SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler service to DISABLED to prevent it from starting' END AS ServiceCheckFROM servicesWHERE name = 'Spooler' AND (status = 'RUNNING' OR start_type != 'DISABLED')
The first query was a copy of the canned script, "Services installed on the device", which looks like
SELECT name, display_name, start_type, path, status, user_accountFROM services
To which I added the WHERE line. The example from our query desk https://news.sophos.com/en-us/2021/07/01/printnightmare-vulnerability-what-to-do/ inspired to add suggestions for actions.