Check Registry For ZeroLogon Vuln Status
This procedure checks to see if machines have had the Microsoft patch installed to protect machines from the ZeroLogon exploit.
Microsoft have released a number of patches that address this issue - August Cumulative update, September Cumulative update, August Security Only Update and so on.
This agent procedure checks for the existence of a specific registry key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
Regardless of the patch type that is installed, this key is created by the patch that addresses this issue.
This agent procedure will update a custom field called "zeroLogonVuln" with 4 possible options:
"Vulnerable" - The registry key does not exist, so the machine has not received any patch that addresses this issue
"Patched - 0" - The registry key was found, and currently has the value 0
"Patched - 1" - The registry key was found, and currently has the value 1
"Unsupported OS" - If the agent is not a Windows OS, you will see this message.
Microsoft is releasing this patch in 2 parts. The first part creates the registry key and sets the value to 0. They aim to then release a later patch, currently targeted for February 2021, which will set this value to "1".
Further information can be found here - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
The procedure will also create an Agent Procedure Log entry, starting with "zeroLogonResult: ".
Using the Custom Field, you can filter machines in the interface and use the agent procedure log entry to report.
NB. This procedure makes no changes to the endpoint - it simply reads a registry value - there are no files to be delivered or modifications to the endpoint.
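The same read-only check as a standalone PowerShell function, added here as an illustration and not the agent procedure itself. The function name Get-ZeroLogonStatus is hypothetical; it returns one of the four statuses described above and prints a line in the "zeroLogonResult: " log format, but does not update any custom field.

```powershell
# Added example: the function name and structure are assumptions, not the agent procedure's code.
function Get-ZeroLogonStatus {
    [CmdletBinding()]
    param()

    # $IsWindows only exists in PowerShell 6+; Windows PowerShell (Desktop edition) always runs on Windows.
    $onWindows = ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows
    if (-not $onWindows) { return 'Unsupported OS' }

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name = 'FullSecureChannelProtection'

    # Read-only lookup; a missing key or missing value yields $null instead of an error.
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Vulnerable' }

    # Values 0 and 1 produce the "Patched - 0" and "Patched - 1" statuses.
    return "Patched - $($prop.$name)"
}

$status = Get-ZeroLogonStatus
Write-Output "zeroLogonResult: $status"
```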
Running this returns errors "Failed THEN in step 5 line 13" when running it.
@Burton Steele
Please create a Custom Field called "zeroLogonVuln" as type "String" and the Agent Procedure shall work.
Importing the XML doesn't work. It shows "File not Uploaded."