Patch compliance reports display inaccurate compliance numbers and reboot required status.

Article ID: 154871

Products

Patch Management Solution for Windows

Issue/Introduction

The Patch Management Solution for Windows Compliance Reports show clients as needing a reboot after they have already been rebooted, or display inaccurate data about the client's compliance.

Applies To

Patch Management

Cause

Software Update Cycle data is captured as an 'Event' for Patch Management. If the event is missed due to client tasks being backed up or stale, then the 'Event' is lost. If the Event is lost, the Patch Reports are not able to provide accurate 'IsInstalled=TRUE' or 'Reboot Required' data.

  • Note: This is an environmental issue and not a bug in the product. The status is remediated the next time a Software Update Cycle executes and captures the Event; provided the environment is in order, the Event is then processed to the database, resolving this temporary problem.
  • Advisory: This Event cannot be duplicated with a reboot. The Software Update Cycle process (reboot required, then reboot executed) is the only way to generate the Event.

Using scripting to execute the Software Update Cycle does not trigger the event, so the process does not gather the event data. This approach is not supported, because it uses other solutions (Software Delivery or Task Jobs) to execute the Patch functions. Ensure that the process is completely owned by Patch Management.

Additionally, this can be caused by a myriad of things:

  • SMP unable to process NSE files due to queue full or other errors
  • 503 errors on SMP or other IIS issues
  • Database is unable to process with deadlocks or other maintenance issues
  • Client GPO blocks return of NSE files

Resolution

Review the following to see if the issue is present:

1. Check the Client's Registry to see if a reboot is required

  • This process is outlined in KM: TECH127365
    • Value of 1 indicates that a reboot is needed
    • Reboot the client and allow for time to gather the event files
    • Review KM: HOWTO77167 if this process needs to be manually executed to refresh the Reboot Event

2. Check the Client's Resource Manager

  • Console > Manage > Computers > All Computers pane
    • Right-click Client > Resource Manager
  • Resource Manager > View > Inventories > Data Classes > Software Management > Patch Management > Installed Windows Software Update
    • Current tab in the right pane
    • Match the installed list with the compliance report to see what is conflicting.

Once this is confirmed to be the issue in the environment, wait for the Software Update Cycle to execute on the client(s) once more to resolve this temporary problem. If waiting for another Software Update Cycle / Reboot Event is not possible, review the workaround section.

Advisory: This has been resolved in Patch Management 8.x by enabling the 'Send additional status events for Software Update policies (Aex SWD Status)' setting on the Windows Patch Remediation Settings page (Settings > All Settings > Software > Patch Management > Windows Settings).

Note: This process is not real-time and depends on scheduled tasks. The results should be present within a day at the most, but as early as 4 hours afterwards, because the setting requests the missing event from the clients only after they run 'Update Configuration' to pick up this policy change, run the Windows System Assessment Scan, and return inventory to the SMP Server to be processed to the database.

Work Around: Run the attached SQL files to update the following views in the Symantec_CMDB database: vPMCore_SWDEventExecutionSuccessByComputer and vPMCore_SWDEventExecutionSuccessByComputer2

  • This work around will remove the Reboot Event requirement from the Compliance Report. The report will render compliance based on the IsInstalled Rule returned value.
    • Advisory: Before running the SQL rename the existing view for backup purposes.
    • Note: This change slows down the view slightly when rendering the report. In most environments it will not be noticeable; however, larger databases may see a greater impact.
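
One way to carry out the backup advisory above on SQL Server, as an added example that is not one of the article's attachments: it saves each view's definition text to a table and then renames the view. Saving the text matters because sp_rename does not update the name inside a view's stored definition. The dbo schema, the PM_ViewBackup table and the _bak suffix are assumptions made for this example.

```sql
-- Added example, not one of the article's attachments.
-- Assumptions: the views are in the dbo schema; PM_ViewBackup and the _bak
-- suffix are hypothetical names chosen for this example.
USE Symantec_CMDB;

IF OBJECT_ID(N'dbo.PM_ViewBackup', N'U') IS NULL
    CREATE TABLE dbo.PM_ViewBackup (
        ViewName   sysname       NOT NULL,
        SavedAt    datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME(),
        Definition nvarchar(max) NOT NULL
    );

DECLARE @views TABLE (name sysname PRIMARY KEY);
INSERT INTO @views (name) VALUES
    (N'vPMCore_SWDEventExecutionSuccessByComputer'),
    (N'vPMCore_SWDEventExecutionSuccessByComputer2');

-- Stop before changing anything if a view is missing, its text is unreadable
-- (for example WITH ENCRYPTION), or a backup name is already taken.
IF EXISTS (SELECT 1 FROM @views v
           WHERE OBJECT_DEFINITION(OBJECT_ID(N'dbo.' + v.name, N'V')) IS NULL
              OR OBJECT_ID(N'dbo.' + v.name + N'_bak') IS NOT NULL)
BEGIN
    RAISERROR(N'Pre-check failed; no changes were made.', 16, 1);
    RETURN;
END;

BEGIN TRY
    BEGIN TRANSACTION;
    -- 1. Keep the original CREATE VIEW text so it can be restored verbatim.
    INSERT INTO dbo.PM_ViewBackup (ViewName, Definition)
    SELECT v.name, OBJECT_DEFINITION(OBJECT_ID(N'dbo.' + v.name, N'V'))
    FROM @views v;
    -- 2. Rename the existing views, as the advisory asks.
    EXEC sp_rename N'dbo.vPMCore_SWDEventExecutionSuccessByComputer',
                   N'vPMCore_SWDEventExecutionSuccessByComputer_bak', N'OBJECT';
    EXEC sp_rename N'dbo.vPMCore_SWDEventExecutionSuccessByComputer2',
                   N'vPMCore_SWDEventExecutionSuccessByComputer2_bak', N'OBJECT';
    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;  -- undo both the insert and renames
    THROW;
END CATCH;

-- 3. Confirm the _bak views exist before running the attached SQL files.
SELECT name, create_date, modify_date FROM sys.views
WHERE name LIKE N'vPMCore[_]SWDEventExecutionSuccessByComputer%';
```

To roll back the workaround later, drop the replaced view and run the text saved in PM_ViewBackup.Definition, which still contains the original view name.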

Workaround Addition 1: Import the attached custom report: Listed Missing Reboot Events

Workaround Addition 2: View the attached 'Custom RebootRequired Inventory_Dataclass_Report.zip' file; it walks through the process to create a custom Inventory Job (gather reboot data without the event), a custom DataClass (store inventory in the database) and a custom Report (view data in the Console).

Additional Info: Uninstalling / Reinstalling the Altiris Agent will not resolve this issue, for the Patch Inventory is held in the Symantec_CMDB database and will not be affected.

  • However, if the Client Resource is deleted through the Console > Manage > Filters > Computers; the client will return Patch Inventories and the database will process the inventory as 'Installed by User' which will bypass the Reboot Event check.
    • Caution: Perform this process at your own risk, for database data will be lost for the client's full inventory, and this data is not recoverable through the product.

Attachments

Updated Views - Workaround.zip
PowerShell PM Reboot Required.zip
Custom RebootRequired Inventory_Dataclass_Report.zip
All Computers with missed Reboot Events.xml