I put this script together from a few different sources. It basically enumerates Active Directory and checks any 2008+ server for existence of KB patch for MS17-010.
MS17-010 patches a critical vulnerability discovered in Microsoft Windows operating systems that involve SMB exploits from a ShadowBrokers NSA dump of leaked NSA hacking tools. It’s been spreading from CPU miner payloads to Ransomware (WannaCry/WannaCry 2.0) etc.
import-module activedirectory
$ErrorActionPreference= 'silentlycontinue'
# *** SERVER VERSIONS ***
# Server 2016 / Win10 - NT 10
# Server 2012 R2 / Win8.1 - NT 6.3
# Server 2012 / WIn8 - NT 6.2
# Server 2008 R2 / Win7 - NT 6.1
# Server 2008 / WinVista - NT 6.0
# Server 2003 R2 / WinXP64 - NT 5.2
# Server 2003 - NT 5.2
# WinXP - NT 5.1
$computers = get-adcomputer -filter * -properties * | select-object name,operatingsystem
$computers | foreach {
$hotfixes = @()
$osdetect = $_.operatingsystem
$computer = $_.name
switch -wildcard($osdetect)
{
"*Server*2016*" { $hotfixes = @("KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB401663") }
"*Server*2012*R2*" { $hotfixes = @("KB4012216", "KB4015550", "KB4019215") }
"*Server*2012" { $hotfixes = @("KB4012217", "KB4015551", "KB4019216") } # A bit of a hack, not sure how this displays...
"*Server*2008*" { $hotfixes = @("KB4012212") }
default {$hotfixes = NULL } # Do nothing if it isn't a server and not 2008-2016.
}
if ($hotfixes.count -gt 0) {
$hotfixes | foreach {
write-host "Checking $computer ($osdetect)..."
if (!(get-hotfix -id $_ -computername $computer)) {
write-host $computer "Missing ($_)"
}
}
} else {
write-host "Skipping $computer ($osdetect)..."
}
}
