Otto  background

Automox Worklet: Internet Explorer 11 "One-Click" Remediation for Windows

Connect With Us

Start now, and patch, configure, and control all your endpoints in just 15 minutes.

Microsoft announced it has released the Internet Explorer (IE) zero-day patch via Windows Update. We addressed the zero-day vulnerability that is tracked under CVE-2019-1367 in a recent blog post. This vulnerability allows for malicious remote code execution, where a bad actor can run code under the same permissions as the current user.

Initially, Microsoft released the out-of-band patch on the Microsoft Update Catalog, requiring users to manually download this patch. Now, this patch is actively available through Windows Update and Windows Server Update Services (WSUS) to distribute it more widely to end users.

With this patch release, you should be set to run your policies to make the necessary IE updates. However, if your policy update window is far out, we can help you make those updates quickly using Automox Worklets.

Automox Worklets to Patch Out-of-Date Internet Explorer versions

In our earlier blog post, we documented an Automox Worklet that allows you to quickly and effectively remediate a group of devices and ensure they are patched against this vulnerability. However, with so many different KBs for each Windows OS version in both 32- and 64-bit processors, it can be especially time consuming to remediate all of the different endpoints that you manage within your infrastructure.

Below we share an IE11 “one-click” remediation Worklet that remediates all of your Windows devices no matter the OS version or processor. This Automox Worklet evaluates the Windows OS version and the processor to determine which .msu file is needed to install the respected KB. Once the .msu file is determined then it will automatically download the file and install it on the device.

Currently, this Worklet only works for the IE11. You must use the previous Worklet shown here to remediate IE9 and IE10.

Automox Worklet: To check for out-of-date IE 11 versions and patch

Evaluation:

#Define KB Number and check for presence

#64-bit AND 32-bit KBs

$kbID1903 = 'KB4522016'

$kbID1809 = 'KB4522015'

$kbID1803 = 'KB4522014'

$kbID1709 = 'KB4522012'

$kbID1703 = 'KB4522011'

$kbID1607 = 'KB4522010'

$kbID1507 = 'KB4522009'

$kbIDwin7881 = 'KB4522007'#command to check if the KB exists on the device

$installed1 = Get-Hotfix -Id $kbID1903 -ErrorAction SilentlyContinue

$installed2 = Get-Hotfix -Id $kbID1809 -ErrorAction SilentlyContinue

$installed3 = Get-Hotfix -Id $kbID1803 -ErrorAction SilentlyContinue

$installed4 = Get-Hotfix -Id $kbID1709 -ErrorAction SilentlyContinue

$installed5 = Get-Hotfix -Id $kbID1703 -ErrorAction SilentlyContinue

$installed6 = Get-Hotfix -Id $kbID1607 -ErrorAction SilentlyContinue

$installed7 = Get-Hotfix -Id $kbID1507 -ErrorAction SilentlyContinue

$installed8 = Get-Hotfix -Id $kbIDwin7881 -ErrorAction SilentlyContinueif ( $installed1 -Or $installed2 -Or $installed3 -Or $installed4 -Or $installed5 -Or $installed6 -Or $installed7 -Or $installed8 ) {

   #Compliant, so Exit 0 as success

   exit 0

} else {

   #Non-Compliant, so Exit 1 as failure

   exit 1

}

Remediation:

#OS version and architecture evaluation to determine which command to run $osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId$windowsminor = [environment]::OSVersion.Version.Minor$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture$proxy = [System.Net.WebRequest]::GetSystemWebProxy()$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials$web = New-Object Net.WebClient$web.proxy = $proxy

#determine wusa.exe location to install properly on both 32-bit or 64-bit systemsif ((Test-Path $env:systemroot\SysWOW64\wusa.exe)){  $Wus = "$env:systemroot\SysWOW64\wusa.exe"}else {  $Wus = "$env:systemroot\System32\wusa.exe"  }#64-bit .msu files$url1903 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu"$url1809 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu"$url1803 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu"$url1709 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu"$url1703 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu"$url1607 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu"$url1507 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu"$urlwin7 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu"$urlwin81 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x64_917ea544f0fd5ede94f2088223d6f8638341a6f9.msu"$urlwin8 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu"#32-bit .msu files$url190332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu"$url180932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu"$url180332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu"$url170932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu"$url170332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu"$url160732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu"$url150732 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu"$urlwin732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu"$urlwin832 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu"$urlwin8132 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu"#installation of .msu files OS specificif (($osversion -eq '1903') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1903, "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu")        Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1809') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1809, "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu")        Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1803') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1803, "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu /quiet /norestart" -Wait -PassThru    }    elseif    (($osversion -eq '1709') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1709, "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1703') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1703, "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1607') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1607, "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1507') -and $osarch -eq '64-bit')    {$web.DownloadFile($url1507, "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1903') -and $osarch -eq '32-bit')    {$web.DownloadFile($url190332, "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1507') -and $osarch -eq '32-bit')    {$web.DownloadFile($url150732, "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1607') -and $osarch -eq '32-bit')    {$web.DownloadFile($url160732, "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1703') -and $osarch -eq '32-bit')    {$web.DownloadFile($url170332, "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1709') -and $osarch -eq '32-bit')    {$web.DownloadFile($url170932, "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1803') -and $osarch -eq '32-bit')    {$web.DownloadFile($url180332, "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu /quiet /norestart" -Wait -PassThru    }elseif    (($osversion -eq '1809') -and $osarch -eq '32-bit')    {$web.DownloadFile($url180932, "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu /quiet /norestart")        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '1') -and $osarch -eq '64-bit')    {$web.DownloadFile($urlwin7, "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu")     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '1') -and $osarch -eq '32-bit')    {$web.DownloadFile($urlwin732, "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu")     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '2') -and $osarch -eq '64-bit')    {$web.DownloadFile($urlwin8, "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu")     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '2') -and $osarch -eq '32-bit')    {$web.DownloadFile($urlwin8, "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu")     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '3') -and $osarch -eq '32-bit')    {$web.DownloadFile($urlwin8132, "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu /quiet /norestart")     Start-Process -FilePath $Wus -ArgumentList "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu /quiet /norestart /quiet /norestart" -Wait -PassThru    }elseif    (($windowsminor -eq '3') -and $osarch -eq '64-bit')    {$web.DownloadFile($urlwin81, "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu")     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu /quiet /norestart" -Wait -PassThru    }else {exit 1}

You can assign this Worklet to all of your Windows groups and execute the policy. You can also set the Worklet to run on a schedule like any other Worklet. The Worklet will evaluate to determine if the KB is installed on a device. If the KB is installed, it will do nothing. If it finds the KB is not installed, it will run remediation and install the KB.

If the Evaluation code determines the KB is installed on the device, you can know that the device is patched and protected against the zero-day vulnerability.

Tips for Creating an Automox Worklet

Before deploying an Automox Worklet to the production environment, we suggest testing this on a few devices to confirm its accuracy. If you have any questions, please contact our support team for technical assistance at support@automox.com.

For step-by-step instructions on creating the Worklet, see our user documentation: Create a Worklet.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic

loading...