Disabled patch still shows as needed by multiple systems
We have a number of patches (e.g., Java 1.6.0_27) that are Disabled (not "Inactive" but Disabled by KACE because it is superseded by a newer version) but are still showing a bunch of systems that need it. There is no way to clear the machines from the patch (or clear the patch from the machines that show it as needed). Even KACE tech support is baffled by this.
Has anyone else seen this?
Community Chosen Answer
Yes, I've seen it. In my experience it typically occurs in the following scenario:
- Detect is run against machines
- patch is current and marked as needed in the machines' Inventory listing
- patch does not get deployed (for whatever reason - in my situation, I had to redo my patch labels and re-download patches which took a while as I kept running into disk space issues
- the patch gets superseded, which causes it to be disabled in the patch listing, but it is still marked as missing by the machines, even if the patch that supersedes it has been installed
Although this seems like a bug to me, if you run a patch report for missing active patches, the superseded patch will not (in my experience) be listed in the report as missing. Therefore, it seems to be more of a cosmetics thing and so I typically just go by (and show management) the reports for current patching status.
Also, I've found a workaround, but it's not ideal:
1) Delete the Inventory item for any machines listing these superseded patches as missing
2) Uninstall the KACE agent from the affected machines
3) Delete the All Users (or ProgramData) \Dell\KACE folder which has a copy of the machine's Inventory file (XML I believe) on each affected machine
4) Reinstall the KACE agent, run Inventory against it, then run a patch scan - the "problem" patch will no longer be listed
Again, I wouldn't really call that a solution, so hopefully Support will create a bug listing on this and fix it directly so that superseded patches will no longer be listed/detected as missing even if they weren't deployed. Until then, I would just go by reports for truly missing patches.
If you need help with reports, please see part 11 (SQL Reports) of this post:
K1000 Patching - Setup, Tips & Things I Have Learned (LDAP, Smart Labels, SQL Reports)