Patch Microsoft MS12-063 (KB2744842) not applicable

Created: 24 Sep 2012 | 10 comments

Hi,

We have Altiris Patch Management Solution 7.1 SP2, with about 500 machines registered in the Symantec Management Console. We need to distribute the patch named in the subject, but the system says that it is applicable only to 5 machines.

I am sure that more than 5 machines require this security update. How can I proceed? Is there any way to modify the "applicable rule"?

Thanks in advance

andykn101's picture

Are you sure your Patch Inventory has caught up? Isn't this a new patch?

I don't think the Rules are visible in the latest version of Patch Management; it doesn't use the Detection and Applicability Rules that Software Management does, like it used to.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

gmirabella's picture

I'm pretty sure; the patch showed up in my Patch Inventory after I downloaded the last bulletins. Can this be a problem with the bulletin itself?

The Company has requested the application of this patch; how can I distribute it to the clients, if only 5 machines are "applicable"?

andykn101's picture

Sorry, I meant the inventory that patch management does of your clients. Perhaps that hasn't caught up yet. Check your event queues; c:\programdata\symantec...

Roman Vassiljev's picture

Hello gmirabella,

Please verify that the Windows System Assessment scan has been executed on the affected machines AFTER the last PM Import was executed and vulnerability results sent to NS. You can check it using the Windows System Assessment Scan Summary report (Reports > Software > Patch Management > Diagnostics > Windows System Assessment Scan Summary). This report shows when the last patch inventory was received from all managed computers.

If the report shows that the last patch inventory for all machines was received after the last PM Import, could you please try to identify a machine where this update has not been detected as applicable or vulnerable, but you believe it should be. Provide us with the assessment log from the machine where the issue is observed.
Go to the directory C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\
and attach 2 files: STPatchAssessment.log & STPatchAssessment.xml

Thank you,
Roman
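
Added example (not part of the original thread, and not Symantec tooling): the comparison described in the reply above, applied to a list of machines. It assumes the Windows System Assessment Scan Summary report has been exported to CSV; the column names, computer names, timestamps and the PM Import time are all constructed for illustration.

```powershell
# Constructed sample standing in for an export of the scan summary report.
# Column names are assumptions, not the report's real schema.
$reportCsv = @'
Computer,LastPatchInventory
PC-001,2012-09-24 08:15:00
PC-002,2012-09-05 12:10:00
PC-003,
PC-004,2012-09-25 06:40:00
PC-005,2012-09-10 09:30:00
'@

# Assumed completion time of the last PM Import (placeholder value).
$lastPmImport = [datetime]'2012-09-21 02:00:00'

function Get-PatchInventoryState {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [datetime] $ImportTime
    )
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.LastPatchInventory)) {
            # No patch inventory has ever been received from this machine.
            $state = 'NeverReported'
        }
        else {
            $seen = [datetime]::ParseExact($row.LastPatchInventory,
                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            # A scan older than the import was evaluated against old patch data,
            # so newer bulletins cannot show as applicable for this machine yet.
            $state = if ($seen -lt $ImportTime) { 'StaleBeforeImport' } else { 'Current' }
        }
        [pscustomobject]@{
            Computer           = $row.Computer
            LastPatchInventory = $row.LastPatchInventory
            State              = $state
        }
    }
}

$results = Get-PatchInventoryState -Rows ($reportCsv | ConvertFrom-Csv) -ImportTime $lastPmImport

# Counts per state, then the machines that still need a fresh assessment scan.
$results | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.State -ne 'Current' } | Sort-Object State, Computer | Format-Table -AutoSize
```

Machines in the NeverReported and StaleBeforeImport groups are the ones whose applicability count for a newly imported bulletin cannot be trusted yet.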

gmirabella's picture

Hi Mr. Roman Vassiljev,

this morning the machines with the applicable status were 180 instead of the previous 5. I think that you're right, some machines didn't send the patch inventory.

Is there a way to force it?

I'm sending you a log for a machine that has never sent the Patch Inventory (I can see it in the System Assessment Scan Summary, as you said). Like this one, about 150 didn't send the patch inventory, and another 200 sent it a couple of weeks ago. I can't understand the difference between those 350 anomalies and the other 180 that have sent it correctly.

Thank you,

Gianpiero.

Attachments:
STPatchAssessment.log_.txt (623.21 KB)
STPatchAssessment.xml (47.57 KB)

Roman Vassiljev's picture

Hello Gianpiero,

Thank you for the attached files.
According to these logs, Windows System Assessment Scan has not been executed since 2012/09/03 12:00:03.
The last time the scan was executed, it was based on old Patch Data 7.1.330.

I can advise you to check the following:

1. Verify that the Software Update Plug-in is installed and works on the affected machine. To check that the plug-in is working, please go to C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent and run AexPatchUtil.exe /s. If the state is READY, SCHEDULED or REBOOT_SCHEDULED, it's OK; if the state is NOT READY or something else, please mention it in your next post.
2. Check that the Windows System Assessment Scan policy is working on the affected machine. Open the Software Delivery tab in Symantec Management Agent and find the Windows System Assessment Scan policy; it should be scheduled for its next run (by default it is scheduled to be executed every 4 hours in the policy settings, "NS console: Settings > Software > Patch Management > Windows System Assessment Scan"). If the policy is Disabled or has an unexpected status (the status should be 'Run Completed'), please mention it in your next post.
3. Check when the Windows System Assessment Scan tool package was last downloaded: open the Software Delivery tab in Symantec Management Agent on the affected machine and double-click 'Windows System Assessment Scan policy'. Open the Download History tab and check the time of the last successful download (the Windows System Assessment Scan tool package should be re-downloaded after importing new Patch Data, that is, after the PM Import task has been executed).
4. Check that the license count is not exceeded.

Thank you,
Roman

gmirabella's picture

Hello Roman,

first of all thanks for all your help.

1. The Plug-in is correctly installed and the state is READY for all the machines.

2. On the NS, the policy is active and (as you can see in the attachment) it is scheduled to be executed every 23 hours (that's good for me; I guess that the only way to force it, for example, is to set it to 1 minute). However, I can't see the status (where I should see "Run completed").

3. On some machines the Windows System Assessment Scan tool package downloaded correctly; on others (for example the machine linked with the previous attachments) I can't see the download and I can't tell you why.

4. The current license count is 355/4000.

Thank you so much,

Giampiero.

Attachment: windowsassessment.jpg

Roman Vassiljev's picture

Hello Giampiero,

I have attached a screenshot from Symantec Management Agent, where you can check the policy status.

You may force execution of the assessment scan with one of three options:
1. Select the Windows System Assessment Scan policy in Symantec Management Agent on the client and click 'Windows System Assessment Scan' under the Application Tasks pane (see attached screenshot).
2. Start the patch task from the NS console: navigate to Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > 'Run System Assessment Scan on Windows Computers'. Start the task on any managed machine where the Software Update plug-in is installed.
3. Navigate to C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent on the client machine, and run AexPatchUtil.exe /I

BUT in order to get correct results, the latest Windows System Assessment Scan package should be downloaded to the client when the assessment is started. The Windows System Assessment Scan package is downloaded automatically as soon as the Symantec Management Agent configuration is updated after a new Patch Data import task has been executed.

Please try to update the configuration of Symantec Management Agent (Settings > Update), select 'Windows System Assessment Scan policy' in the agent (see attached screenshot) and click Download from the 'Package Tasks' pane. The latest package should be downloaded, if it is needed, from NS or PS.

Thanks,
Roman

Attachment: WSAS.jpg

Charlie D Tran's picture

Hi Roman, my name is Charlie, working for DOC/USPTO. We have Altiris Patch Management Solution 7.1 SP2, with about 4000 Windows servers registered in the Symantec Management Console. I've been running pilot testing before going to production. I am new to this community, and I don't even know how to start my questions in a forum like this. I came across Giampiero's questions to you, and thought that I would cut in, hoping to ask my questions and get answers from you. You seem very confident and expert in this area. Please help.

We have had a variety of issues in our last 9 pilot tests, as follows:

1/ Can't install Altiris client agents on the target server (Windows 2008 RS, SP2), either by push from the Console or by manual pull of the Altiris client agents from NS. The error is "failed to down Symantec Management Agent"

2/ Successful status for the push of the Altiris client agent to the target server (Windows 2003), but no Altiris client agents found on the target server

3/ One or two servers in the same server groups failed the scheduled updates (October KB2724197).

I am frustrated that I can't do much to troubleshoot the issue; management can't get the green signal to take Altiris updates to production since October 1, 2012.

Would you please be so kind as to help out or point me to the answers? Once we're set, I am willing to provide all snapshots and any other logs/configuration to you for your review.

Thanks so much. Charlie.

Roman Vassiljev's picture

Hi Charlie,

For question #3, could you please create a separate topic in the Patch Management Solution forum about your issue, with a detailed description of the problem:
What version of Patch Data is used?
What OS (including Service Pack, bitness) is installed on the affected servers?
What is the name of the failed update?
What exit code is shown after the failed installation?
Did you try to start the installation manually on the affected machine?
Please attach STPatchAssessment.log & STPatchAssessment.xml from the affected machine; they are located at "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\"

I don't have an answer for questions 1 & 2, but I would recommend first searching for similar topics; probably someone has had the same issues and has found a solution. If you cannot find something useful, please create separate topics for your issues related to Symantec Management Agent in the appropriate forums, i.e. Altiris Client Management Suite - https://www-secure.symantec.com/connect/endpoint-management/forums/client-management

Thank you,
Roman