6 Replies Latest reply on May 17, 2017 9:49 AM by phoffmann

    Report on last ran windows update

    carlos Expert

      LDMS 9.6 SP2

       

      Hello, is there a way to get a report on the last time windows update was run by System?

       

      Thank you.

        • 1. Re: Report on last ran windows update
          phoffmann SupportEmployee

          Google may be your friend here. I'd *expect* to be able to find that info somewhere in WMI, but never had to.

           

          Perhaps to help clarify - I thought you would be using LANDesk to patch your systems? Or are you trying to keep tabs on users trying to use Windows Update independently of you (in which case, controlling the settings via GPO would usually be the way to go. no)?

           

          Just trying to make sense here. But - yes - "there should" be somewhere in Windows where that date/time exists, and therefor it should be pull-able. What sorts of hoops you have to jump through to get to it though, I can't help with that (other than pointing towards google-fu, as I doubt you'd be the first to ask this question) .

          • 2. Re: Report on last ran windows update
            phoffmann SupportEmployee

            ... or - after a bit more thinking this over ... do you mean "how do I get the relevant value into LANDesk" ?

             

            Once you find that data, that can be handled in a number of ways.

             

            You can do it via a custom vulnerability, via custom data ... it depends on how "friendly" (or not) the relevant data is in regards to human-readability. You *MAY* in fact have to perform some scripted operations to turn that data into something useful (i.e. - human-readable and comparison-operable ... so that you can check for "the last 60 days" or so).

             

            But yes - your first challenge is in locating it & figuring out what you need to translate. The "Last Windows Update check date/time" isn't something we pull back by default (as we've got our own vulnerability scanner which does do things more openly & effectively) ... but it's something that you can certainly add to your setup. It's "just custom data" ultimately.

            • 3. Re: Report on last ran windows update
              carlos Expert

              This is a result of the latest wcry attack, we wanted to know when was the last time each system ran the last update and check if the Windows Updates were turned off for some reason (we are using the CSA, all of these system are outside of our network)

              If I look under Inventory-->Updates-->updates I can see update that has been applied but can't see ON/OFF or Dates.

               

              -CS

              • 4. Re: Report on last ran windows update
                phoffmann SupportEmployee

                Yes - because we usually don't have reason to rely on Windows Update.

                 

                Assuming that you use our vulnerability scanner (not sure - do you? Or do you use WSUS) you can check for devices that are vulnerable for any of the following list of vulnerabilities (whilst this is vulscan data, you can query it in inventory) as part of the "Detected Patch and Compliance Definitions" section of Inventory (here's a screenshot to help you with what I'm talking about):

                 

                This article may help along as a "quick note" for what content you're scanning for -- Ivanti Patch News Bulletin: Ivanti Patch Support Table for WannaCry/WannaCrypt Ransomware Updates 16-MAY-2017 -- so it comes down to a fairly simple (quasy code) MULTI-INSERT based query:

                -- Begin with Widows XP & 2003

                COMPUTER.DETECTED PATCH AND COMPLIANCE DEFINITIONS.ID = MS17-010v2

                OR COMPUTER.DETECTED PATCH AND COMPLIANCE DEFINITIONS.ID = MS17-010v2_MSU

                -- Now on to others ...

                OR COMPUTER.DETECTED PATCH AND COMPLIANCE DEFINITIONS.ID = ...

                 

                This section of inventory *ONLY* shows you vulnerabilities that are *DETECTED* - so you don't need to worry about an additional "and detected = true" type filter.

                 

                If you DON'T use our stuff for vulnerability detection / remediation, you can still try to build a relevant query based on the "add/remove" side of things and check for the relevant KB ### (an example screenshot of such a query is included in this article - Latest information on WannaCrypt Ransomware (and How to Protect Against It) ) - you'd need to fill out the relevant KB ###-s (careful, these VARY based on the OS!).

                 

                Simiarly, as a "rapid version" (note that this does NOT worry about supersedence, so may need additional fine-tuning in your environment), here's a basic SQL statement that I whipped up for a customer (this WILL require you to use our vulnerability scanner though), along with a listing as to when the device(s) last performed a vulnerability scan (as an indication for how out-of-date or in-line the data is):

                select distinct COMP.DeviceName as 'Device Name', COMP.Type, OS.OSType as 'Operating System',
                VUL.Vul_ID as 'Missing Patch', COMP.SecurityLastScanDate as 'Last Security Scan Date Time'
                from COMPUTER(nolock) COMP
                
                LEFT OUTER JOIN OPERATING_SYSTEM (nolock) OS on COMP.Computer_Idn = OS.Computer_Idn
                LEFT OUTER JOIN CVDetected (nolock) CVD on COMP.Computer_Idn = CVD.Computer_Idn
                LEFT OUTER JOIN Vulnerability (nolock) VUL on CVD.Vulnerability_Idn = VUL.Vulnerability_Idn
                -- Search for *BOTH* VUL_ID itself and the TITLE fields, as security rollups include various possibilities
                where VUL.Vulnerability_Idn IN
                (select Vulnerability_Idn from Vulnerability where TITLE LIKE '%MS17-010%' or VUL_ID LIKE '%MS17-010%')
                -- and an ORDER BY for some cleaner data display
                order by OS.OSType, COMP.DeviceName
                
                

                 

                Hope that helps a bit?

                • 5. Re: Report on last ran windows update
                  carlos Expert

                  Thank you phoffmann I'll test this today.

                  • 6. Re: Report on last ran windows update
                    phoffmann SupportEmployee

                    Happy to help!

                     

                    That WannaCry shenanigans has got a lot of us running around - so more than happy to share what we can to help out with this shenanigans .