
Random Patches Disabled in Patch Policies

Created: 08 Apr 2013 • Updated: 20 Apr 2013 | 8 comments
This issue has been solved. See solution.

In looking through our Windows Compliance by Bulletin, I am finding some odd behavior in our environment...

I will use MS12-054 as an example here:

A policy was created for MS12-054 back in August of last year and the compliance report is showing that 2,300 machines (out of 8,000) still have not installed the bulletin. I right clicked on the bulletin and looked at the report of the machines which have not installed it. When I look in that report at the KBs that each computer is missing, I noticed that the policy for that Bulletin has these KBs unchecked and they are red. Windows 6.1-KB2705219-v2-X86.msu is an example of a KB that is unchecked and red in this policy.

I don’t see where this patch has been superseded, and I have no idea why this would be unchecked. Are there reasons why a KB would become unchecked like this?

I am seeing a lot of Bulletins which have been out for a long time and displaying a similar behavior so I am assuming this is a bigger issue than this one KB or bulletin.

Our machines are rebooted frequently (we have a reboot-required application) and I don't see any other issues other than these KBs being disabled.

I appreciate your time.


Lery wrote:

Are you using Patch Management 6.x or 7.x?

In 7.x there is an option under the Jobs and Tasks section of your console: \Tasks\Jobs and Tasks\System Jobs and Tasks\Software\Patch Management\Import Patch Data for Windows:

Revise Software Update policies
Enable this option if you want the existing Software Update policies to be revised after the Import task has completed. Revising existing Software Update policies ensures that they are kept up to date with the latest files from the patch vendor, and fixes data integrity issues.

If you have the first option checked, Revise software update policies, when Symantec detects that a patch inside a bulletin has been revised, it will become disabled. This gives you, the administrator, time to test that specific patch to make sure the revision does not cause problems in your environment.

If you do not wish for that behavior to happen, you can check the box that says Enable distribution of newly added Software Updates.

Next, there is an automation policy that can be enabled to alert you when this action happens. That is located under Automation Policies and is called Software Update Advertisement Disabled.

If you're using Patch 6.x this behavior is still the same if you're using the Revise Software Update option on the PMImport section of your console. Unfortunately, you do not have the option to Enable distribution of newly added Software Updates.

Finally, it could be that when the software update policy was being created, the individual patches were unchecked.

J Henderson wrote:

Hi Lery,

I appreciate the long, detailed response. I am using Patch Management 7.1 SP2, MP1. I have all three options selected:

  • Automatically revise Software Update policies after importing patch data
  • Enable distribution of newly added Software Updates
  • Disable all superseded Software Updates

Which is what is leading me to my confusion. I am the only person who manages patch management in our environment, and I have not manually disabled any patches.

We did not have the Enable distribution of newly added Software Updates option selected for nearly a year, and I just selected that around a month ago. I was assured this option would go back and re-enable any past-date software update.

I appreciate any direction. Thanks.

Lery wrote:

J, do you have hierarchy in your environment? If so, I'm wondering if something funky happened there?

J Henderson wrote:

No hierarchy in our environment... I know, it's kind of bizarre.

I haven't ruled out the SMP gremlins, yet.

J Henderson wrote:

I had a case going with Symantec and they just admitted they were wrong... Enabling the 'Enable distribution of newly added Software Updates' option after the patch policy was created, will not go back and enable the old revised patches.

Their suggestion to fix was to disable all our patch policies, wait 7-10 days, delete the patch policies and recreate them after. Alternatively we could go into every policy and enable any KB that should be enabled (which would take longer than option 1, imo).

Anyone know of an easy way to disable policies in the database? You can't highlight multiple policies to disable or delete, so this is going to take a while if there is no way through the database.

Joshua Rasmussen wrote:

Hello J,

It is possible you spoke with a technician who did not fully understand the process. To clarify further: the process regarding the 'Enable distribution of newly added Software Updates' is working as designed, for it will only affect the Software Update Policies created after the check box is enabled on the PMImport, moving forward.

This process is not retroactive, for it will not go back and enable any disabled revised ("newly added") Software Update advertisements for existing Software Update Policies created prior to the check box being enabled.

Regarding existing Software Update Policies, there are the two options you detailed above, and in review of requests for SQL scripts made on this post, I updated KM: TECH40390 with the following assist for each method:

1. Manually work through each Software Update Policy > Advanced tab and re-enable each advertisement that still needs to be pushed out in the environment.

  • Added a SQL Report, which can be imported into the console and viewed to see which Software Update Policies have disabled advertisements, so the Admin is able to quickly view which policies have advertisements to be manually re-enabled.

2. Disable the SUP for 3-5 days and then it can be deleted. This is to ensure you do not get every targeted client throwing an error 'Item not found' in the SMP logs. Once all targeted clients confirm the change in status for the disabled policy, the SUP can be deleted.

  • Added a preliminary SQL script to display all Software Update Policies, with their respective Guid, and a secondary SQL script to disable the Software Update Policies by inputting their respective Guid, returned from the preliminary script, and running it against the database.

CAUTION: ensure there is a current backup of the database in place before running any SQL scripts that modify the product in this manner.

Please view the KM article, or the added Connect link, to obtain the scripts that assist with working through this product limitation. Feel free to post any concerns or feedback and I will be happy to help.

SOLUTION
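The two-step "list, then disable by Guid" procedure described in the solution above, written here as an added T-SQL example that is not the TECH40390 script or anything else from Symantec. The table name, the Enabled column and the Guid values are placeholders (assumptions); the point is the safety pattern a defender wants when bulk-editing a product database: target explicit Guids only, run inside a transaction, and roll back unless the result is exactly what was intended.

```sql
-- Added example; NOT the KM TECH40390 script. dbo.PLACEHOLDER_SoftwareUpdatePolicy
-- and its Guid/Name/Enabled columns are placeholders for the real CMDB object
-- named in the KM article. Take a database backup before running step 2.
SET XACT_ABORT ON;   -- any runtime error aborts and rolls back the transaction

-- Step 1 (read-only, "preliminary" script): list every Software Update Policy
-- with its Guid so the operator can pick the ones to disable.
SELECT p.Guid, p.Name, p.Enabled
FROM   dbo.PLACEHOLDER_SoftwareUpdatePolicy AS p
ORDER  BY p.Name;

-- Step 2 ("secondary" script): disable only the Guids copied from step 1.
DECLARE @Targets TABLE (Guid uniqueidentifier PRIMARY KEY);
INSERT INTO @Targets (Guid) VALUES
    ('00000000-0000-0000-0000-000000000001'),   -- placeholder Guid from step 1
    ('00000000-0000-0000-0000-000000000002');   -- placeholder Guid from step 1

-- Refuse to run if any listed Guid does not exist: a typo must not be silent.
IF EXISTS (SELECT 1 FROM @Targets t
           WHERE NOT EXISTS (SELECT 1 FROM dbo.PLACEHOLDER_SoftwareUpdatePolicy p
                             WHERE p.Guid = t.Guid))
BEGIN
    RAISERROR('One or more target Guids were not found; nothing changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

UPDATE p
SET    p.Enabled = 0
FROM   dbo.PLACEHOLDER_SoftwareUpdatePolicy AS p
JOIN   @Targets AS t ON t.Guid = p.Guid
WHERE  p.Enabled = 1;                     -- rows already disabled are left alone

DECLARE @Changed int = @@ROWCOUNT;

-- Commit only if no targeted policy is still enabled and we touched no more
-- rows than the number of Guids supplied; otherwise undo everything.
IF EXISTS (SELECT 1 FROM dbo.PLACEHOLDER_SoftwareUpdatePolicy p
           JOIN @Targets t ON t.Guid = p.Guid WHERE p.Enabled = 1)
   OR @Changed > (SELECT COUNT(*) FROM @Targets)
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Unexpected result; transaction rolled back.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;
PRINT CONCAT('Disabled ', @Changed, ' Software Update Policy rows.');
```

Run step 1 alone first; only paste Guids from its output into step 2, and keep the KM article's own script as the authority on the real object names.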
J Henderson wrote:

Wow, very helpful stuff Joshua. I appreciate you taking the time to write the SQL scripts, and replying to these posts! Thank you.

J Henderson wrote:

I ended up running the SQL script that Joshua wrote to disable all of our patch policies. Also, just to save some folks a few minutes... Don't delete each policy. You can click on the Patch Management, Software Update Policies, Windows folder, then select multiple policies and right click to delete.

I know there are some quirks with SMP, but I hope deleting them in this manner is OK.