Patching via K1000 ineffective and slow
I am trying to set up patching for our newly imaged/scripted installations. As a test I created a machine label called "New Win 7 Machine", and manually added the label to a freshly scripted installation of Windows 7x64 SP1.
We do a complete detect every day at 3:00am, and all the active Microsoft patches show as downloaded to the K1000.
Under the Patch listing, I have created a smart label that sees all critical MS patches for Windows 7x64 SP1.
Under Detect and Deploy, I created a Detect and Deploy patch schedule to apply the critical MS Patches for Windows 7 x64 SP1, and pointed that to the machine with the "New Win 7 Machine" label. I also created a label that lists all active Microsoft patches and set the Patch Schedule to apply those and got very similar results.
After running the patch schedule against the target machine for over two days, the results look like this:
PPLDPIK-NG0G834 | 10.1.100.80 | completed | Patched: 15, Not Patched: 215, Detect Failures: 15 , Deploy Failures: 0 |
Looking at the report "For each Patch, what machines have it installed" the listing for this machine shows 44 patches have been applied. To check what still needs to be patched, I ran Windows Update, and it says there are still 116 important updates available.
What am I missing, to cause such poor results? I have searched ITNinja, but haven't seen any postings about similar issues.
If anyone can point me in the right direction, I would really appreciate it!
(edit: spelling correction....)
(edit, removed Link)
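A quick way to get the Windows Update side of this comparison into a form that lines up with the K1000 status line is to ask the Windows Update Agent directly. This is an added example, not code from the thread or from KACE; it uses the Windows Update Agent COM API (Microsoft.Update.Session) on the target machine and assumes an elevated session with access to the configured update source:

```powershell
# Added example, not code from the ITNinja thread: list the updates the Windows
# Update Agent on this machine considers applicable but not installed, so the
# figure can be lined up against the K1000 "Not Patched" count for the same host.
# Run in an elevated PowerShell session on the target machine (online scan).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Software updates that are applicable, not installed and not hidden by a user.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        # The Windows Update UI lists updates flagged AutoSelectOnWebSites as
        # "important"; the rest appear under "optional".
        Important = [bool]$u.AutoSelectOnWebSites
        # MSRC rating (Critical/Important/Moderate/Low); empty for non-security updates.
        Severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        # KB numbers let you match rows against the K1000 per-patch report.
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title     = $u.Title
    }
}

# Headline numbers to compare with the K1000 patch schedule status line.
"Missing (all):       {0}" -f @($missing).Count
"Missing (important): {0}" -f @($missing | Where-Object { $_.Important }).Count

# Per-update detail, important updates first.
$missing |
    Sort-Object -Property @{ Expression = 'Important'; Descending = $true }, Severity, KB |
    Format-Table Important, Severity, KB, Title -AutoSize
```

The "Missing (important)" figure is the number the Windows Update control panel reports, so it is the one to set against the K1000's "Not Patched" count. One caveat when the two disagree: the searcher scans against whatever update source the machine is configured for (Microsoft Update, or a WSUS server if Group Policy points it there), which is a different catalog from the patch feed the K1000 downloads, so a gap between the two counts is not by itself proof that deployment is failing.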
Answers (2)
Do you have it set to auto reboot? Do you have anything under "Suspend Pending Tasks after "X" minutes" in your patch schedule?
215 is a lot of not patched to begin with. Have you thought about slipstreaming your updates into your media so it's a little more update out of the box?
I'm assuming on the deploy schedule you are not deploying the same patch labels as the ones you are detecting every day at 3:00? If you have nothing set to ever deploy those patches then it will continue to show 215 unpatched.
Comments:
It is set to Force Reboot, but hasn't rebooted on its own since finishing the installation. I will try turning that off to test.
Slipstreaming updates is definitely on our list of things to do because we are looking at a company wide upgrade to windows 7 this fall. At this point we will be happy just to get the patching to work.
Thanks for your response! - jgeorge 11 years ago
I edited my answer. I believe the reason it is showing completed is because you are not using the same labels in both the detect, and the deploy schedule.
So you are detecting say 300 patches every day at 3.
On your deploy schedule you are only deploying MS Critical patches. In this case it will probably be 15. So until you set a deploy schedule to deploy all of those other patches it will continue to show 215 unpatched. I'm betting if you looked at some of those 215 they are not MS Critical. - dugullett 11 years ago
Another thing you might want to include is creating a smart label for newly imaged machines. Then create a detect/deploy schedule to patch these machines more frequently. I have this label below set to patch every hour. It detects machines that have been imaged in the past two hours.
select *,
       UNIX_TIMESTAMP(now()) - UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_TIME,
       UNIX_TIMESTAMP(MACHINE.LAST_SYNC) as LAST_SYNC_SECONDS
from ORG1.MACHINE
LEFT JOIN KBSYS.KUID_ORGANIZATION
       ON KUID_ORGANIZATION.KUID = MACHINE.KUID
LEFT JOIN KBSYS.SMMP_CONNECTION
       ON SMMP_CONNECTION.KUID = MACHINE.KUID
      AND KUID_ORGANIZATION.ORGANIZATION_ID = 1
where (((MACHINE.NAME rlike 'CW|MW|UW')                                 -- machine names matching the site's naming patterns
      AND MACHINE.OS_INSTALLED_DATE > DATE_SUB(NOW(), INTERVAL 2 HOUR)  -- OS installed (imaged) within the last two hours
      AND OS_NAME = 'Microsoft Windows 7 Enterprise x64'))
- dugullett 11 years ago
Also, "Suspend Pending Tasks" is not enabled.... - jgeorge 11 years ago
Alternatively you can create a post install task to install the wsusoffline packages (www.wsusoffline.net) or a managed install to install them to keep a higher patching level. The KACE is great if only a few patches need to be applied but needs a long time to catch up if you have old patching levels. - Nico_K 11 years ago
Thank you to both dugullett and Nico_K! I am still working on the problem between interruptions, so it may be a little while before this gets resolved. I appreciate your sharing the wsusoffline link and the code for the smart label. Hopefully I will be able to continue looking at this later today. - jgeorge 11 years ago
Update: I found the Update Rollup patch for Win7 SP1, applied the label "w7rollup" to the patch, and to the machine. I created a patch schedule to apply this specific patch with the w7rollup label to the PC which is also labeled with the w7rollup patch.
The settings are set to:
Detect and deploy,
Limit run to machines with the w7rollup label
Limit to Win7 SP1 machines
Limit detect and deploy to w7rollup
Don't Alert User
Show Patch progress
Show Patch Completed message
Force Reboot.
The results are consistent with all the other patch scenarios I have been trying this week to push patches to this machine.
PPLDPIK-NG0G834 10.1.100.80 completed Patched: 0, Not Patched: 1, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T09:57:18-06:00
I tried again with the settings set to Deploy Only and got similar results:
PPLDPIK-NG0G834 10.1.100.80 completed Patched: 0, Not Patched: 0, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T10:19:02-06:00
Based on what I have documented here, does it look like I am missing any steps? This has become very frustrating.....
Thanks,
John - jgeorge 11 years ago
Update #2.
Thinking the update rollup may not have been applicable to my system, I moved the w7rollup label to the "Cumulative Security Update for Internet Explorer 8 for Windows 7 x64 (KB2846071)" patch and immediately received the same results as above.
PPLDPIK-NG0G834 10.1.100.80 completed Patched: 0, Not Patched: 1, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T10:29:40-06:00 - jgeorge 11 years ago
Update: Contacted KACE Support and Brian Arthur hooked us up with a patch that resolved the issue. It turns out there was a bug with version 5.4 sp1 that broke how KACE communicates with the version 5.3 and 5.4 versions of the Kace Agents. Brian said to contact Kace Support if you are experiencing the same issues after upgrading the K1000 to ver. 5.4 sp1.
Thanks Brian! - jgeorge 11 years ago