Using PowerShell to patch Windows Servers against WannaCry (MS17-010)

Last week I received an advisory regarding the urgent patching of Windows servers used on the corporate network due to the WannaCry vulnerability, stating that all non-compliant machines had to be patched with MS17-010.

Now I use Windows Servers quite a bit in my day job for reproduction of customer issues, but I knew the majority of VMs I used were either Linux based or VMware Appliances. I did not have any physical boxes, so this made the information gathering exercise easier.

After some internal dogfooding using vRealize Configuration Manager (part of vRealize Operations Suite), I ran a vCenter Guests collection and was then able to get a complete list of Windows VMs which would require patching. The final total was 35 machines spread over 3 OS types – Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

Now I could have copied the required MSU files to each server and executed the patching process manually, but I wanted to make this more interesting, so I decided to flex my PowerShell skills and semi-automate the process.

The premise of the script was the following:

  • Read in a list of machines from .txt file
  • Check if connection to machine can be established
  • Detect the OS version and the patch variant required to install
  • Create temp folder on C:\ if it does not exist (subject to permissions)
  • Launch PsExec and then execute a remote call to WUSA to install the patch
  • Based on the code output from WUSA, the script either reported success or failure.
  • The code iteratively worked through each machine and once the .txt file had been read the script would exit gracefully.
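One way to implement the steps listed above, as an added example (this is not the author's DeployPatch_MS17_010.ps1). The file `servers.txt`, the `C:\Patches` source folder and the `.msu` file names are placeholders assumed for illustration; PsExec is assumed to be on the PATH and the account running the script is assumed to have admin rights on each target.

```powershell
# Added example, not the original script. Paths and .msu names are placeholders.
param(
    [string]$ServerList  = '.\servers.txt',   # one machine name per line (assumed)
    [string]$PatchSource = 'C:\Patches',      # local folder holding the MSU files (assumed)
    [string]$PsExec      = 'psexec.exe'
)

# OS version (major.minor) -> MSU file. Replace the placeholders with the
# MS17-010 package downloaded for each OS.
$PatchByOs = @{
    '6.1' = 'MS17-010-2008R2-PLACEHOLDER.msu'   # Windows Server 2008 R2
    '6.2' = 'MS17-010-2012-PLACEHOLDER.msu'     # Windows Server 2012
    '6.3' = 'MS17-010-2012R2-PLACEHOLDER.msu'   # Windows Server 2012 R2
}

function Resolve-WusaExitCode([int]$Code) {
    switch ([string]$Code) {
        '0'           { 'Success' }
        '3010'        { 'Success, reboot required' }
        '2359302'     { 'Already installed' }
        '-2145124329' { 'Update not applicable to this machine' }
        default       { "Failed (exit code $Code)" }
    }
}

foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server = $server.Trim()
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        Write-Warning "$server : unreachable, skipped"; continue
    }
    try {
        $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $key = ($os.Version -split '\.')[0..1] -join '.'
        $msu = $PatchByOs[$key]
        if (-not $msu) { Write-Warning "$server : no patch mapped for $($os.Caption)"; continue }

        # Stage the package in C:\Temp on the target via the admin share
        $remoteTemp = "\\$server\C`$\Temp"
        if (-not (Test-Path $remoteTemp)) {
            New-Item -Path $remoteTemp -ItemType Directory -ErrorAction Stop | Out-Null
        }
        Copy-Item (Join-Path $PatchSource $msu) $remoteTemp -Force -ErrorAction Stop

        # Run wusa as SYSTEM on the target; PsExec hands back wusa's exit code
        & $PsExec "\\$server" -accepteula -s wusa.exe "C:\Temp\$msu" /quiet /norestart 2>$null
        Write-Output ('{0} : {1}' -f $server, (Resolve-WusaExitCode $LASTEXITCODE))
    }
    catch { Write-Warning "$server : $($_.Exception.Message)" }
}
```

Exit code 3010 means the patch is staged but not active until the machine reboots, so those hosts should stay on the non-compliant list until a reboot has been confirmed.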

After a few coding iterations I created DeployPatch_MS17_010.ps1, the screenshot below shows the script running on 1 out of 26 machines.

Note: I have had to obfuscate the VM name as this was a customer repro VM.

[Screenshot: DeployPatch_MS17_010.ps1 running]

To follow on from this, I plan to create 2 more scripts which will detect which machines require reboots and then detect that the patch is installed correctly and is now compliant. I may also make additional changes to v1.0 to allow for pre-selection of the .txt file plus other enhancements.

Thanks for reading and please feel free to leave a comment or message me on Twitter (@lukaswinn) if you found this article useful.

— Lukas
