
Software Updates During Deployment

Created: 22 Nov 2012 | 11 comments
SaschaH's picture

Situation is the following. As the last step of deployment of new computers, patch management should install the majority of patches. For that we have 3 tasks doing the assessment scan several times after the setup of win7 and during the installation of default applications. In the end we only have 50/50 patched clients.

The clients show up in patch management compliance by computer, they also show the applicable updates in resource manager and the update policies under policies overview in the console.

What they don't do is show the updates in the client agent (at least 50% don't do it), and when we trigger the update cycle with AexPatchutil /Xa they won't install anything.

Things already tried include an extra inventory scan and triggering an update of the default software update plugin policy. During deployment the clients ask for configuration updates every 5 minutes (later normal 1h), so they should get policies in time. Patch Filter Update is set to 15 min. All in all that should be enough time.

Quite weird behaviour, does anyone know a scheme of software update plugin communication with the SMP? Just need to know how the client requests the policies or why the SMP is not delivering them.

Comments

Mistral's picture

It works like this:

- Run Assessment Scan (result is sent to SMP)

- Data must go to the DB (might take a minute)

- Patch Filters must be updated (up to 15 Minutes for you)

- Get the new policies (up to 5 Minutes for you)

- Now the required updates (applicable and not installed) should be seen in the Agent

- Installation is done at the remediation schedule (in the end there will run an Assessment Scan again)

- ... DB ... filter update ... get policies ... updates will be gone (not vulnerable anymore)

So might take a while if they missed the filter update.

SaschaH's picture

Well that sequence was all clear to me :)

It's just the part where the client gets the update list locally that makes me scratch my head, I mean from the logic it should be enough for the client to have a license, report the assessment and be in a policy.

It shouldn't be the missing filter or policy update as we run the assessment scan several times during the deployment, in between should be more than 1 Patch Filter and Policy update. Even so, in the console the updates show up for the client.

Edit: compared the times.. so the differentiator is the third assessment scan, it's a full scan either way, triggered by command line and not the prebuild task, need to check the logs of the failing clients..

| Jobs | Working | Broken |
|---|---|---|
| Start of the Job | 0:00 | 0:00 |
| First Assessment | 0:38 (15s) | 0:41 (15s) |
| Second Assessment | 1:01 (43s) | 1:04 (45s) |
| Third Assessment | 1:23 (3min33s) | 1:27 (50s) |
| Patch Cycle | 1:30 (45min38s) | 1:36 (2min54s) |

Bechtle – your strong IT partner. Today and tomorrow

If that seems to help, please "Mark as Solution"

Roman Vassiljev's picture

Hi SaschaH,

Please correct me if I am wrong. You have the following:
- Compliance reports show bulletins / updates that are applicable to affected clients but not installed yet.
- Software update policies for these bulletins are created and enabled, Updates within these SWU policies are enabled as well.

Considering that compliance reports show bulletins / updates for affected machines, I believe assessment scan is working correctly and is reporting to NS about required updates. So it looks like clients do not receive SWU policies.

Do the affected clients receive other policies (not related to Patch Management)?
Could you please double check that targets for required SWU policies really include affected clients?

Thanks,
Roman

SaschaH's picture

That's the weird thing, they get all policies that are not excluded (we have a global exclude filter to avoid policies interfering while using quick deliveries during deployment) besides the patch ones.

After more testing I come to the conclusion it is related to the assessment scan or the policy update of the client. I took out the other assessment scans, so only 1 assessment scan (Aexpatchutil.exe /I) plus patch policy update (AexPatchUtil.exe /C) is running late in the deployment.

Client has most software installed, does a reboot, runs assessment scan, reboots, starts patch cycle.

On the working system the task takes around 3min 30s, on the ones that are not working only 49s. So next step will be separating the two commands and see if /I or /C should take longer. Just a slow process which takes setting up a lot of new machines or cleaning out old ones.


SaschaH's picture

Update for the problem. So apparently the assessment scan is not always running. Error in Windows log is Event ID 10010: Server did not register with DCOM within the required timeout.

Anyone having experience with 10010 DCOM errors? Seems to be a broad topic.


Mistral's picture

Do you have file and print sharing services up and running? I think the scanner does need this.

SaschaH's picture

The dubious thing is it's running on 25 to 50% of newly installed machines. So nothing in general should be wrong with the client settings. Maybe some GPOs or other policies messing around with the system.


Roman Vassiljev's picture

Hi SaschaH,

So the initial problem was caused by failed execution of the assessment scan, right?
Could you please attach Agent log from affected machine captured when assessment scan is not working correctly?

Thanks,
Roman

SaschaH's picture

"12/5/2012 3:00:25 PM","Application exception caught: Patch assessment failed","BaseApplication::Run","AeXPatchAssessment.exe","3520"

"12/5/2012 3:00:25 PM","Message='Patch assessment failed' (ExitCode=4).","Utils::ApplicationException::ApplicationException","AeXPatchAssessment.exe","3520"

"12/5/2012 3:00:25 PM","HR=0x80080005, MSG='Shavlik::ShavlikPatchAssessmentImpl::OnInitialize()- Couldn't create Shavlik COM engine'","Utils::ComException::ComException","AeXPatchAssessment.exe","3520"

Again a COM Exception.. which fits with the DCOM Error.


SaschaH's picture

Interesting find. Will follow up with this when I'm next time on site. Maybe tweaking the COM settings like in the KB makes a difference. Else need to write a script to catch the error and restart the assessment scan after a sleep.

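The retry-after-sleep wrapper mentioned in the last post could look like the following; this is an added example, not code from the thread or from the vendor. It assumes that `AeXPatchUtil.exe /I` blocks until the scan ends and returns a non-zero exit code on failure, and it treats any Event ID 10010 logged during the run as a failed attempt; `$PatchUtilPath`, `$MaxAttempts` and `$DelaySeconds` are hypothetical parameters, and the path to the executable is not given on the page.

```powershell
# Added example: rerun the patch assessment scan when it fails to start.
param(
    # Full path to AeXPatchUtil.exe on the client (placeholder, not stated in the thread).
    [Parameter(Mandatory = $true)] [string] $PatchUtilPath,
    [int] $MaxAttempts  = 5,    # assumed value
    [int] $DelaySeconds = 120   # assumed value
)

function Test-DcomTimeoutSince {
    param([datetime] $Since)
    # Event ID 10010 in the System log: a COM server did not register with DCOM
    # within the required timeout. Any COM server can log it, so this is a hint,
    # not proof, that the scan engine was the one that failed.
    $filter = @{ LogName = 'System'; Id = 10010; StartTime = $Since }
    $found  = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool] $found
}

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    $started = Get-Date

    # /I is the assessment scan switch used in the thread.
    # Assumption: the process waits for the scan and reports failure in its exit code.
    $proc = Start-Process -FilePath $PatchUtilPath -ArgumentList '/I' -Wait -PassThru -NoNewWindow
    $dcomTimeout = Test-DcomTimeoutSince -Since $started

    if ($proc.ExitCode -eq 0 -and -not $dcomTimeout) {
        Write-Output "Assessment scan finished on attempt $attempt."
        exit 0
    }

    Write-Warning ("Attempt {0} failed (exit code {1}, DCOM 10010 logged: {2})." -f `
        $attempt, $proc.ExitCode, $dcomTimeout)

    # Give the COM subsystem time to settle before the next attempt.
    if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
}

Write-Error "Assessment scan still failing after $MaxAttempts attempts."
exit 1
```

Run as a deployment task before the patch cycle, the non-zero exit code lets the job stop instead of continuing to `/Xa` on a client that never reported an assessment.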