We have a number of patches (e.g., Java 1.6.0_27) that are Disabled (not "Inactive" but Disabled by KACE because they are superseded by a newer version) but are still showing a bunch of systems that need them. There is no way to clear the machines from the patch (or clear the patch from the machines that show it as needed). Even KACE tech support is baffled by this.

Has anyone else seen this?



Community Chosen Answer



Yes, I've seen it.  In my experience it typically occurs in the following scenario:

- Detect is run against machines

- patch is current and marked as needed in the machines' Inventory listing

- patch does not get deployed (for whatever reason - in my situation, I had to redo my patch labels and re-download patches, which took a while as I kept running into disk space issues)

- the patch gets superseded, which causes it to be disabled in the patch listing, but it is still marked as missing by the machines, even if the patch that supersedes it has been installed

Although this seems like a bug to me, if you run a patch report for missing active patches, the superseded patch will not (in my experience) be listed in the report as missing. Therefore, it seems to be more of a cosmetic thing and so I typically just go by (and show management) the reports for current patching status.

Also, I've found a workaround, but it's not ideal:

1) Delete the Inventory item for any machines listing these superseded patches as missing

2) Uninstall the KACE agent from the affected machines

3) Delete the All Users (or ProgramData) \Dell\KACE folder which has a copy of the machine's Inventory file (XML I believe) on each affected machine

4) Reinstall the KACE agent, run Inventory against it, then run a patch scan - the "problem" patch will no longer be listed

Again, I wouldn't really call that a solution, so hopefully Support will create a bug listing on this and fix it directly so that superseded patches will no longer be listed/detected as missing even if they weren't deployed.  Until then, I would just go by reports for truly missing patches.  

If you need help with reports, please see part 11 (SQL Reports) of this post:

K1000 Patching - Setup, Tips & Things I Have Learned (LDAP, Smart Labels, SQL Reports)



Answered 08/11/2012 by: jverbosk
Red Belt



What's sad is that it's 2018 and this is still a problem. When patches are detected on an endpoint, then the patch is disabled or inactivated, it will still show as needed. The only way we got rid of this (with the help of support) was to delete the element and run a Detect schedule against it to get an accurate count.

This is, in my opinion, a very bad way to manage patches!
Answered 01/11/2018 by: pc2550
White Belt
