As of March 12, 2018, we will no longer be updating or maintaining the WannaCrypt Patch (MS17-10) collection. Even though we’ve removed the collection from the Collection Library, there are still ways to identify and keep computers patched.
It’s been nearly a year since the mass hysteria after WannaCrypt and its nasty host of friends hit newsstands. If you need a refresher, we previously posted about this vulnerability here.
Why Are We Doing This?
First, maintaining the collections each month takes up valuable resources and time. These would be better put to use making PDQ Deploy and PDQ Inventory even more powerful than they already are—not that we’re biased or anything.
Second, you are already patched for the WannaCrypt vulnerability if you’ve been regularly applying Microsoft Windows Updates to your machines. Microsoft released the patches for the MS17-10 vulnerability a year ago in March of 2017, with a few exceptions (looking at you, Windows XP). For more information, refer to Microsoft Security Bulletin MS17-010 – Critical.
But, I’ve Been Using Those
Many of you have been using the WannaCrypt Patch (MS17-10) collection to determine whether any machines on your network are vulnerable. If you currently have any collections, schedules, reports, or other references pointing to the WannaCrypt collection, you will need to update those to prevent incorrect or accidental deployments. I’m going to walk you through an easy way to stay current.
WannaCrypt Replacement Collections
The Windows Updates collections in the PDQ Inventory Collection Library identify which computers do not have the most current cumulative update or monthly rollup. Remember, the most recent Windows Updates include the WannaCrypt patches, as well as the patches to mitigate other vulnerabilities.
We recommend using these collections along with PDQ Deploy to automate Windows patch management. Our products are designed to work together to automatically deploy updates to the computers that need them, a true set-it-and-forget-it approach.
Automatic Windows Patch Management
If this is the first time you’re hearing about Auto Download packages, take a look at all of our Auto Download videos.
We recommend downloading two Windows Update packages from the Package Library; one for testing and another for production. This allows you to deploy the most current Windows updates to a pilot group of computers (perhaps belonging to your IT colleagues) to ensure that the update doesn’t break any of your end-users’ critical applications.
Configure a Test Package
Set the test package to immediate approval:
- Download the Windows update package you need (in this example, we used Win 10 (1607) and 2016 – Cumulative Update March 13 2018)
- Open the package and, optionally, add an identifier to the package name (for example, "Test").
- Change the approval setting to Immediate (Package Properties > Options tab).
Configure a Production Package
The second Windows update package will be for the rest of your environment.
Using a Manual approval setting gives you sufficient time for testing and ensures the Windows Updates don't reach any end users until testing is complete. However, if you know how long testing will take, you can instead use the Automatic approval setting with a set number of days.
- Download a second Windows update package.
- (Optional) Add identification to the package name.
- Change the approval settings.
Setting Up A Deployment Schedule
Now that you have two identical packages with different approval settings, you just need to set up a schedule. The schedule won’t deploy the new versions of packages until after approval.
Here is a video that walks you through establishing a schedule.
To ensure these packages deploy only to computers that actually need the update, link the schedule's targets to the PDQ Inventory Windows Update collections we discussed earlier.
Once you’ve created the schedules, the test package will be approved immediately after the update is released and deployed. You can then approve the production package for mass deployment to the rest of the organization once you are reassured no critical applications are affected.
What About Future Patches?
With this setup, the newest version of the Windows Update packages will auto download each month, and the scheduled deployment will only go out to the computers missing the update as defined in PDQ Inventory.
Good luck and godspeed.