Forum Discussion

F5Team
Dec 29, 2023

APM windows KB posture checks

I would like to understand how the APM (posture check) Windows KB checks work exactly.

Based on the sample condition below, will the F5 compare all of the KBs, or any one or a few of them, to pass the connection successfully?

Expression: expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922" 

Is there any order in which the KB checks happen?

We observed an issue with a user unable to connect to VPN due to KB checks failing. The client machine had a few additional KBs compared with the access profile.

We still had common/matching KBs on the F5 and the client machine.

Later, once we added the additional KB on the client machine to the access profile, it resolved the issue.

3 Replies

  • The KB endpoint checks are performed on the client machine by using a Windows API to obtain the OS patch info, transformed into a list, signed, transmitted to APM, then verified with whatever expression you have set up. So all BIG-IP does here is obtain a simple text string.

    In your example you have:

    expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922" 

    Leaving aside the missing end square and curly braces, this is essentially 3 IF statements joined by an OR (||) operator, so there is no precedence here; it's just "X contains A or X contains B or X contains C". If X has A, B, or C, it'll match.

    It may be that X (session.windows_info_os.last.updates) wasn't being transmitted to BIG-IP correctly. In that case, you'll have to check the session variable viewer or logs to obtain the raw value of that session variable.

    There are also some rare cases where strings become malformatted due to our Tcl script interpreter, but this usually happens with non-ASCII characters.

    • F5Team

      Hi Lucas,

      Thanks for the update.

      Could you help confirm more details on the Windows API, and how it fetches the OS patch info and transmits it to APM?

      Would the API use commands similar to "wmic qfe list full / brief" or any other specific commands?
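To make the evaluation semantics from Lucas's reply concrete, here is an added example (not F5 code and not part of the thread) that simulates how an OR-joined `contains` expression behaves against the `session.windows_info_os.last.updates` string. The sample session value and the space-separated "KBnnnnnn" format are constructed assumptions for illustration; the real variable's layout should be confirmed in the session variable viewer as the reply suggests. The example also shows why extra KBs on the client cannot cause a failure, and a defender-relevant caveat: `contains` is a substring test, so a short KB number can match inside a longer, unrelated KB number unless you match whole tokens.

```python
import re

# Constructed sample value, NOT real APM output (layout is an assumption).
CLIENT_UPDATES = "KB123456 KB7891011 KB5034441 KB5033375"

# The three KB numbers from the expression in the original question.
REQUIRED_ANY = ["123456", "7891011", "3247922"]


def apm_contains_any(session_value: str, needles) -> bool:
    """Mirror of `X contains A || X contains B || X contains C`.

    Each term is an independent substring test on the same session
    variable; they are joined by short-circuit OR, so there is no ordering
    or precedence between KBs and any single hit is enough to pass.
    """
    return any(needle in session_value for needle in needles)


def matched_terms(session_value: str, needles) -> list:
    """Which of the required KB numbers the client actually satisfied."""
    return [needle for needle in needles if needle in session_value]


def kb_tokens_present(session_value: str, needles) -> list:
    """Stricter, whole-token alternative to substring matching.

    Pulls the numeric part of every 'KBnnnnn' token and compares exact
    identifiers, so '123456' does not match a client that only has
    'KB1234567'. This is an illustration of the pitfall, not APM's own
    operator.
    """
    present = set(re.findall(r"\bKB(\d+)\b", session_value, flags=re.I))
    return [needle for needle in needles if needle in present]


if __name__ == "__main__":
    # Two of the three required KBs are present, plus extra KBs: passes.
    print(apm_contains_any(CLIENT_UPDATES, REQUIRED_ANY))      # True
    print(matched_terms(CLIENT_UPDATES, REQUIRED_ANY))         # ['123456', '7891011']
    # Substring pitfall: an unrelated longer KB number satisfies `contains`.
    print(apm_contains_any("KB1234567", ["123456"]))           # True
    print(kb_tokens_present("KB1234567", ["123456"]))          # []
```

The first two calls reproduce the reply's point directly: additional KBs on the client are simply extra text in the variable and never make a `contains` term false, so a failure with a matching KB present points at the session variable not carrying the expected value (or carrying it in an unexpected format) rather than at the OR logic. The last two calls show the substring caveat a posture-check author should keep in mind when choosing KB numbers or writing a stricter expression.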