Troubleshooting Patch Management 7.5.x - 8.0:
Patch Management is an intricate product. Understanding the Patch Management workflow and processing is key to troubleshooting failing Software Update installations.
Summary of Patch Management processing, broken down by step:
· Licensing / Annual Upgrade Protection (AUP) installed through SIM on SMP for Patch Management Solution
· Download the Import Patch Data for Windows on the SMP
· Software Update Plug-in rolled out to targeted clients
· Licenses are consumed as clients download the Plug-in and return Patch Inventories.
· Patch Management pools the client’s Patch Inventories with the Import Patch Data to ensure the ‘IsApplicable’ & ‘IsInstalled’ rules are satisfied and marked for compliance. The client is deemed ‘vulnerable’ or ‘compliant’ on each targeted update.
· Software Update Package is created on the Patch Remediation Center. This creates codebases in the database for each package and outlines the client’s targeted download location.
· Software Update Policy is created to target specific clients to download the packages. Client downloads the package and waits in a ‘Scheduled’ status.
· Default Software Update Plug-in Policy configures the schedule to execute the Software Update Cycle and the reboot process, if desired. Advisory: It has been observed that once the Software Update Cycle has begun it will not stop, even if the Maintenance Window closes. This appears to be a result of the client's operating system committing to the install: once it is queued it will not stop, and that limitation is set by the OS.
· Client runs the Software Update Cycle. Reboots as needed. Gathers client data for this event and returns it to the SMP for processing.
· SMP processes client inventory and populates the database with the returned compliance numbers for viewing in the Compliance Reports.
1. Troubleshooting begins with configuration:
a. Patch Management configuration is outlined on KM: HOWTO56242
i. Ensure configurations are in order.
ii. Some deviations may be necessary as the environment grows (e.g., the Windows System Assessment Scan interval is expanded from every 4 hours to every 6-8 hours as more clients are added).
2. PMImport is the foundation of Patch Management:
a. Ensure the Import is not configured to run on schedule more than once per day.
i. Enable the ‘Incremental download’ to ensure that only the newest day is downloaded. This setting may be disabled if a complete fresh PMImport is needed to ensure rules are current.
1. Note: this data replicates to all Patch Agents once the download has completed. The client will return Patch Inventories based on this data.
b. Troubleshooting Import Patch Data for Windows is outlined on KM: TECH166778
i. Ensure network security and communications are in order, along with permissions for the user executing the download, as those are the most common causes of PMImport failure.
c. A Custom Notification Policy may be created to send an email if the import fails.
3. Patch Agent fails to deploy, or displays updates stuck in a ‘Pending’ Status:
a. Client may not be getting all components of the Patch Plug-in
i. Troubleshooting is outlined in:
1. KM: HOWTO59456: How a Patch License is consumed
2. KM: TECH170397: Troubleshooting Client failing to get licensed
3. KM: TECH158125: Troubleshooting Client ‘not ready’ for Patch
b. Client may not be getting all necessary policies required
4. Patch Agent failing to be targeted by the Software Update Policy:
a. Ensure the client is vulnerable to the Bulletins / Updates in the policy
i. Review the Compliance Reports
ii. Run the CRT Reports for Patch Management outlined on KM: HOWTO52986
1. These reports will show if the computer is targeted by the update’s ‘IsApplicable’ rule.
b. Windows Patch Remediation Settings needs to have at least one client targeted
5. Patch Agent fails to download Software Update Package:
a. Client may be stuck in a ‘Retrying’ state for download
b. Software Update Policy advertisements may be stale
6. Reporting: Clients are compliant, but reporting displays updates as vulnerable
i. Client fails to return Patch Inventories:
1. Run the Diagnostics > Windows System Assessment Scan report to see the recent scan for Patch Inventories
2. Troubleshooting outlined on KM: HOWTO60750 (Step #8 is the most common cause and has been resolved in PM 8.0 per TECH167291)
ii. Patch Inventories return, but reports fail to display data properly
7. Software Update fails to install on the client
a. Exit codes will show what the issue is regarding the install process
b. A rule for ‘IsApplicable’ may be over-targeting the client
8. Client reboots outside the Software Update Cycle - Reboot Schedule
a. This rarely happens, and is most often caused by misconfiguration.
b. Review the process for troubleshooting outlined on KM: TECH44665
Note the following helpful articles that assist with further troubleshooting for Patch Management:
KM: HOWTO58954 - Replication Settings for Patch Management in Hierarchy