, please let me know what kind of Operating System still has an error.

      • Kaleb

        I will try the script using the changes mentioned above. Here is a quick list based on OS if you have time to add the logic.

        Windows Vista
        -4012598

        Server 2008
        -4012598

        Server 2008 R2
        -4012212
        -4012215

        Server 2012
        -4012214
        -4012217

        Server 2012 R2
        -4012213
        -4012216

        Windows 7
        -4012212
        -4012215

        Windows 8.1
        -4012213
        -4012216

        Windows RT 8.1
        -4012216

        Thanks Joerg!

        • First of all: Sorry, the System filtered your comment.
          Thanks for the List!!!

          The script is updated (based on the Microsoft Technet Entry).

          Maybe there will be an update that contains a bit more logic: A check what Operating System Version is in use and then check for the correct KBs.
          At the Moment a Windows 8.1 that just has the KB4012213 fix installed could pass. That is not perfect, I know! Same applies to all OS versions that need more than one Fix.
          But that was a quick hack, based on an existing script. And there was a lot of pressure to publish something.

          My biggest issue: I don’t have the systems to check all that. I’m one of the lucky guys with Windows 10 and Windows Server 2016 only.
          I need to install a few test systems and try to get all infos from the Active Directory (That should do the job). That would avoid any creepy WMI usage 🙂

  2. IT Manager

    The script would not work unless you put in a computername so Option 3 does not work – Check all of AD.

    As well, I ran this and specified a ComputerName and it came back “Server is missing WannaCry Hotfix”

    My Windows Update reports “No updates” and is Green. This fix was supposed to be in the March rollup?

    • Please note my comment above: Not every KB is applicable to all OS versions.
      I will publish an updated version soon.

      • IT Manager

        Thanks – just wanted to give feedback as this will be a useful script. We are primarily Win2008R2 and 2012

        • Just updated the script!
          Please check this version. Should find all Servers, if not try a bit with the following Filter:
          Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows*Server*’ }
          And let me know.

          The List of Hotfixes is also updated!

    • Forgot to mention: Please see and adjust the filter in the script.
      We have a lot of non Windows Domain joined systems (mostly Mac) and so I applied a filter.
      Just run the command in a regular Powershell session and you will see the return. Tweak it until you get the result you expect.

  3. Rico Dittmer

    How do we port the results to a text file?

    • Hi Rico,

      that depends on your requirements!

      What you might want to try (quick and easy way to do it):

      # Create a File (SampleReport.txt in this example)
      # Replace the following line (103):
      Write-Verbose -Message "$computer has hotfix $hotfix installed"
      
      # With this:
      Add-Content -Path 'c:\SampleReport.txt' -Value "$computer has hotfix $hotfix installed" -Force -Encoding 'UTF8'
      
      # And now search for (Line 107):
      Write-Warning -Message "$computer is missing WannaCry hotfix"
      
      # Replace it with this:
      Add-Content -Path 'c:\SampleReport.txt' -Value "$computer is missing WannaCry hotfix" -Force -Encoding 'UTF8'
      # You might also want to remove the "Continue" in the next line
      
      # To get a better reporting: Replace the following Line (113):
      Write-Warning -Message "Unable to get Hotfix Info from $computer"
      
      # With this:
      Add-Content -Path 'c:\SampleReport.txt' -Value "Unable to get Hotfix Info from $computer" -Force -Encoding 'UTF8'
      # You might also want to remove the "Continue" in the next line

      The code above is untested, but it should work.

      Cheers
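Here is an added example (my code, not the script from the post) that picks up two points from this thread: the per-OS KB list Kaleb posted above, and Rico's question about getting the results into a file. Instead of Write-Warning text it returns one object per computer, so the run can be piped to Export-Csv. Assumptions, labelled as such: any one KB from the group that applies to the OS counts as patched (the later cumulative rollups contain the MS17-010 fix, so a host that went straight to a later rollup never lists the March KB), and the assignment of the April/May rollups from the script's list (KB4015549, KB4015550, KB4015551, KB4019215, KB4019216, KB4019264) to OS families is from my memory of the 2017 release notes and should be checked against the bulletin linked in the script. The function names Get-RequiredKB and Test-WannaCryPatch are my own. The reachability check uses the .NET Ping class with a real timeout, which is the usual way around the Test-Connection stall mentioned in the comments above.

```powershell
#requires -Version 3.0 -Modules ActiveDirectory
# Added example, not the post's script. OS-aware WannaCry hotfix check with object output.

function Get-RequiredKB
{
    param([string] $OperatingSystem)

    # Map the OS caption (AD attribute or WMI) to the KBs that carry the fix for that family.
    # Order matters: the 'R2' editions must be tested before their non-R2 siblings.
    # ASSUMPTION: April/May rollup assignment is from memory, verify against MS17-010.
    $table = @(
        @{ Pattern = 'Windows RT 8\.1';                     KB = 'KB4012216' }
        @{ Pattern = 'Windows Server 2012 R2|Windows 8\.1'; KB = 'KB4012213', 'KB4012216', 'KB4015550', 'KB4019215' }
        @{ Pattern = 'Windows Server 2012';                 KB = 'KB4012214', 'KB4012217', 'KB4015551', 'KB4019216' }
        @{ Pattern = 'Windows Server 2008 R2|Windows 7';    KB = 'KB4012212', 'KB4012215', 'KB4015549', 'KB4019264' }
        @{ Pattern = 'Windows Server 2008|Windows Vista';   KB = 'KB4012598' }
    )
    foreach ($row in $table)
    {
        if ($OperatingSystem -match $row.Pattern) { return $row.KB }
    }
    return $null   # Windows 10 / Server 2016 are deliberately not mapped here
}

function Test-WannaCryPatch
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [string] $OperatingSystem,   # pass the AD attribute to avoid the WMI round trip
        [int]    $PingTimeoutMs = 1000,
        [switch] $TryUnreachable     # query anyway, for hosts the ping wrongly reports as down
    )

    # Bounded-timeout reachability check; Windows PowerShell's Test-Connection has no
    # timeout switch, which is why a down host stalls the original script.
    $ping = New-Object -TypeName System.Net.NetworkInformation.Ping
    try     { $reachable = ($ping.Send($ComputerName, $PingTimeoutMs).Status -eq 'Success') }
    catch   { $reachable = $false }
    finally { $ping.Dispose() }

    if (-not $OperatingSystem -and ($reachable -or $TryUnreachable))
    {
        try   { $OperatingSystem = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop).Caption }
        catch { $OperatingSystem = '' }
    }
    $required = Get-RequiredKB -OperatingSystem $OperatingSystem

    $result = [PSCustomObject]@{
        ComputerName    = $ComputerName
        OperatingSystem = $OperatingSystem
        Reachable       = $reachable
        RequiredKB      = ($required -join ' ')
        InstalledKB     = ''
        Status          = 'Unreachable'
    }
    if (-not ($reachable -or $TryUnreachable)) { return $result }
    if (-not $required) { $result.Status = 'NoMapping'; return $result }

    try
    {
        # Only the KBs that apply to this OS are compared, not the whole list
        $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Where-Object -FilterScript { $required -contains $_.HotFixID } |
            Select-Object -ExpandProperty HotFixID
        $result.InstalledKB = ($installed -join ' ')
        if ($installed) { $result.Status = 'Patched' } else { $result.Status = 'Missing' }
    }
    catch
    {
        $result.Status = 'QueryFailed'
    }
    return $result
}

# Usage: take the OS from AD (same filter as the script) and write a CSV report.
Get-ADComputer -Filter { (OperatingSystem -Like 'Windows*') -and (OperatingSystem -notlike '*Windows 10*') } -Properties OperatingSystem |
    ForEach-Object { Test-WannaCryPatch -ComputerName $_.Name -OperatingSystem $_.OperatingSystem } |
    Export-Csv -Path 'C:\WannaCryReport.csv' -NoTypeInformation -Encoding UTF8
```

Returning objects rather than text is what makes the reporting question go away: the same pipeline can end in Export-Csv, Out-File, or a Where-Object { $_.Status -ne 'Patched' } to list only the hosts that need attention. A 'NoMapping' status is a prompt to extend the table, not a pass.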

  4. Idahoser

    I am not a programmer and would not know how to put this to use. You will be receiving visits like me because you are being linked to as a way to perform this check from KnowBe4, perhaps others.

    So yes I’m a dummy, just ignore me if this is not something I should attempt;
    but if this is a thing I could do to check my network, can you point me to a tutorial please?

    Sorry to bother you

    • Hey there,

      You don’t need to be a programmer 🙂

      Just do the following:
      Download the File above (From the Link to the GIST) and save it as: who_needs_wannacry_patches.ps1

      Now open a Elevated Powershell (Run as Admin) and change to the directory where you stored the file. Then execute the following (As described in the examples above):
      .\who_needs_wannacry_patches.ps1 -ComputerList HOSTNAME

      That will check the System with the Name HOSTNAME.

      If you get an error, then you might need to execute this first: Set-ExecutionPolicy Unrestricted
      This allows the Script to run (I removed the Signature).

      And please note: On the target (If you check via your LAN) you need to enable Remote Administration for the Node that you use to run this script! (Minimum ‘Windows Remote Management’)

      Cheers
      Josh

      P.S.: Do not hesitate and ask if something went wrong! I can’t guarantee anything, but I will respond as soon as possible (as you might see now).

      • Idahoser

        For this and all the following advice-
        THANK YOU!

    • Forgot to mention: If you have a system where RSAT (Remote Server Administration Tools) is installed, you can just execute the following in an Elevated PowerShell:
      .\who_needs_wannacry_patches.ps1

      This will get all Windows Systems (just the Windows 10 Boxes are filtered, because the Hotfixes don’t apply to them) from your Active Directory and then tries to scan all.
      You need to do that with the right permissions, the user needs to have access to the Active Directory and to the remote systems as well.

      The first line of my script has a requirement: If it throws an error that the Active Directory Module is missing, you automatically know, that the RSAT is missing. You can easily install the RSAT via the Server Manager. If you execute it via an Windows Workstation, just Google for “Windows RSAT”, you will find the download within a few seconds.

      Please keep in mind, that the permission needs to fit and that all systems that you would like to scan needs to allow this (See my other Comment). This is by design (Microsoft).

    • Hey Idahoser,

      please check this: There is a tool for that!
      This might be an option for you 😉

      Cheers
      Josh

  5. halfluke

    I’m wondering why the script has stopped working in the last week or so… It seemed to work fine in my previous tests! Recently checked on 3 servers. It stopped recognizing any kb correctly installed on the server itself:
    WARNING: **** is missing WannaCry hotfix

    But more than one hotfixes is definitely there:
    example of successful installation:
    April, 2017 Security Monthly Quality Rollup for Windows Server 2012 (KB4015551)

    Installation date: 4/30/2017 8:06 PM

    Installation status: Succeeded

    Update type: Important

    A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

    More information:
    http://support.microsoft.com/kb/4015551

    Help and Support:
    http://support.microsoft.com


Copyright © 2018 by Joerg Hochwald. All rights reserved.