Client Management Suite

  • 1.  NS7 Patch Management and Reports question

    Posted Feb 18, 2011 05:26 PM

    I'll try to lay this out clearly so you can point out what I'm doing wrong here...

    On an agent's software update tab:

    1 failed to install update (ms10-74)

    6 installed updates.

    0 pending updates.

    Under All Reports > Software > Patch Management > Compliance > Microsoft Compliance by Computer...

    Locate said agent in the list, and it shows 17 vulnerable updates...

    Right click > View Vulnerable Updates

    That report only returns 11 updates (7 of which are in the agents update tab above)


    My questions are:

    Is the agent waiting for a reboot before it even schedules the other 4 updates?  Is there any way I can tell? 

    Where are the 6 mystery updates between the Compliance by Computer report and the Vulnerable Updates by Computer report for that computer?  And yes, the 6 installed and the 1 failed updates on the agent show up in the Vulnerable Updates by Computer report for that computer, so those are accounted for. I have re-run all the Resource Membership updates if that even matters.

    I want to mention that I've tried re-running the patch cycle on the agent, it is within a maintenance window, and I have all views checked under Show Updates.

    At a loss here, any pointers would be appreciated.

    Thanks,

    Dan



  • 2.  RE: NS7 Patch Management and Reports question

    Posted Feb 20, 2011 02:44 PM

    However, you should be able to run the Compliance by Computer report and drill down or right click and show the vulnerable updates. Many updates, especially critical ones, do not apply until a reboot is done, regardless of status of install.

    In addition, you may have vulnerabilities for updates you have not staged yet. The patch inventory process takes updates into account outside of what you have distributed via Altiris.

    Another common misconception is that if you run the MBSA or Windows Update, it will show more vulnerabilities than Altiris. That is because Altiris only takes into account security related updates, while Windows considers things such as IE version and service packs as security related. You cannot apply service packs or IE version upgrades via Altiris Patch Management, you need to use Software Management Solution.
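    The reply above says an installed-but-not-rebooted update still counts as vulnerable, and the original post asks whether there is a way to tell that an agent is waiting on a restart. The following is an added example, not code from this thread or from Symantec/Altiris: it reads the three standard Windows registry indicators of a pending reboot (Component Based Servicing, the Windows Update agent's RebootRequired key, and queued PendingFileRenameOperations) and returns them as one object. It makes no use of any Altiris agent key, since the thread names none; it assumes it is run locally with rights to read HKLM, and that the Component Based Servicing key is simply absent on Windows XP/2003 (it was introduced with Vista), in which case that indicator stays false.

```powershell
# Added example (not from the original thread or the Altiris product).
# Checks the standard Windows "reboot pending" indicators so you can confirm
# whether an agent showing a failed or installed update is really waiting
# on a restart before the patch inventory will report it as compliant.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    # Assumed (standard Windows) locations; none of these are Altiris keys.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # Component Based Servicing: Vista/2008 and later. Absent on XP/2003,
    # so Test-Path is simply $false there and the other two checks decide.
    $cbsPending = Test-Path -Path $cbsKey

    # The Windows Update agent creates this key when it wants a restart.
    $wuPending = Test-Path -Path $wuKey

    # PendingFileRenameOperations (REG_MULTI_SZ) lists files that were in
    # use during install and will be replaced at next boot, e.g. patched DLLs.
    $renameOps = (Get-ItemProperty -Path $smKey -Name 'PendingFileRenameOperations' `
                      -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $pfroPending = $false
    if ($renameOps -and @($renameOps).Count -gt 0) { $pfroPending = $true }

    # New-Object rather than [PSCustomObject] so this also runs on the
    # PowerShell 2.0 hosts that were common on NS7-era clients.
    New-Object -TypeName PSObject -Property @{
        ComputerName                = $env:COMPUTERNAME
        ComponentBasedServicing     = $cbsPending
        WindowsUpdateRebootRequired = $wuPending
        PendingFileRenameOperations = $pfroPending
        PendingFileRenameList       = @($renameOps)
        RebootPending               = ($cbsPending -or $wuPending -or $pfroPending)
    }
}

# Usage: run on the agent (or via Invoke-Command against it) and look at
# RebootPending; if it is $true, the "failed" or "installed" update on the
# Software Update tab will keep showing as vulnerable until the box restarts.
Test-PendingReboot | Format-List ComputerName, RebootPending, ComponentBasedServicing, `
    WindowsUpdateRebootRequired, PendingFileRenameOperations, PendingFileRenameList
```

    PendingFileRenameOperations is the one indicator that catches the case the later reply describes, an in-use file that the installer could not replace while the OS was running, so it is worth inspecting the list itself rather than just the boolean when the other two keys are clean.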



  • 3.  RE: NS7 Patch Management and Reports question

    Posted Feb 20, 2011 05:02 PM

    SP1 for 7.1 will allow you to use Patch Management to release Service Packs, Updates, Update Roll-ups, etc.  Everything except Drivers, if I remember correctly.



  • 4.  RE: NS7 Patch Management and Reports question

    Posted Feb 21, 2011 05:31 AM

    It is hard to tell anything without logs or at least screenshots.

    >Is the agent waiting for a reboot before it even schedules the other 4 updates? 

    No, policy should be received by the agent regardless of the current reboot status. Typical problems:

    1. Do you have policies created/enabled for those 4 updates?

    2. Does this client appear in the target of those policies?

    3. Do those 4 updates also show up as vulnerable?

    4. Try selecting all the options under "Show Updates" on the client side.

    >Where are the 6 mystery updates between the Compliance by Computer report and the Vulnerable Updates by Computer for that computer?

    This is typically because of the filters mismatch between the reports. Make sure that filters you use are the same in both reports.

    Regards,

    Robert



  • 5.  RE: NS7 Patch Management and Reports question

    Posted Feb 22, 2011 12:26 AM

    ...I think the "extra" updates are ones which have been superseded by a later release (the missing 4 for the 7 of 11).  If you run the Superseded Bulletin summary report, do the "missing" 4 updates supersede each other?  That's one thing that somewhat annoys me with Patch Management.  Say you just upgrade to IE8...Altiris will show that you have 15+ missing updates, since it includes every IE8-KBxxxxxx-WindowsXP-x86-enu.exe update there is, though installing the most recent one will (most of the time, AFAIK) fix compliance for all of them.

    Regarding the different counts...sometimes (and I thought this was fixed in 6.2 of Patch), you may see individual updates (the actual .exe file), along with an associated .bat file Symantec creates to install it, listed as vulnerable.  So you'll see WindowsXP-KBxxxxxxx-x86-enu.exe and WindowsXP-KBxxxxxxx-x86-enu.bat both "vulnerable".

    As mentioned above however, a pending reboot will technically still count as vulnerable, if the files that are updated by the patch can't be installed while the OS is running.