WannaCrypt - Missing KB's?

After this weeks WannaCrypt fiasco I found a couple posted scripts for scanning a domain to check if servers had the necessary patches installed to mitigate against the vulnerability. After patching a couple of systems that the scripts said were vulnerable I found that they kept reporting that the patches were missing. Upon reviewing Get-Hotfix and doing a stare and compare at what was showing as having been installed via the "View Update History" I noticed that there were missing KB's.

The output from Get-Hotfix, you can see there are only 6 KB’s that start with KB40…

If I look at the Update History on the server I see there are some missing ones:

After a bit of research I found that this post on TechNet from Mervyn Zhang:

Windows Update and Office update are separated in two catalogs. Get-hotfix which leverage Win32_QuickFixEngineering only lists Windows updates. Starting with Windows Vista, Win32_QuickFixEngineering returns only the updates supplied by Component Based Servicing (CBS). These updates are not listed in the registry. Updates supplied by Microsoft Windows Installer (MSI) or the Windows update site (http://update.microsoft.com) are not returned by Win32_QuickFixEngineering. For your information:  Understanding Component-Based Servicinghttp://blogs.technet.com/askperf/archive/2008/04/23/understanding-component-based-servicing.aspx

 I then devised the following script that searched the Windows Update Agent COM Object for all KB's installed on a system including rollups and CU's. To download the script grab it from TechNet:

https://gallery.technet.microsoft.com/Search-Domain-For-Specific-4b6388e9

​​Lessons Learned: Bug with Windows DNS Client

Last week I encountered an issue with what initially appeared to be a problem with DNS scavenging, but after hours of troubleshooting and research I was able to determine that it was actually a known issue with the Windows DNS client.

It all began on Monday when I spun up two new Windows Server 2012 servers, one physical and one VM, to be new domain controllers in our domain. I began testing on Wednesday, after replication had completed, to make sure that Directory Services and DNS BPA’s were clean. We were not receiving any alerts from System Center Operations Manager regarding any AD or DNS related issues. At that point I moved the Operations Master (FSMO) roles to the new servers and changed several system’s primary and secondary DNS to point to the new DC’s. By Thursday afternoon without any issues or alarms I began moving the rest of our servers to point to the new DC’s for primary and secondary DNS. 

The following afternoon, 24 hours later, I began to receive alarms and calls from our end users about various issues with Lync 2013, as well as an email from our developers reporting that they could not connect to the production database. I attempted to connect and was unable to. When I pinged the servers I received an IPv6 entry in return and not an IPv4 response as I had expected. When I attempted to force an IPv4 ping I received “hostname not found”. I jumped onto the new 2012 domain controller as well as one of the 2008 DC’s and immediately saw that DNS entries were missing.

At this point I thought DNS scavenging might have been enabled when I promoted the 2012 servers. I quickly checked and found that scavenging was enabled at the zone level but not at the server level. I could not figure out how or why the DNS entries were just disappearing on their own and began restoring one of the 2008 servers from the previous day using System Center Data Protection Manager 2012 so that I could have a list of all the entries before they started disappearing. After restoring and making the comparison I was able to determine that none of the static entries had been touched which again confirmed my theory that it was not scavenging as some entries were over 3 years old. I began to compare the list of entries and determined that only the 2008 and 2008 R2 servers had been affected. Our production Hyper-V cluster, Operations Manager, and Configuration Manager are all on 2012 and were still correctly published in DNS. I sent out an update to our infrastructure consulting group and Ryan Jackson replied with a KB he came across that stated there is an issue with the DNS client’s on:

Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2

Microsoft has identified and provided a hotfix and workaround for the issue:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2520155

Upon installing the hotfix and running ipconfig /registerdns the servers re-registered in DNS and have not disappeared since.