Esben_D
Lansweeper Employee

Hello,

As you might know, I’m mainly responsible for the Patch Tuesday reports, and as you might have seen previously, I’ve been looking at improving it to make it more accurate both historically and for future updates.

In my previous attempt, I tried using “greater than” logic to make it so that when you run a patch Tuesday report, even after installing newer patches.

However, it seems that Microsoft’s patch numbers aren’t as stable as I thought, causing issues with accuracy due to out-of-band updates and SSU.

Attempt #2

We scan the specific build number of Windows which can be tied to a specific Patch Tuesday update.

For example, version 2004 and 20H2 UBR versions for Patch Tuesday are 928
https://support.microsoft.com/en-us/topic/april-13-2021-kb5001330-os-builds-19041-928-and-19042-928-...

By creating a report, linking each UBR to their Patch Tuesday, you would get a report which shows exactly on which patch Tuesday a machine currently is and it can indicate which ones are on, or higher than the latest patch Tuesday.

If you want to give this test a try, you can do the following:

  1. Run the report:
    PatchTuesdayV6.txt (5.3 KB)

  2. If the build number Column is outdated, rescan the assets in the report.

Let me know below about your findings and if the report is accurate for you. As long as your machines have the patch Tuesday of April installed, they should be listed as up to date.
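
The UBR-to-Patch-Tuesday lookup described in the post above, as an added Python example (not part of the original post and not the Lansweeper report itself). Only the 928 UBR for builds 19041 and 19042 is taken from the post; the other table rows, the function names and the sample asset names are constructed for illustration.

```python
from bisect import bisect_right

# Build -> ascending (UBR, Patch Tuesday) rows. Only the 928 rows come from the
# post (April 13, 2021); the 800 rows are constructed placeholders for an
# earlier month so the lookup has more than one step.
PT_BUILDS = {
    19041: [(800, "constructed-earlier-PT"), (928, "2021-04-13")],
    19042: [(800, "constructed-earlier-PT"), (928, "2021-04-13")],
}

def parse_version(version):
    """Return (build, ubr) from '10.0.19041.928' or '19041.928', else None."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 4) or not all(p.isdigit() for p in parts):
        return None
    return int(parts[-2]), int(parts[-1])

def classify(version, table=PT_BUILDS):
    """Return (patch_tuesday_label_or_None, status) for one scanned version."""
    parsed = parse_version(version)
    if parsed is None:
        return None, "no UBR scanned"
    build, ubr = parsed
    rows = table.get(build)
    if not rows:
        return None, "unknown build"
    # Index of the first row whose UBR is strictly greater than the machine's.
    idx = bisect_right([u for u, _ in rows], ubr)
    if idx == 0:
        return None, "out of date"  # older than every tracked Patch Tuesday
    # An out-of-band UBR between two rows maps down to the earlier Patch Tuesday.
    status = "up to date" if idx == len(rows) else "out of date"
    return rows[idx - 1][1], status

if __name__ == "__main__":
    # Constructed sample assets, not real scan data.
    for name, ver in [("pc-01", "10.0.19041.928"), ("pc-02", "10.0.19042.950"),
                      ("pc-03", "19041.850"), ("srv-01", "10.0.19041")]:
        print(name, ver, classify(ver))
```

A UBR above the latest mapped value still counts as up to date, which is how a machine with a newer or out-of-band update avoids being flagged.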

32 REPLIES
Esben_D
Lansweeper Employee

Here is a new version for July. Let me know if it works for you or not.

PTBuildsV7.txt (5.6 KB)

proxykeeper
Engaged Sweeper III

I like the Highest KB Found column.
From a server perspective, Windows 2016 and 2019 OS’s look correct. It is reporting out of date for all Windows 2012 and Windows 2012r2 servers though.
If you could add the color codes back in too, that would be helpful.

Esben_D
Lansweeper Employee

I added the color-coding again and a column indicating which build number is the July PT build number.

PTBuildsV8.txt (8.0 KB)

You should check if your Windows 2012 and 2012r2 servers actually have the latest patch installed and what build number it is showing. If the build number is lower than the PT build number column, it will show as out of date.

The July Patch Tuesday updates should update the build number to the PT build number.

proxykeeper
Engaged Sweeper III

Would it be possible to store the security KB’s in the database and then use that for the report? You could add the KB’s to the database and the report would automatically use that instead of having to manually update the report each month. It would also provide a simple way to report on specific KBs.

Esben_D
Lansweeper Employee

That would be a possibility, but one that would require an integration with Microsoft services to fetch the latest updates at a set interval. So a lot more dev work.

proxykeeper
Engaged Sweeper III

Sounds like a great idea! Are the current Patch Tuesday Audit reports created manually? Would it be possible to create the database table for the Microsoft KB’s and populate it manually, or use a similar method that is currently used to create the Patch Tuesday Audits, until it is fully automated?

Esben_D
Lansweeper Employee

I create them manually every month. Having a database table with the KB numbers wouldn’t help unless it is populated automatically. Otherwise we’re just updating a table instead of the report (which by the way we can only do with a software update at the moment).

In the IT Asset data platform we will be adding functionality to push reports to customers. So we could update/add reports straight to your interface. Long term we do want to automate patch Tuesday and vulnerability management much more (using the software standardization).

Esben_D
Lansweeper Employee

I actually found out that I overlooked the fact that we already scan the UBR number by default (so there is no need to scan the registry key).

So here is a version that uses that, hopefully it is more accurate:

PatchTuesdayV6.txt (5.3 KB)

proxykeeper
Engaged Sweeper III

I noticed the UBR number scanned by default with Lansweeper is only working on Windows 2016 and above.

To show this, the UBR Reg value column was added: