Windows Security Patch Status Sanity Checks

Viewing Patch History

PowerShell's "Get-Hotfix" cmdlet

Open PowerShell as a user with administrator-equivalent rights on the target (local or remote), and run the following (sort is the alias of Sort-Object; InstalledOn puts the most recent patch last):

Get-Hotfix [-ComputerName <computername>] | Sort-Object InstalledOn

Windows Update Control Panel Applet

Open Control Panel –> Windows Update –> View update history –> Installed Updates.

Notice that there is a discrepancy between 'Get-Hotfix' and the "Installed Updates" applet for some QFEs (http://go.microsoft.com/fwlink/?LinkID=145071). Get-Hotfix reads the Win32_QuickFixEngineering WMI class, which only returns updates applied through Component-Based Servicing; updates delivered as MSI packages or for other products (Office, .NET, drivers, definition updates) are recorded in the Windows Update history but never appear in Get-Hotfix output. Both views show what was installed, not what is missing, which is what the MBSA scan below is for.
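To make that discrepancy visible on a single machine, the following added example (not code from the original page) lists the KB numbers that Get-Hotfix reports next to the KB numbers recorded in the Windows Update history, read through the Microsoft.Update.Session COM object, and prints the entries that appear in only one of the two sources. It runs locally in an elevated PowerShell session; history entries whose title carries no KB number (definition updates, for example) are skipped.

```powershell
# Added example: compare Get-Hotfix (Win32_QuickFixEngineering) with the
# Windows Update history kept by the Windows Update agent. Run elevated,
# on the machine being checked.

function Get-UpdateHistoryKBs {
    # QueryHistory returns every Windows Update operation, including failures.
    # Keep successful installs only: Operation 1 = installation,
    # ResultCode 2 = succeeded, 3 = succeeded with errors.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -in 2, 3 } |
        ForEach-Object {
            # Pull the KB number out of the title, e.g. "... (KB5034127)"
            if ($_.Title -match 'KB(\d{6,7})') {
                [pscustomobject]@{
                    HotFixID = "KB$($Matches[1])"
                    Title    = $_.Title
                    Date     = $_.Date
                }
            }
        } |
        Sort-Object HotFixID -Unique
}

function Compare-PatchSources {
    $qfe     = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object -Unique)
    $history = @(Get-UpdateHistoryKBs | Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        InBoth              = @($qfe     | Where-Object { $_ -in    $history })
        OnlyInGetHotfix     = @($qfe     | Where-Object { $_ -notin $history })
        OnlyInUpdateHistory = @($history | Where-Object { $_ -notin $qfe })
    }
}

$result = Compare-PatchSources
"Seen by both sources            : $($result.InBoth.Count)"
"Only in Get-Hotfix (QFE/CBS)    : $($result.OnlyInGetHotfix -join ', ')"
"Only in Windows Update history  : $($result.OnlyInUpdateHistory -join ', ')"
```

The last line is the interesting one: anything listed there was installed according to the Windows Update agent but is invisible to Get-Hotfix, so an inventory based on Get-Hotfix alone will under-report what is on the box.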

Using Microsoft Baseline Security Analyzer to Audit Patch Status

Initial Setup

Create a working directory (e.g., c:\temp\mbsa) and download the following items to it (the MBSA installer and the wsusscn2.cab offline update catalog referenced by the scan command below):

The *.cab file is a point-in-time snapshot of update metadata; re-download it whenever you want a current baseline (after Patch Tuesday, for example), because a scan can only report updates that exist in the catalog it was given.

Install Microsoft Baseline Security Analyzer.

Running MBSA Scans

Create a text file (e.g., servers.txt) listing the server names you wish to scan, one per line. All of them should be in the same domain, since a single set of credentials is passed to the scan.

CD to the MBSA installation directory (if it is not in %PATH%) and run the MBSA scan (one line). The /n switch skips the Password, IIS, OS and SQL checks so that only the update check runs; /nvc skips the check for a newer MBSA version; /nd prevents downloads from Microsoft Update (everything comes from the offline catalog); and /wi reports all applicable updates rather than only those approved on a WSUS server:

mbsacli.exe /catalog C:\temp\mbsa\wsusscn2.cab /listfile C:\temp\mbsa\servers.txt /wi /nvc /nd /n Password+IIS+OS+SQL /u:DOMAIN\ADMIN.ACCOUNT /p YOURPASSWORD

You can scan an entire domain with one line, but this is not recommended: it enumerates every computer object, including workstations and machines that are offline, so it is slow and produces a long list of failed scans. Note also that with either form the password sits on the command line, where it is visible in the console history and in process listings; clear the history afterwards or prompt for the password from a wrapper script instead:

mbsacli.exe /catalog C:\temp\mbsa\wsusscn2.cab /d DOMAINTOSCAN /wi /nvc /nd /n Password+IIS+OS+SQL /u:DOMAINTOSCAN\ADMIN.ACCOUNT /p YOURPASSWORD

N.B.: It's a Catch-22, but a computer scan may fail if the target's Windows Update agent is too far out of date to process the offline catalog, so the agent itself has to be patched before MBSA can tell you what else is missing.

Also note that because of prerequisites, Windows Update only reports the patches that are immediately applicable. More patches become applicable once the first round is installed, and in some cases (Windows 2012 R2 rollups) the majority of patches will not even show up until the prerequisites are applied. There is no way around this other than to patch, reboot, and rescan until a scan reports nothing missing.
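The following added example (not code from the original page) wraps the listfile form of the scan: it builds servers.txt from Active Directory using only enabled computer objects that run a server OS and have logged on recently (so workstations and dead objects are never scanned), prompts for the scan account's password with Get-Credential instead of leaving it in the console history, and then calls mbsacli with the same switches as the command above. It assumes the RSAT ActiveDirectory module is installed and that mbsacli.exe is on %PATH% or in the current directory; the domain name, working directory and catalog path are placeholders.

```powershell
# Added example: generate a servers-only list from AD and run the MBSA
# update scan against it. Paths and the domain name are assumptions.
param(
    [string]$Domain  = 'DOMAIN',
    [string]$WorkDir = 'C:\temp\mbsa',
    [string]$Catalog = 'C:\temp\mbsa\wsusscn2.cab'
)

Import-Module ActiveDirectory

# Enabled computer objects with a server OS that checked in during the last 30
# days. Stale objects would only add failed entries to the report.
$cutoff  = (Get-Date).AddDays(-30)
$servers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' `
                          -Properties OperatingSystem, LastLogonDate |
           Where-Object { $_.LastLogonDate -gt $cutoff } |
           Select-Object -ExpandProperty DNSHostName |
           Sort-Object

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
$listFile = Join-Path $WorkDir 'servers.txt'
$servers | Set-Content -Path $listFile -Encoding ASCII
"Wrote $($servers.Count) server names to $listFile"

# Prompt for the scan account. The password still appears on mbsacli's own
# command line (visible in process listings while it runs), but it is kept
# out of your shell history and any PowerShell transcript.
$cred = Get-Credential -Message "Account with admin rights on the target servers ($Domain)"
$user = $cred.UserName                         # e.g. DOMAIN\admin.account
$pass = $cred.GetNetworkCredential().Password

# Same switches as the manual command: update check only, offline catalog,
# no version check, no downloads, report all applicable updates.
& mbsacli.exe /catalog $Catalog /listfile $listFile /wi /nvc /nd `
              /n Password+IIS+OS+SQL "/u:$user" /p $pass

"Scan finished; reports are in $env:USERPROFILE\SecurityScans"
```

Rerun the script after each patch-and-reboot round; because of the prerequisite behaviour described above, the second and third runs routinely report updates the first one could not see.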

Analyzing MBSA Results in Excel

MBSA results are stored as XML files with a *.mbsa extension in the %userprofile%\SecurityScans directory of the account that ran the scan.

  • Copy %userprofile%\SecurityScans\*.mbsa to the working directory (optional).
  • From a cmd.exe prompt in that directory, collate them into one file (e.g., "type *.mbsa > final.xml"). Use ">" rather than ">>" so that a final.xml left over from an earlier run is overwritten instead of appended to, which would duplicate rows.
  • Add <fullscan> as the first line of final.xml and </fullscan> as the last line, so the file has a single root element and parses as one XML document.
  • Save final.xml.
  • Open Excel and import final.xml as an XML table.
  • Within Excel, filter where IsInstalled equals FALSE. Those rows are the updates that are applicable to the machine but not installed, i.e. the missing patches.
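The same result can be produced without the type/fullscan/Excel round trip by reading the reports with PowerShell's XML parser. The following is an added example, not code from the original page: it walks a directory of *.mbsa files, selects every UpdateData node whose IsInstalled attribute is false (compared case-insensitively, since the Excel filter above says FALSE), and writes one CSV row per machine and missing update. Only the IsInstalled attribute is taken from the page; the other element and attribute names (SecScan with Machine and Domain attributes, UpdateData with KBID, Severity and a Title child) are assumptions about the MBSA report schema and should be adjusted if your reports differ. The two sample reports it creates are constructed for the demonstration.

```powershell
# Added example: turn MBSA *.mbsa reports into a flat list of missing updates.
# Element names other than IsInstalled are assumptions about the report schema.

function Get-MbsaMissingUpdates {
    param([Parameter(Mandatory)][string]$Path)   # directory holding *.mbsa files

    foreach ($file in Get-ChildItem -Path $Path -Filter '*.mbsa') {
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        $scan = $doc.SecScan                       # assumed root element

        # IsInstalled="false" marks an applicable-but-missing update; translate()
        # makes the comparison case-insensitive so FALSE/False also match.
        $xpath = '//UpdateData[translate(@IsInstalled,"FALSE","false")="false"]'
        foreach ($u in $doc.SelectNodes($xpath)) {
            [pscustomobject]@{
                Machine  = $scan.Machine
                Domain   = $scan.Domain
                KB       = $u.KBID
                Severity = $u.Severity
                Title    = ([string]$u.Title).Trim()
                Report   = $file.Name
            }
        }
    }
}

# ---- constructed sample reports, so the function can be exercised offline ----
$demo = Join-Path $env:TEMP 'mbsa-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

@'
<SecScan ID="0" Machine="SRV01" Domain="DOMAIN" Date="2024-01-15 10:00:00">
  <Check ID="500" Name="Security Updates">
    <Detail>
      <UpdateData KBID="5034127" IsInstalled="false" Severity="Critical">
        <Title>Cumulative Update for Windows Server (sample)</Title>
      </UpdateData>
      <UpdateData KBID="4589208" IsInstalled="true" Severity="Important">
        <Title>Servicing Stack Update (sample)</Title>
      </UpdateData>
    </Detail>
  </Check>
</SecScan>
'@ | Set-Content -Path (Join-Path $demo 'SRV01.mbsa') -Encoding UTF8

@'
<SecScan ID="0" Machine="SRV02" Domain="DOMAIN" Date="2024-01-15 10:05:00">
  <Check ID="500" Name="Security Updates">
    <Detail>
      <UpdateData KBID="5034127" IsInstalled="FALSE" Severity="Critical">
        <Title>Cumulative Update for Windows Server (sample)</Title>
      </UpdateData>
    </Detail>
  </Check>
</SecScan>
'@ | Set-Content -Path (Join-Path $demo 'SRV02.mbsa') -Encoding UTF8

$missing = Get-MbsaMissingUpdates -Path $demo
$missing | Format-Table Machine, KB, Severity, Title -AutoSize
$missing | Export-Csv -Path (Join-Path $demo 'missing-updates.csv') -NoTypeInformation
# Expected for the sample data: two rows, KB5034127 on SRV01 and on SRV02;
# SRV01's KB4589208 is excluded because it is installed.
```

Point -Path at %userprofile%\SecurityScans (or the working directory) to process real reports; the CSV can be opened in Excel or grouped with Group-Object KB to see which missing update affects the most machines.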

Side note: The MBSA Scripting Samples seem like far more trouble than they're worth; importing the results into Excel as-is is trivial. And multimbsa.exe (which spawns multiple parallel scans) seems to pass all options, notably the password option, in all caps, which makes it useless for multiple domains. I gave up trying to figure it out.