Querying for and uninstalling evil KBs with PowerShell Remoting
You haven't enabled PowerShell Remoting yet? C'mon! Check out this blog post and this verbose guide (Secrets of PowerShell Remoting).
Leaving aside edge-case flaws, the PowerShell Remoting defaults follow good security practice: in a domain, authentication is Kerberos (the same mechanism used when you open an admin share, so no password crosses the wire), and the WinRM traffic is encrypted at the message level even over the default HTTP listener on TCP 5985. The caveat is that this holds for Kerberos/Negotiate only; if you fall back to Basic authentication (non-domain hosts, for example), the session is plaintext unless you put an HTTPS listener in front of it.
This past week, two KBs made news for causing BSODs. Although none of our systems (workstations or servers) had BSODs, we still wanted to get a grasp on where the KBs were installed.
In this case, the block starting with `get-wmiobject` queries the installed hotfixes (the `Win32_QuickFixEngineering` class) on each computer object in a given OU to check whether the two KBs are installed. A report is output to my desktop.
The block starting with `Invoke-Command` runs `wusa.exe /uninstall /kb:<number> /quiet /norestart` synchronously and returns once the given KB is uninstalled. Two things to watch: `wusa.exe` returns immediately unless you wait on the process, so check its exit code (0 means done, 3010 means the removal completes on the next reboot), and it creates a restore point only on client OSes where System Restore is enabled, not on servers. Before I did this, I took a look at WSUS to verify that the patch was pulled (and it was).
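The original post's two script blocks are not reproduced on this page, so the following is an added example of how the query and the uninstall fit together, not the author's own code. It assumes a domain with the ActiveDirectory module available on the admin workstation, PowerShell Remoting enabled on the targets, and an account that is a local administrator on them; the KB numbers, the OU and the report path are placeholders.

```powershell
# Added example, not the post's script. Placeholders: substitute your own KB IDs and OU.
$KBs        = @('KB0000001', 'KB0000002')                  # assumed: the two offending KBs
$SearchBase = 'OU=Workstations,DC=example,DC=com'          # assumed OU
$Report     = Join-Path ([Environment]::GetFolderPath('Desktop')) 'kb-report.csv'

Import-Module ActiveDirectory
$computers = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase).Name

# Step 1: ask each host which of the KBs it has. Running Get-WmiObject *inside*
# Invoke-Command keeps everything on the WinRM channel (Get-WmiObject -ComputerName
# would use DCOM/RPC instead). Invoke-Command fans out in parallel (ThrottleLimit 32).
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($KBs)
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering |
                 Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
} -ArgumentList (,$KBs)   # unary comma passes the array as one argument

$results | Select-Object Computer, KB, Installed |
    Export-Csv -Path $Report -NoTypeInformation

# Hosts that never answered (offline, remoting disabled) are not in $results;
# list them so the report is not mistaken for complete coverage.
$answered = $results.PSComputerName | Sort-Object -Unique
Compare-Object $computers $answered | Where-Object SideIndicator -eq '<=' |
    ForEach-Object { Write-Warning "No response from $($_.InputObject)" }

# Step 2: uninstall only where a KB is actually present. wusa.exe exits at once unless
# you wait on it, so use Start-Process -Wait and return the exit code:
#   0    = removed
#   3010 = removed, reboot required to finish (the usual case)
foreach ($group in ($results | Where-Object Installed | Group-Object Computer)) {
    Invoke-Command -ComputerName $group.Name -ScriptBlock {
        param($KBs)
        foreach ($kb in $KBs) {
            $num = $kb -replace '^KB', ''
            $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                     -ArgumentList "/uninstall /kb:$num /quiet /norestart" `
                     -Wait -PassThru
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $kb; ExitCode = $p.ExitCode }
        }
    } -ArgumentList (,@($group.Group.KB))
}
```

Because `/norestart` is used, a 3010 result means the KB still shows in `Win32_QuickFixEngineering` until the machine reboots; re-run the query block after the restart window before calling the cleanup done.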
Note that if you use WSUS, you can find the update, go to its Approval option and select Approve for Removal, which lets the agents uninstall it on their normal schedule instead of (or as a backstop to) the remoting run.