
Patch Management scan doesn't execute


Article ID: 162812


Products

Patch Management Solution for Windows

Issue/Introduction

The client's Altiris Agent GUI > Software Delivery tab displays the Windows System Assessment Scan in the 'Task queued to start' state.

Cause

  1. The required NTFS permissions and ownership were not in place on the SMP / Site Servers for the packages.
     
  2. The 'Inventory Plug-in for Windows Install' and 'Software Management Solution Plug-in for Windows (64-bit) - Install' packages were stuck in 'Retrying download' status due to network security restrictions (e.g. GPO-Group Policies / Virus Scan Software restrictions).
    1. To find these, the following settings were enabled on the Agent GUI > Software Delivery tab:
      • Show scheduled tasks and packages
      • Show internal tasks and packages
      • Show expired packages

Resolution

Work through the following resolution for Issue #1:

  1. Drill down to the default directory, C:\Program Files\Altiris\Notification Server\NSCap\bin\Win64:
    • Set Rights: Right-click > Properties > Security tab; click the 'Edit' button > allow full rights to the Administrators group
    • Set Permissions: Right-click > Properties > Security tab; click the 'Advanced' button > Permissions tab; ensure that Administrators is listed alongside SYSTEM and that both have Full control
      • Ensure 'Replicate down...' is checked (enabled)
      • Click 'Apply / OK'
    • Set Ownership: Right-click > Properties > Security tab; click the 'Advanced' button > Owner tab > Edit button; select the 'Other users or groups...' button, add the Administrators group name, click 'Check Names' to confirm, and close with 'OK'
      • Ensure the 'Replace owner on subcontainers and objects' setting is enabled
      • Click 'Apply / OK'
      • Note: On Windows 2008+, work through the following on that folder: Right-click > Properties > Security tab; click the 'Advanced' button, select the 'Change' link near the top of the window, input the Administrators group name, click 'Check Names' to confirm, and close with 'OK'
        • Ensure the 'Replace all child object permissions entries with inheritable permission entries from this object' setting is enabled
        • Click 'Apply / OK'
           
  2. Repeat this process on all other package locations that are failing to download on Clients/Site Servers (e.g. C:\Program Files\Altiris\Patch Management\Packages\Updates), as needed
    • It is standard to deploy as Administrators, so this could be performed on the Altiris root folder if able
       
  3. If this is affecting only the Windows System Assessment Scan package, repeat the process only on the following package locations:
    • On SMP Server: C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan
    • On Package Server: C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}
       
  4. Clear the security restrictions that prevent the Agent Plug-ins from downloading. The Windows System Assessment Scan will run once the downloads complete and the filters update on the SMP. These restrictions could be managed by, but aren't limited to, routers, gateways, Group Policies (GPOs), Virus Scan Software or even Caching Servers. This process is handled outside the ITMS software and may require Network Admin assistance or sniffing tools (e.g. Wireshark) to track what is causing the restrictions.
    • Ensure the SMP Server and Package Servers/Site Servers are cleared of these restrictions for full access within the environment.
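
Before changing anything in steps 1 to 3, it helps to record what the owner and ACLs on the package folders currently are. The following PowerShell audit is an added example, not part of the original article or of the ITMS product; the function names are hypothetical, and the paths are the default locations named above. It is read-only and does not evaluate Deny entries.

```powershell
# Added example: read-only audit of owner and Full control ACEs on package folders.
# Paths are the defaults named in this article; adjust them for your install.
$PackagePaths = @(
    'C:\Program Files\Altiris\Notification Server\NSCap\bin\Win64',
    'C:\Program Files\Altiris\Patch Management\Packages\Updates',
    'C:\Program Files\Altiris\Patch Management\Packages\WindowsVulnerabilityScan'
)
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Test-FullControl {
    param($Acl, [string]$Sid)
    # True when Allow ACEs give $Sid full control on this folder AND pass it to subfolders and files.
    $here = $false; $down = $false
    foreach ($ace in $Acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.IdentityReference.Value -ne $Sid -or $ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        # 0x1F01FF = FullControl; 0x10000000 = GENERIC_ALL, as seen on inherit-only ACEs
        $full = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
        if (-not $full) { continue }
        if (-not $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { $here = $true }
        if ([int]$ace.InheritanceFlags -eq 3) { $down = $true }   # ContainerInherit + ObjectInherit
    }
    return ($here -and $down)
}

function Get-PackageAclReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p -PathType Container
        $acl = if ($exists) { Get-Acl -LiteralPath $p }
        [pscustomobject]@{
            Path          = $p
            Exists        = $exists
            OwnerIsAdmins = $exists -and ($acl.GetOwner($SidType).Value -eq $AdminsSid)
            AdminsFull    = $exists -and (Test-FullControl $acl $AdminsSid)
            SystemFull    = $exists -and (Test-FullControl $acl $SystemSid)
        }
    }
}

Get-PackageAclReport -Path $PackagePaths | Format-Table -AutoSize

# Command-line counterpart of the GUI steps for a folder that fails the audit (elevated prompt):
#   icacls "<path>" /setowner "BUILTIN\Administrators" /T /C
#   icacls "<path>" /grant "BUILTIN\Administrators:(OI)(CI)F"
```

Run it on the SMP and on each Package/Site Server and save the output, so the change is scoped to the folders that actually fail rather than applied to the whole Altiris root.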

A possible workaround for Issue #2:

1. Download plug-ins on the Client:

  • Open the Altiris Agent GUI on the Client
    • Go to the Software Delivery tab
      • Highlight the Software Management Solution Plug-in for Windows (64-bit) - Install
      • Double left-click and go to Download History
      • Click the Source Location URL
      • Click on the download .msi link in Windows Explorer and 'Run'
        • This will restart the agent services; re-open the Agent GUI
    • Go to the Software Delivery tab
      • Highlight the Inventory Plug-in for Windows Install
      • Double left-click and go to Download History
      • Click the Source Location URL
      • Click on the download .msi link in Windows Explorer and 'Run'
    • Agent GUI > Settings Button (upper right corner)
      • Click the 'Send' button


2. Manually update Filters & Policies on the SMP as follows:

  • Go to the SMP Console > Settings > Notification Server > Resource Membership Update; run ‘Policy…’ & ‘Delta…’


3. Manually Update Configuration on Client:

  • Open the Altiris Agent GUI; Settings Button (upper right corner)
  • Click the 'Update Configuration' button


4. Manually update Patch Filter to display Clients in Patch Compliance Reports:

  • Go to the Server Manager > Configuration > Task Scheduler > Task Scheduler Library; run the NS.Windows Patch Remediation Settings

Note: If the packages cannot be downloaded and run manually with this workaround, the restrictions will need to be lifted within the network.
