I am trying to set up patching for our newly imaged/scripted installations. As a test I created a machine label called "New Win 7 Machine", and manually added the label to a freshly scripted installation of Windows 7 x64 SP1.

We do a complete detect every day at 3:00am, and all the active Microsoft patches show as downloaded to the K1000.

Under the Patch listing, I have created a smart label that sees all critical MS patches for Windows 7 x64 SP1.

Under Detect and Deploy, I created a Detect and Deploy patch schedule to apply the critical MS patches for Windows 7 x64 SP1, and pointed that to the machine with the "New Win 7 Machine" label. I also created a label that lists all active Microsoft patches and set the patch schedule to apply those, and got very similar results.

After running the patch schedule against the target machine for over two days, the results look like this:

PPLDPIK-NG0G834 completed Patched: 15, Not Patched: 215, Detect Failures: 15 , Deploy Failures: 0

Looking at the report "For each Patch, what machines have it installed" the listing for this machine shows 44 patches have been applied.  To check what still needs to be patched, I ran Windows Update, and it says there are still 116 important updates available. 

What am I missing that causes such poor results? I have searched ITNinja, but haven't seen any postings about similar issues.

If anyone can point me in the right direction, I would really appreciate it!

(edit: spelling correction)

(edit: removed link)

Do you have it set to auto reboot? Do you have anything under "Suspend Pending Tasks after "X" minutes" in your patch schedule?

215 is a lot of not patched to begin with. Have you thought about slipstreaming your updates into your media so it's a little more up to date out of the box?

I'm assuming on the deploy schedule you are not deploying the same patch labels as the ones you are detecting every day at 3:00? If you have nothing set to ever deploy those patches then it will continue to show 215 unpatched.

Answered 07/17/2013 by: dugullett
Red Belt

  • It is set to Force Reboot, but hasn't rebooted on its own since finishing the installation. I will try turning that off to test.

    Slipstreaming updates is definitely on our list of things to do because we are looking at a company wide upgrade to windows 7 this fall. At this point we will be happy just to get the patching to work.

    Thanks for your response!
    • I edited my answer. I believe the reason it is showing completed is because you are not using the same labels in both the detect, and the deploy schedule.

      So you are detecting, say, 300 patches every day at 3:00.

      On your deploy schedule you are only deploying MS Critical patches. In this case it will probably be 15. So until you set a deploy schedule to deploy all of those other patches it will continue to show 215 unpatched. I'm betting if you looked at some of those 215 they are not MS Critical.
      • Another thing you might want to include is creating a smart label for newly imaged machines. Then create a detect/deploy schedule to patch these machines more frequently. I have this label below set to patch every hour. It detects machines that have been imaged in the past two hours.

        -- Assumed completion: the K1000 smart label editor wraps the clause below in a select on MACHINE.ID; the original comment omitted it.
        select MACHINE.ID
        from ORG1.MACHINE
        -- Name contains CW, MW or UW (the rlike pattern is unanchored), OS installed within the last 2 hours, and Windows 7 Enterprise x64 only.
        where ((( MACHINE.NAME rlike 'CW|MW|UW') AND MACHINE.OS_INSTALLED_DATE > DATE_SUB(NOW(), INTERVAL 2 HOUR) AND OS_NAME = 'Microsoft Windows 7 Enterprise x64'))
  • Also, "Suspend Pending Tasks" is not enabled....
  • Alternatively you can create a post-install task to install the wsusoffline packages ( www.wsusoffline.net ) or a managed install to install them, to keep a higher patching level. The KACE is great if only a few patches need to be applied, but needs a long time to catch up if you have old patching levels.
  • Thank you to both dugullett and Nicko-K! I am still working on the problem between interruptions, so it may be a little while before this gets resolved. I appreciate your sharing the wsusoffline link and the code for the smartlabel. Hopefully I will be able to continue looking at this later today.
  • Update: I found the Update Rollup patch for Win7 SP1, applied the label "w7rollup" to the patch, and to the machine. I created a patch schedule to apply this specific patch with the w7rollup label to the PC which is also labeled with the w7rollup patch.

    The settings are set to:
    - Detect and deploy
    - Limit run to machines with the w7rollup label
    - Limit to Win7 SP1 machines
    - Limit detect and deploy to w7rollup
    - Don't Alert User
    - Show Patch Progress
    - Show Patch Completed message
    - Force Reboot

    The results are consistent with all the other patch scenarios I have been trying this week to push patches to this machine.

    PPLDPIK-NG0G834 completed Patched: 0, Not Patched: 1, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T09:57:18-06:00

    I tried again with the settings set to Deploy Only and got similar results:

    PPLDPIK-NG0G834 completed Patched: 0, Not Patched: 0, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T10:19:02-06:00

    Based on what I have documented here, does it look like I am missing any steps? This has become very frustrating.....
  • Update #2.
    Thinking the update rollup may not have been applicable to my system, I moved the w7rollup label to the "Cumulative Security Update for Internet Explorer 8 for Windows 7 x64 (KB2846071)" patch and immediately received the same results as above.

    PPLDPIK-NG0G834 completed Patched: 0, Not Patched: 1, Detect Failures: 0 , Deploy Failures: 0 2013-07-18T10:29:40-06:00
  • Update: Contacted KACE Support and Brian Arthur hooked us up with a patch that resolved the issue. It turns out there was a bug with version 5.4 sp1 that broke how KACE communicates with the version 5.3 and 5.4 versions of the Kace Agents. Brian said to contact Kace Support if you are experiencing the same issues after upgrading the K1000 to ver. 5.4 sp1.

    Thanks Brian!

Final Update: After applying the hotfix from Kace Support, I can verify the problem has been resolved. Thank you to everybody who responded, and provided ideas.

I consider this resolved.

Answered 07/18/2013 by: jgeorge
Senior Purple Belt
