Client Management Suite

  • 1.  Applicable patches not being installed

    Posted May 21, 2011 02:52 PM

    I'm trying to patch some workstations using Patch Management but am running into a problem where "applicable" patches are not being deployed. The "Microsoft Compliance and Vulnerability by Computer" report shows the patch is applicable yet when I deploy it, the patch is not applied and the status within the client-side Agent says "Not currently applicable".

    I checked the "Applicability" section of the Resource manager for those software updates that are not being applied and the workstations meet the requirements listed there (for example OS and SP level).

    Are there other prerequisites that are not being met, and if so how do I find out what these are? I don't see why there should be a discrepancy where the report says "Applicable" and status says "Not currently applicable". The report now lists these updates under the "vulnerable" count which I would like to clear.

    Thanks in advance!



  • 2.  RE: Applicable patches not being installed

    Posted May 22, 2011 03:14 PM

    1) What version of patch?

    2) What OS are your clients?

    3) Do the agents have software update agent installed, and a software update agent policy applied?



  • 3.  RE: Applicable patches not being installed

    Posted May 23, 2011 03:19 PM

    1) patch mgmt version 6.2

    2) clients are Windows XP Pro SP3

    3) yes, software update agent is installed on all clients. the default software update agent policy is enabled.
    settings for this policy are:
    reinstallation attempts after task failure: 3
    reinstallation attempts when task requires a reboot: 3
    max# of conseq installs allowed per update: 25
    Reboot at end of software update cycle, allow multiple reboots during update cycle.

    thank you



  • 4.  RE: Applicable patches not being installed

    Posted May 24, 2011 10:59 AM

    Kristen,

    There are various issues that can cause this to happen, including incorrect/invalid registry entries, "missing" files (though that usually results in a patch continually reinstalling, when the rule says that a file should be version a.b.c.d, but the file in question doesn't actually exist to BE patched), or an error on the Symantec/Altiris side in the definition of the IsApplicable/IsInstalled rules.  Can you provide some example bulletins and specific update .exe files which are showing as not applicable?  There are several KBs that you can use to determine exactly why a patch is showing as not applicable (or not vulnerable, or vulnerable, etc):

    http://www.symantec.com/docs/TECH40145 (start here; it links to the others I believe)
    http://www.symantec.com/docs/HOWTO2123
    http://www.symantec.com/docs/TECH40144
    http://www.symantec.com/docs/HOWTO3063
     



  • 5.  RE: Applicable patches not being installed

    Posted May 24, 2011 06:46 PM

    Hi.

    Have you looked at the log files for the local agent?

    You can use the RAAD tool (Remote Altiris Agent Diagnostics) available from http://www.symantec.com/docs/HOWTO21449 or the LogViewer.exe in %ProgramFiles%\Altiris\Diagnostics on your NS.

    Find all lines where the source is 'SoftwareUpdateAgent'. Every time the agent starts up, the patch rules are evaluated and you'll see if a patch is applicable to the workstation and then if it is installed. You should see line entries similar to

    Applicable Rule evaluated TRUE for windowsxp-kb2419632-x86-enu.exe
    Installed Rule evaluated TRUE for windowsxp-kb2419632-x86-enu.exe
    Applicable Rule evaluated FALSE for windowsxp-kb2483618-x86-enu.exe

    Does this correspond to what you see reported in the agent or on the NS?

    Have you also tried to delete & recreate the inventory? Deleting C:\Program Files\Altiris\Altiris Agent\Agents\InventoryRuleAgent\InventoryRuleCache.iad when the Altiris agent is stopped is very important. See http://www.symantec.com/docs/HOWTO4689.
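
The log check described in the post above, as an added example that is not part of the original post or of any Symantec tooling: it reduces the rule-evaluation messages to one state per update and lists those still applicable but not installed. It assumes only the message text quoted above; the function names and the sample lines are constructed for illustration.

```python
import re

# Matches the message text quoted in the post above. The rest of the log line
# (timestamp, source column) is not assumed, so the pattern searches anywhere.
RULE_RE = re.compile(
    r"(Applicable|Installed) Rule evaluated (TRUE|FALSE) for (\S+)",
    re.IGNORECASE,
)

def summarize(lines):
    """Map each update file to a state, keeping the latest evaluation per rule."""
    seen = {}
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            continue
        rule = m.group(1).lower()
        value = m.group(2).upper() == "TRUE"
        update = m.group(3).lower()  # file names differ in case between sources
        seen.setdefault(update, {})[rule] = value  # a later agent start overwrites
    states = {}
    for update, rules in seen.items():
        applicable, installed = rules.get("applicable"), rules.get("installed")
        if applicable is False:
            states[update] = "not applicable"
        elif installed is True:
            states[update] = "installed"
        elif applicable and installed is False:
            states[update] = "applicable, not installed"
        else:
            states[update] = "incomplete evaluation"
    return states

def pending(lines):
    """Updates the agent considers applicable but has not installed."""
    return sorted(u for u, s in summarize(lines).items()
                  if s == "applicable, not installed")

# Constructed sample: message text only, using file names from this thread.
SAMPLE = [
    "Applicable Rule evaluated TRUE for windowsxp-kb2419632-x86-enu.exe",
    "Installed Rule evaluated TRUE for windowsxp-kb2419632-x86-enu.exe",
    "Applicable Rule evaluated FALSE for windowsxp-kb2483618-x86-enu.exe",
    "Applicable Rule evaluated TRUE for WindowsXP-KB958644-x86-ENU.exe",
    "Installed Rule evaluated FALSE for WindowsXP-KB958644-x86-ENU.exe",
    "Applicable Rule evaluated TRUE for WindowsXP-KB954459-x86-ENU.exe",
    "Installed Rule evaluated FALSE for WindowsXP-KB954459-x86-ENU.exe",
    "Installed Rule evaluated TRUE for WindowsXP-KB954459-x86-ENU.exe",
]

if __name__ == "__main__":
    for update, state in summarize(SAMPLE).items():
        print(f"{state:28} {update}")
```

Comparing the `pending` list with the "vulnerable" count on the NS shows whether the agent and the server disagree about an update or whether the install is simply not happening.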



  • 6.  RE: Applicable patches not being installed

    Posted May 26, 2011 11:23 PM

    Thanks all for your guidance so far. There are 2 or 3 patches that do not install on the majority of workstations:

    MS08-069 WindowsXP-KB954459-x86-ENU.exe
    MS08-067 WindowsXP-KB958644-x86-ENU.exe

    The isApplicable inventoryrulexml shows constant value = "true" for both so I looked at the pre-reqs/applicability for these and they are Windows XP Pro SP3, which is what we have.

    The isInstalled returns a False when I run the xml script on the client, which agrees with the Update Installed = False on the NS resource manager for the client. I also see "update task Enabled" = False in the NS Software Inventory for the client. Does that matter?

    I installed RAAD and also tried looking at logviewer but it does not show any lines with Source=SoftwareUpdateAgent. There are a lot of entries with source=CPreReqRuleProvider and CRuleProvider but they are not helpful.

    Thanks



  • 7.  RE: Applicable patches not being installed
    Best Answer

    Posted May 27, 2011 06:04 PM

    I've seen cases where a bulletin is staged, and a policy created, but then at some point is not fully staged and needs the packages recreated.  If you go out to the patch remediation center and right-click on these bulletins, do you get the option to Recreate Packages?  If so, recreate packages and your client should download successfully.  And obviously if Stage is visible there for some reason, do the same.

    If everything looks fine there, I'd create a new policy for just these two bulletins and then apply it to your test systems/problem systems, enabling the policy.  Force your Microsoft filter updates on your NS or wait for the interval to lapse, then update the policy on your clients.  It doesn't sound like this is the issue since you're seeing applicability/installed checks, but I thought I'd mention it as a step to try.



  • 8.  RE: Applicable patches not being installed

    Posted May 31, 2011 05:29 PM

    Thanks mclemson, recreating the packages did the trick! Even though the status was already "Staged" I recreated them and re-ran the task. The vulnerable count is now 0, finally.

    Thanks everyone else for your suggestions. The links provided were very helpful in understanding how PM evaluates applicability.