Notification

Icon
Error

Assets missing Quickfix data

Posted: Sunday, May 14, 2017 5:59:09 PM(UTC)
ARTP

ARTP

Member Original PosterPosts: 5
2
Like
This issue has been solved! Click here to view the solution
Hi,

Currently having issues with assets missing Quickfix data. I've built a report to ensure we have no machines in our estate missing KB4012212 due to the recent WCrypt craziness however it is full of false positives due to some assets having no Quickfix data.

Has anyone came across this before? I've had a look through the community and couldn't see anything similar. Any advice is greatly appreciated.

Examples:

Quickfix data missing:
Quickfix Data Missing

Quickfix data:
Quickfix data
maupaiva
#1maupaiva Member Posts: 2  
posted: 5/15/2017 3:12:09 AM(UTC)
I am looking for something similar too :p
Nick.VDB
#2Nick.VDB Member Lansweeper Developer Administration Posts: 251  
posted: 5/15/2017 9:01:36 AM(UTC)
The report below will give back the machines that do not have the hotfixes installed. We added some further KB's that have the fix for MS17-010. These hotfixes are scanned from the Win32_QuickFixEngineering WMI class. There is an interval of 7 days for scanning the Win32_QuickFixEngineering WMI class, this can be modified by going to Scanning\Scanned Item Interval and setting it to 0. You can then do a full rescan of your machines so that the quickfixengineering table is updated with any new updates. Once the rescans have been done you can then run this report. In the report it is also required that the assets be set to the 'Active' state. If

Recap:
  • Go to Scanning\Scanned Item Interval
  • Change the interval time for the 'QUICKIX' item to 0
  • Rescan all your assets to update the quickfixengineering tables with the new updates
  • Run the report

The hotfix must be found in Win32_QuickFixEngineering for Lansweeper to be able to scan it. The following command lists all the Hotfixes that are found in the Win32_QuickFixEngineering table.

wmic path Win32_QuickFixEngineering

Code:
Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Where
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598',
'KB4012214', 'KB4012606', 'KB4013198', 'KB4012212', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012216', 
'KB4015550', 'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474', 'KB4015219', 'KB4019473')) And tsysAssetTypes.AssetTypename
Like 'Windows%'
Order By tblAssets.Domain,
tblAssets.AssetName
ARTP
#3ARTP Member Original PosterPosts: 5  
posted: 5/15/2017 1:30:12 PM(UTC)
Originally Posted by: Nick.VDB Go to Quoted Post
The report below will give back the machines that do not have the hotfixes installed. We added some further KB's that have the fix for MS17-010. These hotfixes are scanned from the Win32_QuickFixEngineering WMI class. There is an interval of 7 days for scanning the Win32_QuickFixEngineering WMI class, this can be modified by going to Scanning\Scanned Item Interval and setting it to 0. You can then do a full rescan of your machines so that the quickfixengineering table is updated with any new updates. Once the rescans have been done you can then run this report. In the report it is also required that the assets be set to the 'Active' state. If

Recap:
  • Go to Scanning\Scanned Item Interval
  • Change the interval time for the 'QUICKIX' item to 0
  • Rescan all your assets to update the quickfixengineering tables with the new updates
  • Run the report

The hotfix must be found in Win32_QuickFixEngineering for Lansweeper to be able to scan it. The following command lists all the Hotfixes that are found in the Win32_QuickFixEngineering table.

wmic path Win32_QuickFixEngineering

Code:
Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Where
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598',
'KB4012214', 'KB4012606', 'KB4013198', 'KB4012212', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012216', 
'KB4015550', 'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474', 'KB4015219', 'KB4019473')) And tsysAssetTypes.AssetTypename
Like 'Windows%'
Order By tblAssets.Domain,
tblAssets.AssetName


No joy i'm afraid, changing it to 0 days does not add the data to any machines that were missing it;
UserPostedImage
heybobby1
#4heybobby1 Member Posts: 40  
posted: 5/15/2017 2:48:11 PM(UTC)
Originally Posted by: Nick.VDB Go to Quoted Post
The report below will give back the machines that do not have the hotfixes installed.


Thanks for the report. You're missing some KBs BTW. Here's the complete list:

('KB4012598', 'KB4012212', 'KB4012215', 'KB4015549', 'KB4019264', 'KB4012214', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012213', 'KB4012216', 'KB4015550', 'KB4019215', 'KB4012606', 'KB4015221', 'KB4019474', 'KB4013198', 'KB4015219', 'KB4019473', 'KB4015438', 'KB4015217', 'KB4019472'))

From Microsoft's "WannaCrypt Ransomware Customer Guidance" webcast earlier today: https://1drv.ms/b/s!AsSKRAC3eQiE16glLQ2KTGNFnpSNAA
Bruce.B
#5Bruce.B Member Administration Posts: 537  
posted: 5/15/2017 3:12:52 PM(UTC)
Thank you for providing the document, we've verified the KBs and added them to the main report.
shsheikh
#6shsheikh Member Posts: 5  
posted: 5/15/2017 3:35:01 PM(UTC)
I have a big chunk of Windows 10 machines reporting back vulnerable. This includes my own laptop, which definitely is fully patched (creators update). Anyone else having a similar problem?
ARTP
#7ARTP Member Original PosterPosts: 5  
posted: 5/15/2017 3:38:28 PM(UTC)
Originally Posted by: shsheikh Go to Quoted Post
I have a big chunk of Windows 10 machines reporting back vulnerable. This includes my own laptop, which definitely is fully patched (creators update). Anyone else having a similar problem?


Do the machines show any data in Config -> Windows -> Quickfix? This is the issue i'm having where the table is empty.
Bruce.B
#8Bruce.B Member Administration Posts: 537  
posted: 5/15/2017 3:38:34 PM(UTC)
I've updated all reports in this topic to match the latest report. For future reference, use this forum topic as it will contain the most recent version of the report as more information about KB numbers comes in.
ARTP
#9ARTP Member Original PosterPosts: 5  
posted: 5/15/2017 3:41:24 PM(UTC)
Originally Posted by: Bruce.B Go to Quoted Post
I've updated all reports in this topic to match the latest report. For future reference, use this forum topic as it will contain the most recent version of the report as more information about KB numbers comes in.


Why are you marking posts as solutions? I still have assets showing no quickfix data which is the problem.
shsheikh
#10shsheikh Member Posts: 5  
posted: 5/15/2017 3:54:19 PM(UTC)
Originally Posted by: ARTP Go to Quoted Post
Originally Posted by: shsheikh Go to Quoted Post
I have a big chunk of Windows 10 machines reporting back vulnerable. This includes my own laptop, which definitely is fully patched (creators update). Anyone else having a similar problem?


Do the machines show any data in Config -> Windows -> Quickfix? This is the issue i'm having where the table is empty.


Yes, machines do have the quickfix data scanned. Another thing to note is that, at least for us, Quickfix data is only collected every 7 days. I dropped it to 3 to help have the latest information.

For mine in particular, I only have three updates:

KB2693643 Update 4/6/2017
KB4016871 Security Update 5/9/2017 NT AUTHORITY\SYSTEM
KB4020821 Security Update 5/9/2017 NT AUTHORITY\SYSTEM

I am running the Windows 10 Creators Update which has the fix built-in.

JasonSimone
#11JasonSimone Member Posts: 3  
posted: 5/15/2017 4:35:37 PM(UTC)
I think our machines are also missing QuickFix data. In my case, I have run the wmic command provided and the information seems to be missing from the WMI database on the machines even though in some cases I know the patches are installed. Hundreds of machines are on the list which doesn't make much sense.

I am trying to determine why some large-scale number of patches would be missing from the WMI Win32_QuickFixEngineering table on so many machines.
shsheikh
#12shsheikh Member Posts: 5  
posted: 5/15/2017 4:49:24 PM(UTC)
Another change I had to make to the provided report was to only include active assets. That cut the results down by a little more than half.
JasonSimone
#13JasonSimone Member Posts: 3  
posted: 5/15/2017 4:58:31 PM(UTC)
Originally Posted by: shsheikh Go to Quoted Post
Another change I had to make to the provided report was to only include active assets. That cut the results down by a little more than half.


Very helpful, thanks! For those who need to know how to do it, replace the line: "Like 'Windows%'" with:

Code:
Like 'Windows%' And tblAssetCustom.State = 1
Bruce.B
#14Bruce.B Member Administration Posts: 537  
posted: 5/15/2017 6:43:58 PM(UTC)
We've intentionally included assets of all states (not only active) to avoid potentially omitting vulnerable computers. That said, we are constantly adjusting the report to be more accurate, though we are leaning on the safe side as we'd rather have false positives then to let a computer slip through the cracks. The current version of the report in this post excludes Windows 10 computers on the Creator Update as they're deemed safe.

Regarding the Config\Windows\Quickfix information being blank on certain computers, if you've recently rescanned the "Quickfix" item on the computer, for instance via the Rescan Asset button which overrides scanned item intervals, the data should reflect what is found on the local computer. If you run the command below in an elevated CMD on the local computer in question you can verify the data, as Lansweeper scans KB information from this WMI class (Win32_QuickFixEngineering)

Code:
wmic path Win32_QuickFixEngineering
SystemsIT
#15SystemsIT Member Posts: 18  
posted: 5/15/2017 7:20:15 PM(UTC)
I am having this same problem, it seems quickfix is not showing the installed updates?

Example server:
First seen: 08/02/2016 07:47:49
Last seen: 05/15/2017 12:23:35 (about 3 mins ago)

Quote:

wmic path Win32_QuickFixEngineering >lansweeperwmi.txt

http://support.microsoft.com/?kbid=3210132 N**-DISCOVERY Update KB3210132 NT AUTHORITY\SYSTEM 1/6/2017
http://support.microsoft.com/?kbid=3210135 N**-DISCOVERY Update KB3210135 NT AUTHORITY\SYSTEM 1/23/2017
http://support.microsoft.com/?kbid=4014551 N**-DISCOVERY Update KB4014551 NT AUTHORITY\SYSTEM 4/29/2017
http://support.microsoft.com/?kbid=4014567 N**-DISCOVERY Update KB4014567 NT AUTHORITY\SYSTEM 4/29/2017
http://support.microsoft.com/?kbid=4015553 N**-DISCOVERY Update KB4015553 NT AUTHORITY\SYSTEM 4/29/2017



But, according to Windows:
UserPostedImage

So something is not being properly scanned or located.
shsheikh
#16shsheikh Member Posts: 5  
posted: 5/15/2017 9:47:58 PM(UTC)
Originally Posted by: Bruce.B Go to Quoted Post
We've intentionally included assets of all states (not only active) to avoid potentially omitting vulnerable computers. That said, we are constantly adjusting the report to be more accurate, though we are leaning on the safe side as we'd rather have false positives then to let a computer slip through the cracks. The current version of the report in this post excludes Windows 10 computers on the Creator Update as they're deemed safe.

Regarding the Config\Windows\Quickfix information being blank on certain computers, if you've recently rescanned the "Quickfix" item on the computer, for instance via the Rescan Asset button which overrides scanned item intervals, the data should reflect what is found on the local computer. If you run the command below in an elevated CMD on the local computer in question you can verify the data, as Lansweeper scans KB information from this WMI class (Win32_QuickFixEngineering)

Code:
wmic path Win32_QuickFixEngineering


Thanks for the update! I appreciate you guys putting together the query as we've used it heavily to track progress in getting everything patched.

I understand the need for including non-active assets (everyone has different criteria, ours are 90 days with no contact or not in AD), but the immediate need for us is to get everything online patched. Once it is, we'll switch to non-active assets and see what needs to be handled.
SystemsIT
#17SystemsIT Member Posts: 18  
posted: 5/15/2017 10:17:08 PM(UTC)
If you want to see just active and seen in the last X days i added this:
Code:
 And
  tblAssets.Lastseen >= DateAdd(day, -30, GetDate()) And
  tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
ARTP
#18ARTP Member Original PosterPosts: 5  
posted: 5/15/2017 10:37:02 PM(UTC)
Originally Posted by: SystemsIT Go to Quoted Post
I am having this same problem, it seems quickfix is not showing the installed updates?

Example server:
First seen: 08/02/2016 07:47:49
Last seen: 05/15/2017 12:23:35 (about 3 mins ago)

Quote:

wmic path Win32_QuickFixEngineering >lansweeperwmi.txt

http://support.microsoft.com/?kbid=3210132 N**-DISCOVERY Update KB3210132 NT AUTHORITY\SYSTEM 1/6/2017
http://support.microsoft.com/?kbid=3210135 N**-DISCOVERY Update KB3210135 NT AUTHORITY\SYSTEM 1/23/2017
http://support.microsoft.com/?kbid=4014551 N**-DISCOVERY Update KB4014551 NT AUTHORITY\SYSTEM 4/29/2017
http://support.microsoft.com/?kbid=4014567 N**-DISCOVERY Update KB4014567 NT AUTHORITY\SYSTEM 4/29/2017
http://support.microsoft.com/?kbid=4015553 N**-DISCOVERY Update KB4015553 NT AUTHORITY\SYSTEM 4/29/2017



But, according to Windows:
UserPostedImage

So something is not being properly scanned or located.


Can confirm, this is the issue i'm having as well. I've checked wmic path Win32_QuickFixEngineering and have plenty of results however Lansweeper holds no Quickfix data for the same asset.

heybobby1
#19heybobby1 Member Posts: 40  
posted: 5/16/2017 10:13:32 AM(UTC)
You can put the WMIC query in an asset action too. Here's the code:

Code:
cmd.exe /K wmic /node:"{smartname}" qfe | findstr "KB4012598 KB4012212 KB4012215 KB4015549 KB4019264 KB4012214 KB4012217 KB4015551 KB4019216 KB4012213 KB4012216 KB4015550 KB4019215 KB4012606 KB4015221 KB4019474 KB4013198 KB4015219 KB4019473 KB4015438 KB4015217 KB4019472"


I find this useful for querying individual assets.
RickS
#20RickS Member Posts: 3  
posted: 5/16/2017 1:58:27 PM(UTC)
I may be missing something, but I had to use tblQuickFixEngineeringhist to get some of the patches that were installed back in March (when the initial one was released)....

Couldn't find any way to comment/reply on the initial posting, so doing so here.

Hope that helps.
poweld1
#21poweld1 Member Posts: 102  
posted: 5/22/2017 10:13:22 AM(UTC)
You need to run the System Update Readiness tool on PCs which don't have QuickFix data.

https://support.microsof...em-update-readiness-tool
SystemsIT
#22SystemsIT Member Posts: 18  
posted: 5/23/2017 3:41:33 AM(UTC)
Originally Posted by: poweld1 Go to Quoted Post
You need to run the System Update Readiness tool on PCs which don't have QuickFix data.

https://support.microsof...em-update-readiness-tool


But the updates did not fail to install and did in fact install with out prior errors?
Susan.A
#23Susan.A Member Administration Posts: 1,535  
posted: 5/24/2017 10:44:39 AM(UTC)
If you require further assistance with the WannaCry report or Windows updates not being scanned, please contact us via email at support@lansweeper.com and provide a description of the problem. It will be a lot easier to troubleshoot if everyone submits their own support ticket, so we can look at each individual case. The cause of the issue may not be the same for everyone.

I'm going to lock this topic for now, just because it's become too long and confusing to comment on. If you contact us via email, we would be happy to troubleshoot from there. If you mention this forum topic in your email, we'll also be happy to post the conclusion of our support conversation in this forum topic, once your ticket is resolved.

Active Discussions

Lansweeper Infopath installer help
by  Dave Ward   Go to last post Go to first unread
Last post: 11/12/2019 11:16:51 AM(UTC)
Lansweeper Remote Registry 2019
by  gareauk  
Go to last post Go to first unread
Last post: 10/24/2019 7:33:06 PM(UTC)
Lansweeper Deploy
by  CyberCitizen   Go to last post Go to first unread
Last post: 10/10/2019 2:31:27 AM(UTC)
Action Backup Computer with Disk2VHD to network share
by  pryan67  
Go to last post Go to first unread
Last post: 10/7/2019 3:36:05 PM(UTC)
Lansweeper Patton SN4970
by  Randomusername   Go to last post Go to first unread
Last post: 9/27/2019 6:33:45 PM(UTC)
Action Change Windows domain PC Name
by  max204  
Go to last post Go to first unread
Last post: 9/19/2019 10:28:29 AM(UTC)
Lansweeper Launch PowerShell remote PSSession
by  Ian   Go to last post Go to first unread
Last post: 9/9/2019 12:10:56 PM(UTC)
Action Remote print management
by  CyberCitizen  
Go to last post Go to first unread
Last post: 9/4/2019 3:53:00 AM(UTC)