Patches not being pushed to all computers in the filter

Created: 16 Aug 2012 | 6 comments

Hello,

I've set up a small filter with 6 computers in it, to receive a particular patch (MS12-032). I set a maintenance window and a patching window and scheduled the patch to run.

2 of the computers got the patch, but the other 4 didn't. When I look at the management agent on one of the computers that has not gotten the patch, I see the maintenance window scheduled, but the "Next Update Due At" shows Not Scheduled.

I refreshed all the filters and all the schedules to make sure they were applying to all of the computers in that filter, but the 4 computers are still not being updated. Connectivity does not seem to be an issue, as I can send configurations and receive inventory statuses from all 6 computers.

I'm using NS 7.1 and all 6 computers are running 2K8R2.

Has anyone seen this issue before?

Sergei Kljujev's picture

Hi Erica,

It is possible that some computers from the Patch Target filter will not receive the specified update. That could happen if the patch is actually not required for this computer. To verify this, you could check the Compliance by Bulletin report to see whether it contains those 4 target computers. There are three options: (1) computers are listed as having this bulletin Applicable and Not Installed, (2) the bulletin is not applicable, and the problematic computers are not listed in the compliance list for this bulletin at all, and (3) computers are listed as having this bulletin applicable and installed. Here are basic troubleshooting steps for each option:
1) The patch should arrive at the listed computers sooner or later. You can speed this up by running the Windows Task Scheduler task 'NS.Windows' (or 'NS.Microsoft', if you are running NS 7.0 or NS 6.0).
2) Either the vulnerability assessment has not yet run on those computers, or the patch is actually not applicable to them. Please check whether the vulnerability assessment is running on the problematic computers.
3) Somebody has already installed the patch, either through Windows Update or the patch solution itself, and therefore it will not arrive at this computer.

Some more specific issues include, but are not limited to: license node count exceeded (exceeded nodes cannot be patched). There may also be problems with receiving the right Configuration Policy for the Altiris agent: restart IIS on the NS server machine and try to refresh policies on the problematic clients again.

If the above information does not help, please contact us with more specific information about your environment: which version of Altiris Patch Management Solution you use, whether any rollups and pointfixes are installed, and any other additional information that you think would help to resolve the issue.

Best regards,
Sergei

Erica_Palmer's picture

Hello,

Following up here: The 4 servers that never got the patch package still haven't. They all successfully run Windows System Assessment Scan every night. Each one is still missing the patches included in MS12-032.

We are using Altiris patch management solution 7.1 sp2, and have 211 licenses left. I can't find logs for this period. I will try to grab them tonight, and post a copy for you to see what is going on at the time when the patches are supposed to be pushed.

Erica

Sergei Kljujev's picture

Hi Erica,

Just some additional checks that could possibly point to a root cause of the problem:

1. Are those problematic computers listed in Compliance Report for MS12-032 as Not Installed?

To check this, open Reports -> Software -> Patch Management -> Compliance -> Compliance By Bulletin; locate MS12-032 there, right-click on it and choose "View Not Installed Computers by Bulletin".

2. Are updates listed on problematic computers in Symantec Management Agent UI, Software Updates Tab?

3. Are updates of MS12-032 mentioned in InstallLog.csv file on Client, at C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\InstallLog.csv?

4. Which state is the Software Update Plugin in? To check this, please go to C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent, and run AexPatchUtil.exe /s. If the state is READY, SCHEDULED or REBOOT_SCHEDULED, it's OK; in case of NOT READY or other, please mention it in your next post.

5. Please ensure that all MS12-032 updates in the SWU Policy are enabled. To check this, go to the Software Update Policy in Patch Management -> Software Update Policies -> Your_Policy, open the Advanced tab and ensure that the checkbox is selected next to all of the MS12-032 updates.

Regards,

Sergei
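
Checks 3 and 4 from the reply above can be run against all of the affected computers at once; the script below is an added example, not part of the original thread and not Symantec's own tooling. It assumes PowerShell remoting is enabled on the targets, uses placeholder computer names, and assumes that `AexPatchUtil.exe /s` writes the state name as text to standard output.

```powershell
# Added example (not from the thread). Runs checks 3 and 4 on each computer.
# Assumptions: PowerShell remoting is enabled on the targets; the computer
# names are placeholders; AexPatchUtil.exe /s writes the state name to stdout.
$Computers = 'SERVER01', 'SERVER02', 'SERVER03', 'SERVER04'   # placeholders
$Bulletin  = 'MS12-032'

$check = {
    param($Bulletin)
    $dir  = 'C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent'
    $log  = Join-Path $dir 'InstallLog.csv'
    $util = Join-Path $dir 'AexPatchUtil.exe'

    # Check 3: count InstallLog.csv lines that mention the bulletin.
    $hits = 'LOG_NOT_FOUND'
    if (Test-Path $log) {
        $hits = @(Select-String -Path $log -Pattern $Bulletin -SimpleMatch).Count
    }

    # Check 4: plug-in state. Test NOT READY first, because it contains READY,
    # and REBOOT_SCHEDULED before SCHEDULED for the same reason.
    $state = 'UTIL_NOT_FOUND'
    if (Test-Path $util) {
        $out = (& $util /s 2>&1 | Out-String).Trim()
        if     ($out -match 'NOT[ _]?READY')     { $state = 'NOT READY' }
        elseif ($out -match 'REBOOT_SCHEDULED')  { $state = 'REBOOT_SCHEDULED' }
        elseif ($out -match 'SCHEDULED')         { $state = 'SCHEDULED' }
        elseif ($out -match 'READY')             { $state = 'READY' }
        else                                     { $state = "OTHER: $out" }
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        InstallLogHits = $hits
        PluginState    = $state
        StateOk        = ('READY', 'SCHEDULED', 'REBOOT_SCHEDULED' -contains $state)
    }
}

Invoke-Command -ComputerName $Computers -ScriptBlock $check -ArgumentList $Bulletin |
    Sort-Object Computer |
    Format-Table Computer, InstallLogHits, PluginState, StateOk -AutoSize
```

A computer that shows zero log hits together with an OK plug-in state has not been offered the update at all, which points back to checks 1, 2 and 5 on the server side.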

 

 

Rajesh Mhatre's picture

Hello Support,

We have Altiris 7.1 SP2 in place in our environment, and what we have seen so far is that the Altiris compliance report shows installed patches for the past month as missing.

When we deploy release patches in the current month we make sure that they are listed as 100% compliant.

Could anyone see this issue? Or I would appreciate it if you took a bird's-eye view of this issue.

Thanks
Rajesh

Roman Vassiljev's picture

Hi Rajesh

Have you checked that the updates that are currently shown as missing on some machines ARE installed on those machines?
Probably the configuration of the machines has been changed and some bulletins are detected as missing again.

If the updates are really installed but are still shown as missing in Compliance reports, could you please run the Windows System Assessment Scan on an affected client and attach the output files from this client (STPatchAssessment.xml and STPatchAssessment.log). These files are usually located at "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\"
Also, it would be great if you provided an example of such an update.

Thanks,
Roman

mmathews's picture

I have 7.1 sp 2 mp 1.1 installed. We are experiencing the following:

Clients are showing vulnerabilities in the Compliance by Computer report. Using RAAD 2.0, I can connect to the machines, force patch inventory from the Patch tab, and force a patch cycle. The missing patches begin processing and show up/install. This has been an ongoing issue, not with one particular patch, but has happened every month since August.

I would be grateful for any ideas or help. Seems similar to the above issues.