Patch Management is an intricate product. Understanding the Patch Management workflow and processing is key to troubleshooting failing Software Update installations.
Summary of Patch Management processing, broken down by stage:
· Licensing / Annual Upgrade Protection (AUP) installed through SIM on SMP for Patch Management Solution
· Download the Import Patch Data for Windows on the SMP
· Software Update Plug-in rolled out to targeted clients
· Licenses are consumed as clients download the Plug-in and return Patch Inventories.
· Patch Management pools the client’s Patch Inventories with the Import Patch Data to ensure the ‘IsApplicable’ & ‘IsInstalled’ rules are satisfied and marked for compliance. Client is deemed ‘vulnerable’ or ‘compliant’ on each targeted update.
· Software Update Package is created on the Patch Remediation Center. This creates codebases in the database for each package and outlines the client’s targeted download location.
· Software Update Policy is created to target specific clients to download the packages. Client downloads the package and waits in a ‘Scheduled’ status.
· Default Software Update Plug-in Policy configures the schedule to execute the Software Update Cycle and reboot process if desired. Advisory: It has been observed that once the Software Update Cycle has begun it will not stop, even if the Maintenance Window closes. This appears to be a result of the client's operating system committing to the install: once the install is queued it will not stop, and that limitation is set by the OS.
· Client runs the Software Update Cycle. Reboots as needed. Gathers client data for this event and returns it to the SMP for processing.
· SMP processes client inventory and populates the database with the returned compliance numbers for viewing in the Compliance Reports.
1. Troubleshooting begins with configuration:
a. Patch Management configuration is outlined in KB: 180589 "Configuring Patch Management for Windows - Best practices for 8.x"
i. Ensure configurations are in order.
ii. Some deviations may be necessary as the environment grows (e.g. the Windows System Assessment Scan interval is expanded from every 4 hours to every 6-8 hours as more clients are added).
2. PMImport is the foundation of Patch Management:
a. Ensure the Import is not configured to run on schedule more than once per day.
i. Enable the ‘Incremental download’ to ensure that only the newest day is downloaded. This setting may be disabled if a complete fresh PMImport is needed to ensure rules are current.
1. Note: this data replicates to all Patch Agents once it has completed download. The client will return Patch Inventories from this data.
b. Troubleshooting Import Patch Data for Windows is outlined in KB: 154817 'PMImport failing to download successfully'
i. Ensure network security and communications are in order, along with permissions for the user executing the download, as those are the most common causes for PMImport failure.
c. A custom Notification Policy may be created to send an email if the import fails
i. Outlined in KB: 181132 'How do I create a custom Automation / Notification Policy and Report to see if 'Import Patch Data for Windows' failed to run.'
3. Patch Agent fails to deploy, or displays updates stuck in a ‘Pending’ Status:
a. Client may not be getting all components of the Patch Plug-in
i. Troubleshooting outlined
1. KB: 180699 'How does managed client consume a Patch Management Solution license for 8.x?'
b. Client may not be getting all necessary policies required
i. Troubleshooting outlined in KB: 152288 'Updates show as 'Pending' on the Software Update tab of the Symantec Management Agent'
4. Patch Agent failing to be targeted by the Software Update Policy:
a. Ensure the client is vulnerable to the Bulletins / Updates in the policy
i. Review the Compliance Reports
ii. Run the SSE Reports for Patch Management outlined in KB: 180504 'SSE Reports'
1. These reports will show if the computer is targeted by the update’s ‘IsApplicable’ rule.
b. Windows Patch Remediation Settings needs to have at least one client targeted
i. Troubleshooting outlined in KB: 181166 'Changing the Default Target for Software Update Policies during creation'
5. Patch Agent fails to download Software Update Package:
a. Client may be stuck in a ‘Retrying’ state for download
i. Troubleshooting outlined in KB: 154257 'Management Agent GUI > Software Updates Tab displays Software Updates in a 'Retrying' status.'
b. Software Update Policy advertisements may be stale
i. Troubleshooting outlined in KB: 177049 'Software Updates are generating errors for the client policy xml files.'
6. Reporting: Clients are compliant, but reporting displays updates are vulnerable
i. Client fails to return Patch Inventories:
1. Run the Diagnostics > Windows System Assessment Scan report to see the recent scan for Patch Inventories
2. Troubleshooting outlined in KB: 180730 'Client failing to return Patch Management Inventories for v8.x'
ii. Patch Inventories return, but reports fail to display data properly
7. Software Update fails to install on the client
a. Exit codes will show what the issue is regarding the install process
b. A rule for ‘IsApplicable’ may be over-targeting the client
i. Data gathering for rules issues is outlined in KB: 180740 'What data is needed to troubleshoot a possible rules issue in Patch Management?'
8. Client reboots outside the Software Update Cycle - Reboot Schedule
a. This rarely happens, and is most often caused by misconfiguration as outlined in KB 180859 'Configuring Patch Management for Windows - Best practices for 8.x'
b. Review the process for troubleshooting outlined in KB: 178429 'How do I troubleshoot the Patch Management - PMImport failing to download successfully?'
The following articles assist with further troubleshooting for Patch Management:
KB: 180633 'How do I use Patch Management for Windows in a Hierarchy and with Replication?'