Quickly Check Domain Computers (Servers) for MS17-010 Patches

This content 3 years old. Please, read this page keeping its age in mind along with the fact technology changes fast and the information on this page me be outdated, not best practice, or plain wrong.

I put this script together from a few different sources.  It basically enumerates Active Directory and checks any 2008+ server for existence of KB patch for MS17-010.

MS17-010 patches a critical vulnerability discovered in Microsoft Windows operating systems that involve SMB exploits from a ShadowBrokers NSA dump of leaked NSA hacking tools.  It’s been spreading from CPU miner payloads to Ransomware (WannaCry/WannaCry 2.0) etc.

import-module activedirectory

$ErrorActionPreference= 'silentlycontinue'

# *** SERVER VERSIONS ***
# Server 2016 / Win10 - NT 10
# Server 2012 R2 / Win8.1 - NT 6.3
# Server 2012 / WIn8 - NT 6.2
# Server 2008 R2 / Win7 - NT 6.1
# Server 2008 / WinVista - NT 6.0
# Server 2003 R2 / WinXP64 - NT 5.2
# Server 2003 - NT 5.2
# WinXP - NT 5.1

$computers = get-adcomputer -filter * -properties * | select-object name,operatingsystem

$computers | foreach {
 $hotfixes = @()
 $osdetect = $_.operatingsystem
 $computer = $_.name
 switch -wildcard($osdetect)
 {
 "*Server*2016*" { $hotfixes = @("KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB401663") }
 "*Server*2012*R2*" { $hotfixes = @("KB4012216", "KB4015550", "KB4019215") }
 "*Server*2012" { $hotfixes = @("KB4012217", "KB4015551", "KB4019216") } # A bit of a hack, not sure how this displays...
 "*Server*2008*" { $hotfixes = @("KB4012212") }
 default {$hotfixes = NULL } # Do nothing if it isn't a server and not 2008-2016.
 }
 if ($hotfixes.count -gt 0) {
 $hotfixes | foreach {
 write-host "Checking $computer ($osdetect)..."
 if (!(get-hotfix -id $_ -computername $computer)) {
 write-host $computer "Missing ($_)"
 }
 }
 } else {
 write-host "Skipping $computer ($osdetect)..."
 }
}

Speak Your Mind

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.