After this weeks WannaCrypt fiasco I found a couple posted scripts for scanning a domain to check if servers had the necessary patches installed to mitigate against the vulnerability. After patching a couple of systems that the scripts said were vulnerable I found that they kept reporting that the patches were missing. Upon reviewing Get-Hotfix and doing a stare and compare at what was showing as having been installed via the "View Update History" I noticed that there were missing KB's.
The output from Get-Hotfix, you can see there are only 6 KB’s that start with KB40…
If I look at the Update History on the server I see there are some missing ones:
After a bit of research I found that this post on TechNet from Mervyn Zhang:
Windows Update and Office update are separated in two catalogs. Get-hotfix which leverage Win32_QuickFixEngineering only lists Windows updates. Starting with Windows Vista, Win32_QuickFixEngineering returns only the updates supplied by Component Based Servicing (CBS). These updates are not listed in the registry. Updates supplied by Microsoft Windows Installer (MSI) or the Windows update site (http://update.microsoft.com) are not returned by Win32_QuickFixEngineering. For your information: Understanding Component-Based Servicinghttp://blogs.technet.com/askperf/archive/2008/04/23/understanding-component-based-servicing.aspx
I then devised the following script that searched the Windows Update Agent COM Object for all KB's installed on a system including rollups and CU's. To download the script grab it from TechNet: