I tried my best to get the Lansweeper report out as soon as possible for everyone, so here is the July 2021 Patch Tuesday Report. Complete with color-coding to quickly check which machines have the updates.
I was looking for the automated Patch Tuesday thread, I guess the bot broke.
Regardless, you can find my usual summary here. Biggest headlines are the Exchange issue which is actively exploited and a Windows Defender RCE for which you might want to do a double check that they are all auto-updating as they should be.
Hi. I have zero knowledge about stuff like this, but was curious because my kids bring home chromebooks from school that I know have monitoring software also. I just haven’t checked what it is, like you have 😅 anyway, I just did a quick Google and it looks like lansweeper is a defunct software that doesn’t do much of anything.
“Although the name would suggest otherwise, LsClient was not a true client or scanning agent. It was an executable that, when run on a Windows client machine with specific parameters, would send a request to your Lansweeper scanning server to scan the client machine.”
Here’s the link to their site: https://www.lansweeper.com/knowledgebase/lsclient-parameters/
So another 2 Print Spooler vulnerabilities on top of the 2 we already had the last 2 months. 4 RCE vulnerabilities in 2 months must be some kind of record right?
Anyway, as usual, I've done a writeup with a report so can check what's included and which machines have been updated.
We created a simple report to get a quick overview of all potential vulnerable devices in your network. You can find it in this forum post.
IE is getting removed from Windows 10 in June of 2022, so... either way, you need to fix it.
Here is my overview of Patch Tuesday September along with a the usual report to check update progression.
Print Spooler vulnerability 6,7,8,9 and 10 got fixed, most noteworthy the one that was disclosed the day after last month's PT. We'll see how long it lasts this time.
Also it's the last day of our Sysadmin day giveaway, so don't forget to enter to reward yourself for all the good you do for others.
My summary in the monthly Patch Tuesday blog is ready along with the usual report to list the update status of all Windows devices. Two new additions this month due to the release of Server 2022 and Windows 11.
Excuse me, do you have a moment to talk about our lord and savior, LanSweeper?
https://www.lansweeper.com/
Free for less than 100 assets, also includes a ticketing system.
Hope that helps.
We've published our monthly patch report to help everyone keep an overview of their patching progress. Any questions or feedback are welcome ;)
I'm betting that "echo" is their client/agent. Here's the intro page from the support knowledge base. It's likely not nefarious, and in my experience LanSweeper doesn't collect much if any personal information or usage tracking type data, just metrics and telemetry on the computer itself. It's primarily an inventory tool, not a monitoring tool.
Here is the Lansweeper blog post + audit report to check the update progression. Let's hope all our emails still arrive/send post-update.
I don't have a whole solution for you, but here are some options:
Inventory/Software Deployment/Maybe Scheduled Tasks: Lansweeper https://www.lansweeper.com/purchase.aspx
Imaging: MDT
AntiVirus (take your pick)
Remote Desktop/Scheduled Tasks: GoverLan (I think it's $500 one time fee, but that might have changed)
I've created a blog post and most importantly and audit report to list all DCs and the Spooler Service state, and start mode to check if all your domain controllers are safe.
Not anymore
From the pricing page https://www.lansweeper.com/pricing/
>On your local networks, any device scanned by Lansweeper is considered an asset. This can be a Linux, Unix, Mac or Windows computer, VMware server or any other network device (printer, switch, firewall, etc.). Monitors are NOT counted towards the asset limit.
You have two options:
Issues that might occur when scanning different clients and putting it in one database is indeed with asset identification.For example, if two clients use the same domain\netbios, the Windows machines will start merging. A full explanation of how devices are uniquely identified can be found here if you're interested.
Another shout out for LanSweeper.
"Your Lansweeper installation allows you to upload blueprints/maps of your offices and place assets on them, so your employees can easily locate equipment. When an asset is placed on a map, you can click on its asset name to view its Lansweeper webpage and scanned data."
https://www.lansweeper.com/kb/114/placing-assets-on-a-map.html
LanSweeper can do most of this. I'm not a fan of their requirement to have a Domain Wide Account that has local admin to all machines. It's been requested to use something like LAPS but it hasn't had much movement it seems.
https://www.lansweeper.com/forum/yaf_postst15794_LAPS-managed-password.aspx#post53265
I've created a blog post and most importantly and audit report to list all DCs and the Spooler Service state, and start mode to check if all your domain controllers are safe.
If you're in a larger organization, we've created an audit for this Firefox version (also for the ESR version) so you can quickly identify outdated installations across your network and update them.
I use lansweeper to autodiscover and inventory everything. You can generate barcodes (QR) to print out for each asset in there to stick on the item.
​
https://www.lansweeper.com/knowledgebase/generating-qr-codes/
It's funny, because just yesterday I was reading about this: https://www.lansweeper.com/find-a-partner/8194/ - a solution which has been designed specifically for NHS organisations.
​
TBH £1/asset is good value. I tried PDQ but felt less flexible when it came to filtering quickly.
Jumping on after u/epsiblivion, here are some examples of reports he mentioned: https://www.lansweeper.com/news/how-much-disk-space-is-left-in-your-entire-network/
You can pick any of them and set-up an alert. They are also fully customizable so you can choose the % or GB remaining you want to be alerted at.
>>>>>I realise that I could create a topology to publish a scanning server of our own to the internet, but for various reasons (that I'll not go into here) that is less than desirable.>>>>>>
This is THE shortest distance between two points, and works perfectly.
I wonder if you couldn't spin up another instance of Lansweeper in the cloud and use a persistent VPN connection to aggregate your data?
https://www.lansweeper.com/knowledgebase/setting-up-an-installation-with-multiple-scanning-servers/
In the throes of desperation I tried a hail mary - and it worked. I used This script from this article to try and repair the WMI. It did not succeed because the IP helper service refused to stop. I then ran it in Safe Mode and it worked! WMI is fixed and I managed to promote my second server to a DC. Now all that remains is to transfer the FSMO roles.
Lansweeper. Push thee config back to server at logon.
Type username into Lansweeper and it tells you where they are logged on.
Can work externally using LSAgent. See: https://www.lansweeper.com/download/lsagent/
They are wrong. That’s extended support, which you pay millions for.
https://www.lansweeper.com/news/are-you-prepared-for-windows-7-end-of-life/
https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020
We've created an audit for all Firefox versions in your network so you can quickly identify vulnerable machines and help with patching.
Pretty much what SPedraza93 has said. My issues were Windows Firewall related. They also have a connection tool you can run against an endpoint to troubleshoot. https://www.lansweeper.com/knowledgebase/how-to-troubleshoot-devices-with-the-device-tester/
Not that I'm aware of, but lansweeper should be able to generate this for you pretty easily.
Did you spend 20 seconds googling this at all? Lots of hits on the lansweeper forums on how to do this.
https://www.lansweeper.com/knowledgebase/creating-and-adding-custom-fields-to-ticket-types/
Long story short: CONFIGURATION > TICKET CONTENT. Under "Ticket custom fields", create your new category and sub-category. Once those are created, under "Ticket types", select "Alter Custom Fields". Under "Selected", find your new category. Under "Available" find the sub-category and drag it to the right to your new category.
I use ScreenConnect (now Connectwise Control) all the time for this. Recently did a trial of Lansweeper, it does WOL and you can run it for free in small environments.
LanSweeper has an Agent now, and if you are a paid user of LanSweeper you get access to their cloud relay server which will allow remote agents to push scan reports into your local database. It's pretty awesome.
If you would like be alerted about low toner levels, you can use Lansweeper's report alerts. Lansweeper will only send an alert if the report you selected has results.
You can use the built-in report "Device: Printer almost out of toner" in your report alert and schedule it every minute. Once a scan picks up that a printer is almost out of toner, you will be alerted within minutes. This kind of configuration gets you pretty close to monitoring.
I'm a little confused by your first paragraph--I couldn't figure out if you were trying to inventory all of your properties or your computers...
Anyways, we use Lansweeper. It will scan just about anything. Unfortunately, it's agent-less (which is actually a pro). However, as long as your computers are on the network at some point, Lansweeper will detect them and inventory them. It will report the last user of the machine as well.
I have a couple of tools I use - Lansweeper (https://www.lansweeper.com/) - is good for pulling info from machines, and I use opsview (https://www.opsview.com/) for monitoring/alerting.
The advantage of opsview over nagios is the setup and configuration time - half a day to completely monitor ~ 100 machines.
You can use our software: Device42 or numerous others like lansweeper to do the job for you. If you don't have budget here is a rough DIY approach:
I think that will give you a pretty good outline.
>this system does not give us the barcode scanning capabilities.
Really you can handle this with just about any platform. Typically you don't generate & print the barcodes yourself because you want them to be on a high quality label, usually metalized and/or visible tamper indication. So you order something like this from your vendor of choice & the barcode generation and label printing is taken care of.
As far as scanning goes (if you even want to do that), generally speaking USB/BT scanners function just like a keyboard, the barcode is just a macro of key presses, so you position the cursor in the right place & scan, you can generally configure your scanner with pre/post-scan key presses like [tab] & [return] as well.
That said, I've been using Lansweeper for Inventory management for years and love it. Both companies I have worked at that use it tag assets and record the asset tags in Lansweeper, but we don't scan the barcodes, cost/benefit isn't really there to give the help desk guys scanners. Lansweeper can generate printable barcodes, but like I mentioned above we order pre-printed tags from a third party.
The guys from lansweeper added a query on their forums to find the computers in your network that don't have one of the needed patches, incase anyone with lansweeper hadn't seen it yet.
Lansweeper users, here's a nice report which will show the machines that do not have the updates installed.
For the Windows side we use microsoft endpoint manager for our hardware/software deployments and Cisco Secure Endpoint for endpoint security on workstations.
For Ubuntu and macOS, I couldn't really help.
If you want extra visibility into your network, tie LAN Sweeper into your SCCM database and watch the info pour in.
Hope that helps!
https://www.lansweeper.com/report/windows-11-requirements-audit/
Knapp die Hälfte aller PCs in den Firmen nicht kompatibel zum Win11, besonders bei CPUs und fehlende TPM Chips aufm Board. Langfristig mal wieder bullish für Semis oder wird Win10 das neue XP?
Remote support and chat is my go to solution. I sit in a 3 story bldg, and field requests of "can you come here and help me?" all day.
It is much more efficient for me to connect remotely*, even across the bldg, fix your issue, and be gone, with as little interaction as possible.
Very little chance of saying something users won't understand at best or get butt-hurt because they mishear what fell out of my pie hole.
​
​
*LanSweeper index of TeamViewer ID's means I don't even have to ask for TeamViewer details.
The PrintNightmare Strikes Back. At this point, it might just be best to just leave the service disabled wherever possible.
Anyway, for the ones that need it, a Print Spooler report of all devices and the Print Spooler status and start mode setting.
If you start a Lansweeper trial you'll have 30 days where you're not limited. Here is a link for some more information too: https://www.lansweeper.com/feature/performance-counter-scanner/
Here is a link to some example reports you could use. They are fully customizable so you can finetune them to exactly what you need. https://www.lansweeper.com/report/?fwp\_search\_reports=performance&fwp\_report\_category=hardware-components
Might want to take a look at tailoring what objects lansweeper is scanning on (Lansweeper Scanning
Also, maybe turn off/change scanning event viewer items, as I’ve seen that cause spikes in cpu/memory consumption. Though in my experience, it’s normally always the scanning server that takes the pain of it over the actual devices being scanned.
I think the most time sensitive blog of the week is the VMware vCenter Remote Code Execution (RCE) Found + Report on outdated vCenter Servers
The second blog is something just in time for tomorrow which is: Microsoft SCCM 1910 Going End of Life. This blog also has an report with it which lists when your specific version of SCCM is going end of life.
I've created a blog, but more interesting a report to get an overview of the vCenter server in your organization along with their version, build number and whether they have been updated to the latest version that fixes VMSA-2021-0010.
You can find the blog + report here.
I've created a report to identify which assets have updated to the Office version with the EX255650 bug.
So if you do have Lansweeper, you can run that quickly so you know which machines in your environment have been affected.
I adjusted a PowerShell script so that it looks for the files and deleted them. In addition it also writes a log file with the action taken: https://pastebin.com/yAjDciSb
It is an extension of my Lansweeper blog and report to detect all machines with one of Dell's update software and after running the script and scanning the log file have an overview of which machines have executed the script.
For all Lansweeper users out there, you can run our custom audit report: https://www.lansweeper.com/vulnerability/microsoft-exchange-vulnerability-detected/
I don't have experience with Lansweeper but I do use MSSQL as data source in my grafana instance.
Lansweeper seems to have documentation on the table layout:
What I usually do is open up a SQL Server Management Studio session next to Grafana so I can inspect the tables and table layout and then craft queries from there. Once I get a result I think I can use, I copy it over to Grafana. Rinse, refine, repeat.
Hope this helps at least a bit.
Lan Sweeper has a switch port report
https://www.lansweeper.com/report/switch-ports/
With that and their inventory management you can figure out who it is by MAC,then just update your descriptions in the switch.
If you want more accurate data, your options are either using AD scanning (which scans a computer within 15min of logging onto the DC by default) or use the old agent (LsPush) which can be used with a logon script (so it scans during every logon).
Continuing on u/insertGrawlix comment, the month trial period should be enough time to sort most of it out. The switch port mapping will be most useful for you: https://www.lansweeper.com/feature/switch-port-mapping/
This will spare you from doing everything manually from from IP addresses to ports and machine names.
I've made a report based on Intel's microcode update guidance for so you can quickly check which systems in your network get and need a microcode update. You can find the report along with additional details in this blog post.
It has a basic help desk, but it's focus is really asset inventory and management. The inventory is above anything I've seen and being able to report in plain SQL is a real treat if your capable with SQL. After all the shitty visual editors that limit you in so many ways it's great.
If you want to get a little deeper into configurations for security check out:
https://www.lansweeper.com/knowledgebase/marking-users-as-authorized-administrators/
​
This can help if you restrict local admins at all.
If you only use Carbon Black you can set the configuration for AV in Lansweeper. Then the canned "AV" report should report correctly.
https://www.lansweeper.com/knowledgebase/managing-anti-virus-software-reports/
Otherwise I would look on the forums for reports for a "software report" that looks for a specific software, then use that report to get what you need. Lansweepers community has a ton of reports you can easily adapt.
​
This is one I use to look for systems missing our "AV"
​
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Firstseen,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblAssets.AssetID Not In (Select Top 1000000 tblSoftware.AssetID
From tblSoftware Inner Join tblSoftwareUni On tblSoftwareUni.SoftID =
tblSoftware.softID
Where tblSoftwareUni.softwareName Like '%ANTI-VIRUS PRODUCT NAME HERE%') And
tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName
Granted, if you want a nice visual network map Draw.oi will be better for the visual part. Lansweeper is focused on discovering the data. As far as maps go, location maps in Lansweeper allow you to add your assets onto a map to mark their physical location. Additionally, a switch asset page will display all connected devices per port.
As far as asset identification goes, this varies based on the device, for network devices such as printers or switches, the model and manufacturer is taken from the device's OIDs. In rare situations these can be incorrect, but that is why you can remap OIDs so that it will be correctly identified in the future.
Non-network devices are mainly identified based on which ports are open. For example, if you open port TCP 135 on a Mac, that could cause issues since that port is used for Windows identification.
I hope this clears some things up.
Thank you for the shoutout good sir.
As a bonus, if you scan your switches too, Lansweeper can tell you which ports are connected to which devices. This should help you with your network mapping.
Pricing is within your budget too. You can download it for free and use the trial to to try it out yourself.
Two tools we use all the time:
Slitheris: http://www.komodolabs.com/network-scanner-news/ Lansweeper: https://www.lansweeper.com
Slitheris is basically a more robust Angry IP scanner. It will give you a lot of info from just a non-intrusive network scan. Unless the internal IT has some aggressive network monitoring, they would not see it being run. It can only scan one /24 network at a time though, so if the network is not flat it requires more work.
Lansweeper can get you a lot of info about end points, if you have domain admin credentials. Like Slitheris it is an agent-less scan, but it won't give much info if Windows Network Discovery is disabled on the desktops.
For Windows computers, Lansweeper does indeed use Kerberos authentication.
For SSH credentials, you are also correct, Lansweeper will send the configured SSH credential to a device in your scanning target if it has the SSH port open. Usually people only scan their own network devices, so as long as your network is secure there is nothing to be worried about. If you are uncomfortable with this, you can choose to use a SSH certificate credential instead.
Lastly, if you want to read up a bit about how Lansweeper handles security, you can go over this article.
Just adding one side note. Support for multiple service email addresses in the help desk is being implemented in the next Lansweeper release. You can already try it out in the beta version.
Really like Lansweeper as well, but they might possibly be slowing development on the help desk stuff if you read this post on their community.
edit: typo
Should you be worried about it, we have a blog post with a report so you can quickly find all devices with hyper-threading enabled.
Thanks!
In addition, if you only have 30 computers, even if your trial period runs out, you could continue to use it (however, you'll be limited to 100 assets and lose some features). Software inventory scanning will still be included.
If you quickly want to find all outdated Chrome installations, we've created a report which you can find in our forum post.
We created a simple report to get a quick overview of all potential vulnerable devices in your network. You can find it in this forum post.
It doesn't pop up with a gui element with the argument; it's supposed to run silently in the background. The documentation for the exe is here: https://www.lansweeper.com/kb/24/how-to-scan-with-LsPush.html
While it may not be entirely what you're looking for, I use a tool called Lansweeper which may be worth looking in to. It scans my entire network and reports on all devices it finds. You can create custom reports with e-mail notifications for basically most things you can think of.
For instance, I get alerts when hard drives are filling up past a pre-defined point (15% free space for me), I used a Lansweeper report to get insight into how vulnerable I was for things like Wannacry and I'm scanning network ranges like 192.168 to find any rogue DHCP.
I pay 500 bucks a year and it's totally worth it for me.
I have been a fan of Lansweeper. If you get it setup with all of your workstations, all clientless and easy to deploy, and your switches it will autodetect what is plugged in where.
We just released our own step-by-step guide on how to use Lansweeper to scan your network for this vulnerability. It includes a deployment package and report so you can easily and quickly find the machines affected. You can find it here: https://www.lansweeper.com/blog/305/discover-devices-vulnerable-to-intel-sa00086.html
We just released our own step-by-step guide on how to use Lansweeper to scan your network for this vulnerability. It includes a deployment package and report so you can easily and quickly find the machines affected. You can find it here: https://www.lansweeper.com/blog/305/discover-devices-vulnerable-to-intel-sa00086.html
Depends on your budget, there is lansweeper on the lower end, Device42 a bit more expensive. And also, depends on how much details you want.
I'd probably have a look at this, if you did the default IISExpress, otherwise check IIS and confirm what ports are listing and modify the config accordingly to port 80 https://www.lansweeper.com/kb/55/How-to-change-the-port-number-in-IIS-Express.html
I use it on occasion. Through the web interface you specify a package to install and set commands. You can have it run a script and people have made the scripts on the forums where you can download them to use in your organization. https://www.lansweeper.com/forum/yaf_topics28.aspx. It is actually pretty easy to use.
Here is their link for the KB article for Scanning Credentials. https://www.lansweeper.com/kb/108/creating-and-mapping-scanning-credentials.html
As for using local credentials, you can use .\username like @bantzaroff stated in his post and it'll work fine. But you'll need to make sure the local creds are the same across the board or you'll be needing a lot of local creds setup.
You can also map credentials to specific IP locations, IP address(es)/Range, type of machine, and more.
Adding to this, you can also upload blueprints so you've got exact physical locations that can be easily looked up: https://www.lansweeper.com/feature/asset-location-tracking/
Thanks to the unique screwup, I took the time to update the Lansweeper report. Not often they manage to break all the OS versions.
Thanks for making the megathread!
Here is the Lansweeper summary including the usual report to verify update progress.
The highlights are an HTTP protocol stack RCE, Exchange RCE and Office RCE. There are a total of 98 fixes with 9 being listed as critical.
I would stand up LanSweeper, give it all the credentials, and let the software figger it all out for you.
This sounds like a cool use case, feel free to PM with questions.
check out LanSweeper
Asset management, helpdesk ticketing system, license tracking and compliance, software installs/uninstalls, reporting and analytics, etc...it's all there.
LanSweeper should fit the bill. Instead of multiple products, utilize all of the features, helpdesk, software installs (and uninstalls), reporting, analytics, license compliance, event log monitoring, knowledgebase, switch/network topologies, cloud asset management, the whole nine yards, it's all there, on your phone.
Second month in a row it seems to be missing...
Lansweeper's overview can be found here along with the usual report to mange your patching process. This month I added a extra report for the iSNS vulnerability, that should make it a piece of cake to find servers with iSNS enabled.
>I also find I can't open a copy of this .dmg file I have stored on a backup drive. WTF?
This seems like a Monterey bug:
https://www.reddit.com/r/macsysadmin/comments/qrbxxs/encrypted_dmg_issues_in_monterey/
I also found another link about corrupted disk images in Monterey:
This post indicates that mounting from Terminal (using hduutil attach something.dmg
) might be a temporary workaround. Maybe give that a try?
I haven't dealt with that personally but it seems its possible: https://www.lansweeper.com/solution/it-network-inventory/#:\~:text=one%20click%20away.-,Scan%20Off-site%20Computers,-Lansweeper%20enables%20you
Look into an IT asset management system. Lansweeper is free for limited devices (100) and pretty straight-forward to set up. It'll pull any information from networked Windows devices available via WMI.
Alternatively, you can pull the information from PowerShell:
Get-CimInstance -ClassName Win32_DiskDrive | Select-Object Model, SerialNumber
If you have PowerShell remoting enabled in your environment, you can run it against remote PCs:
Invoke-Command -ComputerName REMOTE_HOSTNAME -ScriptBlock { Get-CimInstance -ClassName Win32-DiskDrive | Select-Object Model, SerialNumber }
We've updated the report to include a check for the patches released by Microsoft.
I'm not sure if a single solution will check all your boxes. There is a Lansweeper - License Dashboard integration which might fill the gaps you are missing.
This week there were 2 noteworthy items to highlight.
First a critical vulnerability in VMware's Carbon Black App Control along with a few other VMware software including VMware Tools. A small blog but primarily an audit report to find affected machines.
The second one this week is related to Dell's SupportAssist. A feature called BIOSConnect has a major vulnerability in it that affects the BIOS of 128 Dell models. Find out more in the blog post + audit report.
In addition to that, I have created a report for to identify if there are any of the Intel utility software tools installed in your network that have a vulnerability that was disclosed.
The blog post also has a link to the general CPU overview report if you just want an overview of all CPU models in your environment.
If you have any questions, feel free to shoot. Since you already know of Lansweeper, you can easily setup your trial and explore it yourself.
Specific for MSPs, we are working on a new cloud-based interface which allows database aggregation and advanced access control (for multi-tenancy), also an API for integrations. So you can also ask to get early access to it.
First blog is regarding the FragAttack vulnerability that was disclosed some time ago. Included with it is a report on how to check for DNS changes in your IT environment to detect possible DNS injections.
Second blog of this week is a short one regarding the latest Firefox 89 & Firefox ESR 78.11 releases. As usual, it also contains a report to check if your orgs environment has been updated.
Here are a few things:
We've created a extra report to identify which assets have updated to the Office version with the EX255650 bug.
I'll do my best to describe the Patch Tuesday report and how it works.
Basically, I provide a list of cumulative and security updates that are released in a month to the report. Based on that list, it checks whether those specific patches are listed on each machine.
You can find the list of patches at the bottom of the query:
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID Where tblQuickFixEngineeringUni.HotFixID In ('KB4601360','KB4601366','KB4601347','KB4601363', 'KB4601348','KB4601357','KB4601384','KB4601349','KB4601331','KB4601318','KB4601354', 'KB4601345','KB4601315','KB4601319')) As SubQuery1 On tblAssets.AssetID = SubQuery1.AssetID
I did at some point create an example of how to create this report for the last 3 months: https://www.lansweeper.com/forum/yaf_postst17094_Patch-Tuesday-report--last-3-months.aspx#post57400
Hope that helps.
P.S. The last two months the report have been different since I was trying a new method, but we will be switching back this month to the old trusted version.
I don't have any Linux machines to speak of but if Lansweeper performs on Linux like it does on Windows, this is the way.
https://www.lansweeper.com/knowledgebase/how-to-scan-linux-computers/