Notification

Icon
Error

Microsoft Patch Tuesday Report - May 2019

Posted: Wednesday, May 15, 2019 9:01:40 AM(UTC)
Esben.D

Esben.D

Member Administration Original PosterPosts: 1,966
9
Like
This month's patch Tueday brings a lot of fixes, in paticular for security. Updates for both Windows and Intel CPU vulnerabilities are included. You can find more details in our blog post.

As an exception, this month's report will also include Windows Server 2003 and Windows XP machines since Microsoft released a new update for those systems related to the RDS vulnerability (CVE-2019-0708).

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblState.Statename As State,
Case tblAssets.AssetID
When SubQuery1.AssetID Then 'Up to date'
Else 'Out of date'
End As [Patch status],
Case
When tblComputersystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case
When tsysOS.OScode Like '10.0.10240%' Then '1507'
When tsysOS.OScode Like '10.0.10586%' Then '1511'
When tsysOS.OScode Like '10.0.14393%' Then '1607'
When tsysOS.OScode Like '10.0.15063%' Then '1703'
When tsysOS.OScode Like '10.0.16299%' Then '1709'
When tsysOS.OScode Like '10.0.17134%' Then '1803'
When tsysOS.OScode Like '10.0.17763%' Then '1809'
End As Version,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then ''
Else Case
When tsysOS.OSname Like '%XP%' or tsysOS.OSname like '%2003%' Then 'KB4500331'
When tsysOS.OSname = 'Win 2008' Then 'KB4499149 or KB4499180'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname = 'Win 2008 R2' Then 'KB4499164 or KB4499175'
When tsysOS.OSname = 'Win 2012' Or
tsysOS.OSname = 'Win 8' Then 'KB4499171 or KB4499158'
When tsysOS.OSname = 'Win 8.1' Or
tsysOS.OSname = 'Win 2012 R2' Then 'KB4499151 or KB4499165'
When tsysOS.OScode Like '10.0.10240' Then 'KB4499154'
When tsysOS.OScode Like '10.0.10586' Then 'KB4093109'
When tsysOS.OScode Like '10.0.14393' Or
tsysOS.OSname = 'Win 2016' Then 'KB4494440'
When tsysOS.OScode Like '10.0.15063' Then 'KB4499181'
When tsysOS.OScode Like '10.0.16299' Then 'KB4499179'
When tsysOS.OScode Like '10.0.17134' Then 'KB4499167'
When tsysOS.OScode Like '10.0.17763' Or
tsysOS.OSname = 'Win 2019' Then 'KB4494441'
End
End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) > 3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.'
Else ''
End As Comment,
Case tblAssets.AssetID
When SubQuery1.AssetID Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
= tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149','KB4499180','KB4499164','KB4499175','KB4499171','KB4499158','KB4499151','KB4499165','KB4499154','KB4093109','KB4494440','KB4499181','KB4499179','KB4499167','KB4494441','KB4500331')) As
SubQuery1 On tblAssets.AssetID = SubQuery1.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
tsysOS.OSname != 'Win 2000 S' And tsysAssetTypes.AssetTypename Like
'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName
Options
thoughtmonkey
#1thoughtmonkey Member Posts: 7  
posted: 5/16/2019 10:01:14 AM(UTC)
Is there a way to just have a report for the specific CVE-2019-0708 vulnerability only? I tried removing the non-affected OS but they appear in the report.

Thanks :)
3
Cindy.C
#2Cindy.C Member Administration Posts: 18  
posted: 5/16/2019 11:42:59 AM(UTC)
Updated the report to include 'KB4500331' in the where clause, as the report would show some assets as not up to date when they were, in fact, up to date.
0
tomscott2340
#3tomscott2340 Member Posts: 10  
posted: 5/16/2019 3:09:26 PM(UTC)
I'm also wanting what @thoughtmonkey is.. How do we get a report that just shows machines missing the zero day?

THanks
0
kltr
#4kltr Member Posts: 3  
posted: 5/17/2019 2:48:19 PM(UTC)
I made simple version for only shows CVE-2019-0708 vulnerability.

Here is code:
*******
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblState.Statename As State,
Case tblAssets.AssetID
When SubQuery1.AssetID Then 'Up to date'
Else 'Out of date'
End As [Patch status],
Case
When tblComputersystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then ''
Else Case
When tsysOS.OSname Like '%XP%' Or
tsysOS.OSname Like '%2003%' Then 'KB4500331'
When tsysOS.OSname = 'Win 2008' Then 'KB4499149 or KB4499180'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname = 'Win 2008 R2' Then 'KB4499164 or KB4499175'
End
End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) > 3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.'
Else ''
End As Comment,
Case tblAssets.AssetID
When SubQuery1.AssetID Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
= tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
'KB4499164', 'KB4499175', 'KB4500331')) As SubQuery1 On
tblAssets.AssetID = SubQuery1.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
tsysOS.OSname Not Like '%8.1%' And tsysAssetTypes.AssetTypename Like
'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName
1
jbryant
#5jbryant Member Posts: 6  
posted: 5/18/2019 2:42:15 PM(UTC)
Originally Posted by: thoughtmonkey Go to Quoted Post
Is there a way to just have a report for the specific CVE-2019-0708 vulnerability only? I tried removing the non-affected OS but they appear in the report.

Thanks :)


This is the report I created to search for CVE-2019-0708 related updates. It's simple and easy to modify for future updates reports.

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Firstseen,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblComputersystem.Domainrole,
tblQuickFixEngineeringUni.HotFixID
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode And tblAssets.OScode =
tsysOS.OScode
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Inner Join tblQuickFixEngineering On
tblAssets.AssetID = tblQuickFixEngineering.AssetID
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID =
tblQuickFixEngineering.QFEID
Inner Join tblQuickFixEngineeringUni tblQuickFixEngineeringUni1 On
tblQuickFixEngineeringUni1.QFEID = tblQuickFixEngineering.QFEID
Where tblComputersystem.Domainrole > 0 And tblQuickFixEngineeringUni.HotFixID In
('KB4499180', 'KB4499149', 'KB4499164', 'KB4499175')
Order By tblAssets.Domain,
tblAssets.AssetName
0
Hendrik.VE
#6Hendrik.VE Member Posts: 29  
posted: 5/21/2019 8:32:41 AM(UTC)
This report gives a complete color-coded overview of all systems vulnerable to the RDS vulnerability (CVE-2019-0708). When the security hotfix is installed OR the Remote Desktop Service is stopped, the affected system is marked as 'not vulnerable'.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149 or KB4499180'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164 or KB4499175'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
5
jase
#7jase Member Posts: 1  
posted: 5/23/2019 10:17:06 PM(UTC)
Thanks for this! This is very usefl Applause

Originally Posted by: Hendrik.VE Go to Quoted Post
This report gives a complete color-coded overview of all systems vulnerable to the RDS vulnerability (CVE-2019-0708). When the security hotfix is installed OR the Remote Desktop Service is stopped, the affected system is marked as 'not vulnerable'.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149 or KB4499180'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164 or KB4499175'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName


0
thoughtmonkey
#8thoughtmonkey Member Posts: 7  
posted: 5/29/2019 11:25:55 AM(UTC)
Hi.

The report is great, i'm trying to have it show only "Out of date" items, but can't seem to get it to work.
Any ideas how to show only the "Out of date" patch status'?

Originally Posted by: kltr Go to Quoted Post
I made simple version for only shows CVE-2019-0708 vulnerability.

Here is code:
*******
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblState.Statename As State,
Case tblAssets.AssetID
When SubQuery1.AssetID Then 'Up to date'
Else 'Out of date'
End As [Patch status],
Case
When tblComputersystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then ''
Else Case
When tsysOS.OSname Like '%XP%' Or
tsysOS.OSname Like '%2003%' Then 'KB4500331'
When tsysOS.OSname = 'Win 2008' Then 'KB4499149 or KB4499180'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname = 'Win 2008 R2' Then 'KB4499164 or KB4499175'
End
End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) > 3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.'
Else ''
End As Comment,
Case tblAssets.AssetID
When SubQuery1.AssetID Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
= tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
'KB4499164', 'KB4499175', 'KB4500331')) As SubQuery1 On
tblAssets.AssetID = SubQuery1.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
tsysOS.OSname Not Like '%8.1%' And tsysAssetTypes.AssetTypename Like
'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName


0
bbeavis
#9bbeavis Member Posts: 13  
posted: 5/30/2019 3:34:07 PM(UTC)
Due to the nature of the cumulative updating, this report seems to already lost usefulness. Example, on my 2016 boxes this report looks for KB4494440, but some of my systems have skipped this for a newer one. This reports them as out of date. I can updated the report, but was wondering if there is some logic to the KB numbers. The increase, but would it be valid to look for KB### or greater? Is there a numeric pattern to cumulative vs other? Is the a string match?

Thanks,
Bill
0
User18954
#10User18954 Member Posts: 8  
posted: 6/6/2019 3:43:28 PM(UTC)
Does Lansweeper intentionally skip Monthly Rollups?
My Win 2008 R2 server has 'KB4499164' installed however it is not reporting in Lansweeper.
I have refreshed the data with setting the scan to 0 days, and I have newer KB updates without an issue.
Previous monthly rollups are not included in the report either.


0
Jan-Hendrik
#11Jan-Hendrik Member Posts: 2  
posted: 7/2/2019 2:21:54 PM(UTC)
Originally Posted by: Hendrik.VE Go to Quoted Post
This report gives a complete color-coded overview of all systems vulnerable to the RDS vulnerability (CVE-2019-0708). When the security hotfix is installed OR the Remote Desktop Service is stopped, the affected system is marked as 'not vulnerable'.

Code:
Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149 or KB4499180'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164 or KB4499175'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate())) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName


Hello Hendrik.VE,
could it be that your report does not take Win Server 2019 into account? All our completely patched Win Server 2019 will appear in red in the report. I don't have good SQL knowledge so I have to ask this stupid question here.

Many greetings!
0
Esben.D
#12Esben.D Member Administration Original PosterPosts: 1,966  
posted: 7/2/2019 2:50:05 PM(UTC)
When I created a new BlueKeep topic with Hendrik's report I added server 2019. Check it out: https://www.lansweeper.c...eKeep-Vulnerability.aspx
0

Active Discussions

Lansweeper TPM scanning
by  gene@sca   Go to last post Go to first unread
Last post: Yesterday at 10:40:24 PM(UTC)
Lansweeper Bulk AssetLock set
by  tcooper   Go to last post Go to first unread
Last post: Yesterday at 6:24:15 PM(UTC)
Lansweeper Set AssetType based on Model?
by  tcooper   Go to last post Go to first unread
Last post: Yesterday at 6:16:57 PM(UTC)
Lansweeper Public IP Address
by  David Goodwin   Go to last post Go to first unread
Last post: Yesterday at 4:57:14 PM(UTC)
Lansweeper Exchange Scan in v7 and DAG
by  Peter.Riederer   Go to last post Go to first unread
Last post: Yesterday at 8:42:48 AM(UTC)
Lansweeper Asset Scanning - Change Types
by  DNuhija   Go to last post Go to first unread
Last post: 12/12/2019 5:40:47 PM(UTC)
Lansweeper Plundervolt
by  NWSF   Go to last post Go to first unread
Last post: 12/12/2019 5:10:14 PM(UTC)
Lansweeper MSI Package
by  Stefano Magri   Go to last post Go to first unread
Last post: 12/12/2019 3:34:16 PM(UTC)