Can anyone explain why our KBox is showing a bunch of patches as NOTPATCHED on a system that MBSA shows needs no patches? Attached are screen captures from the MBSA results and the KBox detect job. For example, the KBox still thinks MS11-018 for IE 7 is still needed, when in fact the system now has IE 9 installed.
I'm getting very frustrated by the KBox's patching system not showing accurate information and/or inability to install security patches every other month. When I originally purchased this system I was hoping that it would reduce the amount of time I spend dealing with security patches, not increase it. Is anyone else experiencing this sort of thing?
Thanks in advance for any insight.

Answers

Here is an update on this. I've been going back and forth with Dell KACE support. I ran Windows Update on the machine, and it shows the same thing: all critical patches are installed. I even installed the merely "important" patches that WU found, restarted, ran a detect again, and the KBox still shows a multitude of patches that *do not* need to be installed. Of course, if I let the KBox try to install them, it returns an error and still shows them missing. I've sent about 10-15 screen captures to tech support.

If anyone else has experienced something like this, please share what you did to fix it.

Thanks,

djz
Answered 06/01/2011 by: zookdj
Second Degree Blue Belt

Another update...

KACE says "Our engineers have said that your patch lists are checking for certain programs and patches on your systems, such as MS Internet Explorer. If you are searching for it broadly like this the K1000 will reply with all patches needed for MS Internet Explorer that the system has had, even in the past. So since you once had IE 7 and your patch list is searching for let’s say critical patches for all IE versions then it will detect and list a patch is needed for the system. Currently there is no way to purge the dBase and the only fix action is to limit patch listing as specific as possible to eliminate this error. This will also reduce the amount of patches to your K1000 and save on disk space as an added benefit."

Does anyone have any feedback on this? I tried setting up the patching in our heterogeneous environment by following the "Patching Strategies for the K1000" manual, but maybe I missed something.

I have it set up in this manner...

- All OS patches are labeled by OS (e.g., XP patches are in one label, Vista patches are in another label). Each OS label has its own detect and deploy schedule, and it only applies to systems with the corresponding OS.
- Application patches (IE, Firefox, Flash, Shockwave, dot Net framework, etc.) are deployed using a single patch label to all systems.
- MS Office patches are deployed using a specific label for those patches, and only to machines that have Office software installed.

What do you think? Should I segregate the application patches as well somehow? If so, using what schema?

Thanks. Hopefully someone is reading this and will have some good ideas to share with everyone.

djz
Answered 06/01/2011 by: zookdj
Second Degree Blue Belt

This is great... I just realized that the ticket I submitted to KACE support has an impact of "Severity 4: Working as designed. System usage help required." If this is how it is supposed to work, I would love to hear an explanation from someone at KACE, particularly since the other 130+ systems managed by the KBox *are* working properly (i.e., they are only detecting patches that are needed.)

Normally KACE's tech support is excellent. This time I'm very disappointed with the "support" they are attempting to provide.

If anyone is reading this, please just reply to let me know...

djz
Answered 06/02/2011 by: zookdj
Second Degree Blue Belt

Hi djz,

This is Luis here, who deals with these situations, and I usually check to see why the KACE application is saying a patch is needed by running a detection of those patches that are an issue with client debugging turned on. Lumension has extra file that Windows Update / MBSA 2.2 doesn't do. The issue could be a defect in that set of patches; without seeing the kpatch.log with debugging on I won't be able to tell you.

Thanks,
Luis Lee
Answered 06/02/2011 by: Llee
Senior Yellow Belt

I actually submitted the kpatch.log file (among other log files) with debugging enabled to the ticket when I was on the phone with a tech yesterday. Would you like to see the file(s) too?

Here is what I ended up doing to clean up one system...

- Stop WUAUServ
- Delete SoftwareDistribution folder
- start wuauserv
- uninstall KBox agent
- delete machine inventory record (after saving a copy)
- install KBox agent
- make sure it is communicating
- run detect again

So far those steps seem to take care of it. Hopefully this will be helpful to anyone else experiencing this issue in the future.

Again, let me know if you still want to see the kpatch.log file. If you want to see the ticket it is # 129073
Answered 06/02/2011 by: zookdj
Second Degree Blue Belt
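
The Windows-side steps from the cleanup list in the post above (stop WUAUServ, delete the SoftwareDistribution folder, start wuauserv), written out as an added PowerShell example that is not part of the original thread. The function name `Reset-WindowsUpdateStore` and its parameters are hypothetical; the agent uninstall/reinstall and inventory-record steps are not covered.

```powershell
# Added example, not from the original post.
# Reset-WindowsUpdateStore is a hypothetical helper name. Run from an elevated prompt.
function Reset-WindowsUpdateStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$StorePath = (Join-Path $env:SystemRoot 'SoftwareDistribution'),
        [int]$TimeoutSeconds = 60
    )

    # Service control and deleting under %SystemRoot% both need administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session.'
    }

    $svc     = Get-Service -Name wuauserv -ErrorAction Stop
    $timeout = New-TimeSpan -Seconds $TimeoutSeconds

    # Step 1: stop WUAUServ and wait until it has really stopped,
    # otherwise files in the store stay locked and the delete fails.
    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('wuauserv', 'Stop service')) {
        Stop-Service -Name wuauserv -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', $timeout)
    }

    try {
        # Step 2: delete the SoftwareDistribution folder.
        if ((Test-Path -LiteralPath $StorePath) -and
            $PSCmdlet.ShouldProcess($StorePath, 'Delete folder')) {
            Remove-Item -LiteralPath $StorePath -Recurse -Force -ErrorAction Stop
        }
    }
    finally {
        # Step 3: start wuauserv again, even if the delete failed.
        if ($PSCmdlet.ShouldProcess('wuauserv', 'Start service')) {
            Start-Service -Name wuauserv -ErrorAction Stop
            $svc.WaitForStatus('Running', $timeout)
        }
    }

    # Windows recreates the folder on the next update scan.
    (Get-Service -Name wuauserv).Status
}

# Dry run: lists the actions without stopping the service or deleting anything.
Reset-WindowsUpdateStore -WhatIf
```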

zookdj,

If you want to erase all the patch history, just delete the machine from inventory.

Nice part is, asset history stays when the machine gets re-added.
Answered 06/03/2011 by: dchristian
Red Belt
