Report on when Machine was Last Patched

Here is a guide I wrote up on how to create a custom client setting to show the last time the machine was patched. You can create a pre- and post-action in your patch policy so that when the policy runs it also writes to the client setting when it was last patched. This guide will walk you through how to set it up.

https://www.linkedin.com/pulse/bigfix-report-last-patch-date-brad-sexton-xakfe%3FtrackingId=qV4fsdocRESwwv9dJ%2FMDkg%3D%3D/?trackingId=qV4fsdocRESwwv9dJ%2FMDkg%3D%3D


That’s a pretty neat approach, Brad, but I have to say it is limited to only when the machine was patched through BigFix. If there are any instances where administrators log in and install stuff manually/Windows Update/etc. (maybe as a troubleshooting step, or maybe it’s a patch that BigFix doesn’t currently support, or maybe the BigFix agent is not currently working), then the date would be off. I did write a property many years ago to extract the same thing from either the registry or the WMI Win32_QuickFixEngineering class, which in my opinion would be a lot more accurate, but the caveat is that it may be a heavy property to evaluate. Granted that I haven’t used/re-checked this property since, but as far as my server administrators tell me it is still working; feel free to test it.

Alternatively (as a way to avoid the redundant evaluation performance hits), maybe the pre-/post-scripts that you highlighted can have “sync” functionality to the OS: run a similar approach to check if the data they hold as a client setting is different from what the OS has, and if it is, “sync” them; if they are the same, skip it.

(((day_of_month of it as string & "-" & month of it as three letters & "-" & year of it as string ) of date (local time zone) of it) of maximum of ((if (((it starts with "win2008" and it contains "r2") or it starts with "win2012" or it starts with "win2016") and (exist wmi whose (exists selects "InstalledOn from Win32_QuickFixEngineering" of it) | False)) then (maximum of ((((following text of first "/" of preceding text of last "/" of it & " " & (month(preceding text of first "/" of it as integer)) as three letters & " " & following text of last "/" of it) as date as string & " 00:00:00 " & local time zone as string) as time) of string value of it) of selects "InstalledOn from Win32_QuickFixEngineering where InstalledOn IS NOT NULL and InstalledOn != %22%22" of wmi) else (nothing)); (maximum of last write times of keys whose (name of it contains ".KB" or name of it contains "_KB" or name of it starts with "KB") of keys( "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\";"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Hotfix") of (registry; native registry)))) of (name of operating system as lowercase)


Highlighted similar things -

I appreciate the suggested solution by Brad, and I can see its potential value in creating a post-patch success report with a timestamp or informing the client about the last machine patched using BigFix. However, I’m inclined to explore an alternative approach that could potentially save time and effort by utilizing the following relevance to retrieve the “Last Patch Date” based on any applied patch, irrespective of whether the installer is BigFix or another tool or process.

Q: maximum of ("1 Jan 1601 00:00:00 -0000" as time + it * second) of ((item 0 of it * 4294967296 + item 1 of it) / 10000000) of (values "InstallTimeHigh" of it as integer, values "InstallTimeLow" of it as integer) of keys whose (name of it starts with "Package_") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry
A: Fri, 15 Dec 2023 11:54:47 +0530
T: 19.959 ms

Or combining both options, one for confirming the patching action specifically done using BigFix and recording the “BigFix Last Patch Date”, and another for capturing the exact date when any patch was applied, seems like a robust solution.

I’ve worked closely with patching teams in a variety of organizations, and nearly all of them use a combined approach. In these settings, a single post-patching script is used to record post-patching metrics in a file or client setting with multiple pieces of information. This information may include the date of the patch, the patching action/time/success/failure, etc.

On the other hand, they have also shared RPs that include the most recent patch date based on the MS OS feed.

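The Component Based Servicing relevance above works because each Package_* subkey stores InstallTimeHigh/InstallTimeLow, the two 32-bit halves of a Windows FILETIME (100 ns ticks since 1 Jan 1601 UTC). The following is an added example, not code from either post: it reproduces that conversion and the max-over-packages logic in Python against a constructed package table, so the arithmetic can be checked offline (the package names and times are made up).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point


def filetime_to_datetime(high: int, low: int) -> datetime:
    """Join InstallTimeHigh/InstallTimeLow into 100 ns ticks, then to a UTC datetime."""
    ticks = (high << 32) | (low & 0xFFFFFFFF)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime):
    """Inverse conversion; used here only to build the constructed sample below."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks >> 32, ticks & 0xFFFFFFFF


def last_patch_date(packages: Dict[str, Dict[str, int]]) -> Optional[datetime]:
    """Mirror the relevance: only Package_* subkeys count, keys missing either
    value are skipped (the relevance would fail on them), newest time wins."""
    latest = None
    for name, values in packages.items():
        if not name.startswith("Package_"):
            continue
        if not all(v in values for v in ("InstallTimeHigh", "InstallTimeLow")):
            continue
        when = filetime_to_datetime(values["InstallTimeHigh"], values["InstallTimeLow"])
        latest = when if latest is None or when > latest else latest
    return latest


def _ft(*ymdhms):
    """Constructed-sample helper: a UTC timestamp -> the two registry values."""
    high, low = datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))
    return {"InstallTimeHigh": high, "InstallTimeLow": low}


SAMPLE_PACKAGES = {  # constructed names and times, not read from a real machine
    "Package_for_KB0000001": _ft(2023, 11, 14, 9, 30, 0),
    "Package_for_KB0000002": _ft(2023, 12, 15, 6, 24, 47),   # newest: reported
    "Microsoft-Windows-Foundation": _ft(2024, 1, 1, 0, 0, 0),  # not Package_*: ignored
    "Package_for_RollupFix": {"CurrentState": 112},          # no install time values
}

if __name__ == "__main__":
    print(last_patch_date(SAMPLE_PACKAGES))  # 2023-12-15 06:24:47+00:00
```

On a live Windows host the same dictionary can be filled with the standard-library winreg module using KEY_WOW64_64KEY, which is the 64-bit view the relevance calls "native registry".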

What will be the relevance for a Linux-based OS for fetching the last patch dates? I need to create a relevance that, if the last patch date is more than 30 days old, says compliant, else non compliant, for Linux-based OSes.

Afaik there is no relevance for Linux. In my opinion you need to create a text file and create an analysis against this file.
Creating the file during the yum, zypper or whatever update might be the easiest way. Another approach might be a fixlet to create such a file, e.g. from the yum history command output.