I've been active in the community for a few years now but have never really posted in the forums. I've put together a script/remote monitor to address the latest RDP vulnerability from Microsoft and figured I've learned enough from the MSPGeek community it can't hurt to give some back. This first link is a SQL inject that will create a remote monitor on your "Service Plans\Windows Servers\Managed 24x7" and "Service Plans\Windows Workstations\Managed 8x5" groups. What groups it installs the monitor on are just defined on the inject with the GroupID so if you just look at the inject it's easy to change that GroupID to whatever you want before you run it.
!!!WARNING!!!! - You're running a SQL inject on your DB...this can be dangerous, proceed at your own risk. Read through the inject, make sure you're comfortable with what it's doing. This monitor is also live pulling a powershell script from MY github. This means if I decided to have a bad day and change the powershell script in my github to something malicious then I could effectively run my malicious code on ALL of your machines. I'm not malicious, but ya know...be smart, be safe! Feel free to host the powershell script at your own location and just swap the URL on the monitor. Lastly, I've tested this on several machines in my environment, but that doesn't mean there can't be an issue I haven't ran into yet. If you find a problem, let me know so I can fix it!
SQL Inject: https://github.com/dkbrookie/Automate-Public/blob/master/CVE/CVE-2019-1182/SQL/CVE-2019-1182_Remediation.sql
This script is outputting either !ERROR:, !WARNING:, or !SUCCESS: with details on the state of the install process. If you set the monitor alert template to create a ticket (I have it set to Default - Do Nothing so just change to what you want) it will output the Powershell results right into the ticket. The keywords from the script output above are to use in a state based remote monitor in Automate so this will go through what that looks like briefly.
The script checks the OS of the machine and figures out the correct KB number it needs to have installed to patch this vulnerability. Once it finds the right KB, it checks to see if the KB is installed or not. If it's not installed, it will install it with no reboot so this is safe to run mid-day. That means right from the monitor CHECK it is actually installing the remediation, so there is no separate script attached. The patch download/install is all self contained in the monitor check itself.
!FAILED: will only output if the machine is eligible to receive the CVE-2019-1182 patch and something in the script actually failed and needs attention
!WARNING: will only output if the machine is not eligible for the CVE-2019-1182 patch. The reason I've chosen the all managed servers/workstations groups is so you can highlight all of the machines quickly/easily in WARNING state that do not have this patch available to them. This would be a good time to use this as leverage to get your clients to upgrade some machines
!SUCCESS: will only output if the patch has been verified to be installed
The monitor will be named "CVE-2019-1182 Remediation"
The monitor runs every 4hrs but you can change this to whatever you want
FAILED state: Looks for the keyword "!ERROR:" from the powershell output
WARNING state: Looks for the keyword "!WARNING:" from the powershell output
SUCCESS state: Looks for the keyword "!SUCCESS:" from the powershell output