Answer

The Software Update Agent (SUA) Diagnostic leverages the local IAD rule cache, registry, agent files and the Windows Update client on managed Software Update agent client computers to assist Symantec support and customers in maintaining and troubleshooting SUA related issues in the environment.

The SUA Diagnostic utility provides the following functionality in the current release

o    Inventory Solution Integration to enable remote diagnostics to be performed across many systems and provide reporting facilities.

o    Lists all bulletins currently targeted to the managed computer via Patch Management Solution.

o    Resolves associated targeted rule GUIDs.

o    Resolves associated targeted SUA package GUIDs.

o    Reports associated targeted SUA package settings and status.

o    Reports status of targeted bulletins.

o    Leverages Single Rule Evaluator functionality to evaluate IsInstalled and IsApplicable rule evaluation results.

o    Reports results of last vulnerability analysis for selected rule.

o    Provides interface for evaluating single rules not targeted at the client via GUID.

o    Leverages Microsoft Windows Update client to provide listing of all bulletins targeted by Windows update which are applicable and not installed per Windows Update logic.

o    Generates a directory structure containing primary support information such as rule evaluation results, logging information, verbose rule evaluation logs and associated client policy information quickly and easily.

o    Provides simple access to client package directories and the PatchInfo gathered data.

o    Allows for single-click force update behavior.

o    Allows single-click execution of SUA inventories.

o    Allows single-click execution of SUA full Patch Cycle.

o    Identifies the effective SUA policy and server of origin.

o    Identifies SUA version.

o    Provides formatted report output.

System requirements

-   Notification Server 6 client

-   Software Update Agent

-   Microsoft .Net Framework 2.0

Basic Usage

1.    Download the attached SUA_Diagnostic_build.exe to system meeting requirements.

2.    Execute the package.

3.    Package will extract to the users temp directory or any directory selected in the self extractor and execute “.\ PatchManagementDataGather.exe”.

4.    From the “Bulletins Targeted To This Machine” dropdown menu, select the bulletin to be evaluated.

5.    Click “Evaluate Selected”

6.    Once evaluation completes, the “View Rule Processing Detail” buttons will be enabled and available for use and the data fields in the UI will populate with available information.

7.    All generated and gathered files will be stored in .\SupportFiles subdirectories.

8.    The standard consolidated report will be located in the .\SupportFiles directory and named Agent_Full_Report.txt.

Command line arguments for PatchManagementDataGather.exe

None – Standard UI with manual evaluation

/I       - Generate inventory NSI in the default inventory directory of the agent (.\Altiris\eXpress\Inventory) for standard agent diagnostic information.  This will include all agent settings and evaluation of all software updates targeted to the client.

/IS     - Same as /I with added Windows Update scan of the computer with separate NSI in the standard inventory directory.

Data Elements gathered

Global Agent

          Computer Name

          Agent GUID

          Notification Server

          SUA Version

          Effective SUA Policy

          Effective SUA Policy GUID

          Reboot Pending

          SUA Bulletins Targeted to this computer

Per Bulletin

Package Details

                   Bulletin Name

                   Update Name

                   Bulletin GUID

                   Package GUID

                   Package Status

                   Install ASAP

                   Force ASAP

                   Failed Application Count

                   Max Reapplication Retries Exceeded

                   Reboot Before Install Code

                   Force Reboot

                   Allow Immediate Reboot

Single Rule Evaluation

                   IsApplicable Rule GUID

                   SRE IsApplicable Rule Result

                   IsInstalled Rule GUID

                   SRE IsInstalled Rule Result

Last Vulnerability Analysis Results (Results from Standard Vulnerability  Analysis)

          Applicable

          Installed

          Superseded

          ToBeInstalled

          Windows Update Scan (Optional)

List of all applicable and not installed bulletins per Windows Update scan.

Inventory Solution Integration (Optional)

An additional option for this tool is to integrate the data with the standard inventory solution for use in troubleshooting. This step is optional.

When using the Inventory Solution Integration, all data elements handled will be uploaded to the Notification server and inserted to the database.  Example reports are included in the package.

Data tables created:

dbo.Inv_PatchDiagWUSScan – table containing all Applicable and Not installed updates per Windows Update scan.

dbo.Inv_PatchDiagData – All data elements except the Windows update data.

Inventory Solution Integration instructions

1.    Extract the contents of the attached package to the Inventory Solution Package directory on the Notification Server.  Typically, .\Program Files\Altiris\Notification Server\nscap\bin\Win32\X86\Inventory Solution.  Note:  The provided SUADiag.ini file will default to Inventory mode only with no Windows Update Scan enabled.  To enable Windows update scan in the inventory, the SUADiag.ini file will need to be edited to provide the /IS switch instead of the /I.

2.    Open Tasks > Assets and Inventory > Inventory > Windows > Inventory Tasks in the Notification Server console.

3.    Clone the Software Inventory task.  Name the new task “SUA Diagnostic Inventory”.

4.    In the newly created inventory task, click Go To Package

5.    When the Inventory Agent Package comes up, Select the Programs Tab.

6.    On the Programs tab, click New.  Complete the fields as follows:

Name – SUA Diagnostic Inventory

Command Line - AeXInvSoln.exe /cleanbeforerun /hidden /s SUADiag.ini

(Note: CleanBeforeRun is optional but recommended)

Starting window – Normal

Run with rights – System Account

Program can run – Whether or not a user is logged in

7.    Click Apply

8.    Click Update Distribution points

9.    Close the Inventory Agent Package, returning to the SUA Diagnostic Inventory Task

10. Refresh the browser window using the IE toolbar.

11. Using the dropdown menu for Program Name in the SUA Diagnostic Inventory task, select the SUA Diagnostic Inventory program from the package.

12. Select the target collection using the picker for Applies to collection.  (Please note: All targets should have the Software update agent installed, be managed computers and if using the /IS switch, must have direct access to the internet without being prompted for credentials.

13. Set schedule, enable task and click apply.

 NOTE: This is an unsupported tool and is intended to be used only as a resource.

Build History

08/25/2009  1.0.0056    - Initial Release

08/26/2009  1.0.0075    - Corrected "Bulletins Targeted To This Machine" input validation issue.

                                 - Added exception handling logic for machines with no targeted bulletins.

08/27/2009  1.0.0076    - Consolidated support files location. 

08/27/2009  1.0.0077    - UI enhancements.

08/27/2009  1.0.0078    - Relative path support and override default extraction location.

09/03/2009  1.0.0079    - Agent_Full_Report output creation and formatting.

                                 - Inventory Solution Integration for remote diagnostics data gathering.

                                 - Reporting capabilities with example reports.

                                 - Command Line handlers.