Steven-4403 asked AJTek-Adam-J-Marshall commented

How to check if all PCs have the latest Windows security update

Hi,

I disabled some Windows features to prevent CVE-2021-40444 MSHTML Remote Code Execution Vulnerability. I know the patch has been available since last week.

My PCs are on a Windows 2012 R2 AD. I have a SIEM and I'd like a way to know who is up to date or not in relation to that update (before re-enabling the preview pane).

Does someone know which log entries in Event Viewer I can check to be sure CVE-2021-40444 is really patched on my computers?

If someone has another idea to check that (PowerShell script pushed by GPO, utility to remotely check all PCs, etc.)

Any idea would be appreciated.

Thanks and have a good day!

Tags: windows-10-security, windows-server-update-services, windows-server-2012

1 Answer

LimitlessTechnology-2700 answered AJTek-Adam-J-Marshall commented

Hello Steven,

When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.

The settings for this policy enable you to configure how Automatic Updates work. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update.

To configure the behavior of Automatic Updates, follow the link below:

https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127451#configure-automatic-updates



Hope this answers all your queries; if not, please do post back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )


Thanks for your answer,

That's what I've already done, but with Windows Update. What is the advantage of using a WSUS locally?

If someone knows which metric or log can tell me Windows is up to the latest update, it would be really useful for me to check in my SIEM!

Thanks


The advantage is that you wouldn't have asked this question. The reporting that WSUS gives you CONFIRMS that the machines are up to date and that no other updates are waiting for the system to install. If you wanted to know if a particular update was installed, you can search for it and see the report, and it will tell you if it was installed, if it is not applicable, or if it's supposed to be installed and what stage it is at (Downloaded, Needed but not downloaded), or if it tried to install it but it errored (and what error it had).


https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/
https://www.ajtek.ca/blog/is-wsus-worth-it/

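One way to do the check the question asks for, as an added example that is not part of the thread: a Windows PowerShell 5.1 startup script (pushed by GPO) that records the patch state in the Application log for the SIEM to collect. The KB ID, build numbers, minimum build revision, event source name and event IDs are placeholders or assumptions; take the real KB and build values from the Microsoft advisory for CVE-2021-40444.

```powershell
# Added example: patch check that leaves one event per boot for the SIEM.
# PLACEHOLDERS (not from the thread): fill one row per OS build from the
# Microsoft advisory for CVE-2021-40444. An unfilled row can never pass.
$RequiredFix = @{
    # OS build number = KB that first carries the fix, lowest patched revision (UBR)
    '00000' = @{ KB = 'KB0000000'; MinUbr = [int]::MaxValue }
}
$Source    = 'PatchCompliance'   # hypothetical event source name
$IdPatched = 4100                # hypothetical event IDs, pick any unused ones
$IdMissing = 4101
$IdUnknown = 4102

function Get-PatchState {
    param([string]$Build, [int]$Ubr, [string[]]$InstalledKb, [hashtable]$Table)
    if (-not $Table.ContainsKey($Build)) { return 'Unknown' }   # build not in the table
    $req = $Table[$Build]
    # A later cumulative update supersedes the original KB, so that KB can be
    # absent from the hotfix list on a patched machine; the build revision
    # comparison covers that case.
    if ($InstalledKb -contains $req.KB -or $Ubr -ge $req.MinUbr) { return 'Patched' }
    return 'Missing'
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR            # becomes 0 if the value is absent; KB check still applies
$kbs   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$state = Get-PatchState -Build $build -Ubr $ubr -InstalledKb $kbs -Table $RequiredFix

# Creating the source needs admin rights; computer startup scripts run as SYSTEM.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
$id   = switch ($state) { 'Patched' { $IdPatched } 'Missing' { $IdMissing } default { $IdUnknown } }
$type = if ($state -eq 'Patched') { 'Information' } else { 'Warning' }
$msg  = "CVE-2021-40444 patch state=$state build=$build.$ubr host=$env:COMPUTERNAME"
Write-EventLog -LogName Application -Source $Source -EventId $id -EntryType $type -Message $msg
```

In the SIEM, alert on the "Missing" and "Unknown" event IDs, and also on domain computers that have produced no event from this source at all, since a machine that never ran the script is not confirmed as patched.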