Hello there! BlueKeep (CVE-2019-0708) is a dangerous vulnerability in Microsoft’s Remote Desktop Protocol (RDP). It is wormable (it can spread autonomously from computer to computer), so you should patch it ASAP. I wrote a PowerShell script to help you find the computers you need to patch.
My PowerShell script runs rdpscan, parses the results, then feeds those into two Custom Fields in PDQ Inventory. Once the results are in Inventory you can create Collections and Reports to see which of your computers are vulnerable, then patch those vulnerable computers with PDQ Deploy (cumulative updates are great). In this post, I’ll show you how to run my script, and in Part 2 I’ll go into more detail about some of the things I had to do to get this script working.
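To illustrate the parsing step described above, here is an added example (not the script from the post or the PDQ project) that turns rdpscan output into the Status/Notes pair the two Custom Fields hold. It assumes rdpscan prints one `<target> - <STATUS> - <reason>` line per host; the sample lines are constructed.

```powershell
# Added example: parse rdpscan output lines into objects matching the two Custom Fields.
# Assumption: each rdpscan result line looks like "<target> - <SAFE|VULNERABLE|UNKNOWN> - <reason>".
function ConvertFrom-RdpScanOutput {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    process {
        foreach ($l in $Line) {
            if ([string]::IsNullOrWhiteSpace($l)) { continue }
            # Status is one of the three values the post stores; the reason text may itself contain " - "
            if ($l -match '^(?<Target>\S+)\s+-\s+(?<Status>SAFE|VULNERABLE|UNKNOWN)\s+-\s+(?<Notes>.+)$') {
                [pscustomobject]@{
                    ComputerName      = $Matches.Target
                    'BlueKeep Status' = $Matches.Status
                    'BlueKeep Notes'  = $Matches.Notes.Trim()
                }
            }
            else {
                # Lines that do not fit the pattern are kept as UNKNOWN so nothing silently drops out
                [pscustomobject]@{
                    ComputerName      = ($l -split '\s+')[0]
                    'BlueKeep Status' = 'UNKNOWN'
                    'BlueKeep Notes'  = "unparsed rdpscan output: $l"
                }
            }
        }
    }
}

# Constructed sample output, using the statuses and notes the post mentions (not a real scan)
$sample = @'
wkstn-01 - SAFE - CredSSP/NLA required
wkstn-02 - VULNERABLE - got appid
wkstn-03 - UNKNOWN - name resolution failed
garbage line with no status
'@ -split "`r?`n"

$results = $sample | ConvertFrom-RdpScanOutput
$results | Format-Table -AutoSize

# CSV whose column names match the Custom Fields, ready to be loaded into PDQ Inventory
$results | Export-Csv -Path (Join-Path $env:TEMP 'bluekeep-results.csv') -NoTypeInformation

# The hosts that need patching first
$results | Where-Object { $_.'BlueKeep Status' -eq 'VULNERABLE' }
```

In the sample run, wkstn-02 is reported VULNERABLE with the note "got appid", and the malformed fourth line lands in UNKNOWN with its raw text preserved in the notes.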
Disclaimer: This script is a work in progress. Since it’s functional, I’m releasing it. Although I do have a list of things I want to change/add, I don’t want to delay this blog any longer. Also, since it is on GitHub I highly encourage you to submit pull requests if you have any ideas for improvements.
The path to rdpscan.exe.
A list of PDQ Inventory Collection names to retrieve computer names from.
A list of computer names. You must provide this parameter or -Collections.
The number of instances of rdpscan.exe that will be executed simultaneously. This defaults to the number of CPU threads in your system times four. Increasing this number will use more RAM and could cause unexpected issues.
The name of the Custom Field that will store the status (SAFE, VULNERABLE, UNKNOWN). Defaults to “BlueKeep Status”.
The name of the Custom Field that will store the notes (CredSSP/NLA required, got appid, name resolution failed, etc.). Defaults to “BlueKeep Notes”.
Randomizes the order of the target list. Defaults to $false.
Shows informational messages that are hidden by default.
Download the latest version of rdpscan from its GitHub repository and unzip it.
Copy and paste my script into your favorite text editor (such as VS Code), then save it as a PS1 file (Find-BlueKeepVulnerableComputers.ps1). If you have git installed, you can clone my GitHub repository instead.
PDQ Inventory must be installed on the computer you are running my script from, and it must have an Enterprise License. This script should work with all three modes: Enterprise Local, Server, and Client.
Open a PowerShell window as admin.
Navigate to my script.
Execute my script with the required parameters and any optional parameters that you desire.
The minimum required to run this script:
A more advanced example:
Sit back, relax, and wait for the scans to finish. It could take a while depending on your environment. On my system, it usually takes around four to five minutes to scan ~650 targets. Once it finishes, open a computer in Inventory and check its Custom Fields page. Make sure BlueKeep Status and BlueKeep Notes are there and contain sensible-looking data. If everything is hunky-dory, you can start creating reports and collections.
To create a Basic Report you simply need to add BlueKeep Status and BlueKeep Notes (under the Computer table) and any other fields you’d like. I created a Basic Report with a few fields to get you started.
Once you run the report I recommend grouping it by BlueKeep Status so you can quickly drill down to the computers that need your attention.
I suggest creating five Collections: an empty Static Collection to act as a folder, and four Dynamic Collections beneath it based on BlueKeep Status. Here’s my set of Collections if you want a head start. I went with “Not Scanned”, “Safe”, “Unknown”, and “Vulnerable”. They all start with “Computer | BlueKeep Status | Equals”, then each one has a different Value. For “Not Scanned”, just leave Value empty.
And that’s it! Hopefully, this helps you find and track vulnerable computers in your environment so you can start remediation efforts. I highly recommend patching your computers as soon as you can. If you have any questions you can ask them in the comments below, or open an issue on my GitHub repository with the `question` label.
Colby was an employee at PDQ.