Clients Not Taking Advertisement

[BradMcCuller]

I'm running SMS 2003 on a Windows 2003 standard edition box, mainly to simplify patch management for the office LAN. The problem is that the handful of test PCs I have set up with advanced clients aren't grabbing the advertisement for the security update. I've checked their collection, and the advertisement shows up, but they never run it. I also have the ability for the clients to run the advertisement manually enabled, but nothing shows up when you go to run advertised programs from the client.

 

[2tired2care]

Assumption: You are using the prepackaged advertisement that can with the MS Security Update Tool.

Step 1: DEJA VU ALL OVER AGAIN
You might want to verify what (if any) actions your client PC has already taken. Locate on the client PC the EXECMGR.LOG file. Just double-click on the file and read it using NOTEPAD or some other text editor. Can't figure it out because of all the "junk" in the log? Erase all the text and save the log file. Now you have a clean slate for your testing.

Step 2: PLAY IT AGAIN SAM
SMS 2003 has a specific way of handling advertisements. The short explaination - advertisements are only run once by a client PC. So you need to "reset" the advertisement's availability when you want a client PCs to "rerun" it. You can do this by: SYSTEM MANAGEMENT SERVER | SITE DATABASE | ADVERTISEMENTS; right-click on the advertisement you want to reset; click on ALL TASKS; click on RERUN ADVERTISEMENT <read the warning notice - it explains what effect this change will have and why we are doing this>; and click on the YES button.

Step 3: FIRE READY AIM
You now have two choices - wait up to 60 minutes (the default time) for your client PC to "pickup" the new advertisement. Or you can force your client PC to immediately look for and process any mandatory advertisements:
1. Go to client PC with SMS 2003 Advanced Client installed.
2. Start up CONTROL PANEL.
3. Under CONTROL PANEL, double-click SYSTEM MANAGEMENT.
4. Click on the ACTIONS tab.
5. Click on MACHINE POLICY RETRIEVAL & EVALUATION CYCLE
6. Click on the INITIATE ACTION button.
7. Wait - it can take "several minutes" to run
(Immediately is a relative term with SMS 2003).

Step 4: THE WAITING GAME
Check the SMS server to see what is happening with the advertisement: SYSTEM MANAGEMENT SERVER | SITE DATABASE | SYSTEM STATUS | ADVERTISEMENT STATUS | click on advertisement name | on right panel right-click on site entry | SHOW MESSAGES | ALL
Periodically press the F5 key to refresh the view.

On the client PC, check the EXECMGR.LOG file. It should have details on what "events" have been trigged. Just double-click on the file and read it using NOTEPAD or some other text editor.

Remember it can take some time before anything is recorded in the client PC or SMS event log.

 

[BradMcCuller]

Thanks for the info.

I emptied the EXECMGR.LOG file on the client PC and ran through your instructions, but a day later, nothing has happened. EXECMGR.LOG is still empty, and the Advertisement log only shows "User "****" modified the advertisement properties of an advertisement named "MS Security Patch" (***20009) advertising program "MS Security Patch"

I'm pretty sure it's not a connectivity issue, because the server and the test machine are in the same subnet, and even on the same switch, and I can ping both from each other and run remote tools on the test client from the admin console.

 

[2tired2care]

Step 3 should have taken only minutes (at the most 10) to complete with results show in the EXECMGR.LOG.

Can you see any advertisementson the client PC?
Have you been able to run any advertisements - mandatory or advertised on the client PC?

Uh.. not to sound stupid, but have you verified that the target client PC is included in the collection specified for the advertisement?

 

[BradMcCuller]

If I go to the Run Advertised Programs module in the Control Panel from the client PC, nothing shows up. The security update tool is the only advertisement I've tried to run.

Yes, the client PC is in the specified collection, and the advertisement does show up in the collection's properties.

 

[2tired2care]

OK - I would expect that a mandatory advertisement would not show up in the RUN ADVERTISED PROGRAMS module (for any length of time). As soon as it "hits" the client PC, it should popup with a message indicating that a mandatory update will be taking place in X minutes.

Have any of your test PCs run the advertisement?

Give me details about the client PC - IP addresss, Operating system, service pack, legacy or advanced client installed?

Give me details about the other client PCs that are also having problems not running the advertisement - IP addresss, Operating system, service pack, legacy or advanced client installed?

 

[BradMcCuller]

Right now, the two test PCs are a W2K SP3 box at *.*.60.150 and a WXP SP1 box at *.*.60.148. The SMS server is at *.*.60.81. They're all in the same subnet.

So far, the only PC to run the assignment has been the SMS box.

 

[2tired2care]

Step 1: Agents installed and enabled?
Need to check if the agents are installed and enabled on the client PCs.

START | CONTROL PANEL | SYSTEMS MANAGEMENT | click on the COMPONENTS tab

Next to SMS SOFTWARE DISTRIBUTION AGENT does it say ENABLED?
Next to SMS INVENTORY AGENT does it say ENABLED?


Step 2: Order counts
The process of using the security update tool requires that certain tasks be completed in order. An inventory needs to be run before the security update can determine what needs to be installed on the client PC.
1. For each client PC with SMS 2003 Advanced Client installed.
2. Start up CONTROL PANEL.
3. Under CONTROL PANEL, double-click SYSTEM MANAGEMENT.
4. Click on the ACTIONS tab.
5. Click on SMS INVENTORY AGENT
6. Click on the INITIATE ACTION button.
7. Wait - it can take "several minutes" to run
9. Reset the advertisement for the Security tool
(outlined in previous dialog)
10. Clear the log files
(outlined in previous dialog)
11. Click on MACHINE POLICY RETRIEVAL & EVALUATION CYCLE
12. Click on the INITIATE ACTION button.
13. Wait - it can take "several minutes" to run

Check the log files - see if the Security Update ran.

 

[BradMcCuller]

The software distribution agent and inventory agent are both enabled, however, there is no SMS Inventory Agent under actions on either PC.

 

[2tired2care]

Bingo! Think we found the problem.

Without an inventory the security update can't determine which updates are applicable.

On SMS 2003 server:
SYSTEM MANAGEMENT SERVER | SITE DATABASE | SITE HIERARCHY | <SITE > | SITE SETTINGS | CLIENT AGENT | on right panel right-click HARDWARE INVENTORY CLIENT AGENT | click on PROPERTIES | Check box on ENABLE HARDWARE INVENTORY ON CLIENTS | Radio box to select SIMPLE SCHEDULE and change to <whatever you want> | click the OK button

Next let's force your client PC to immediately look for and process the policy change (i.e. Inventory Agent):
1. Go to client PC with SMS 2003 Advanced Client installed.
2. Start up CONTROL PANEL.
3. Under CONTROL PANEL, double-click SYSTEM MANAGEMENT.
4. Click on the ACTIONS tab.
5. Click on MACHINE POLICY RETRIEVAL & EVALUATION CYCLE
6. Click on the INITIATE ACTION button.
7. Wait - it can take "several minutes" to run.
Impatient - reboot the client PC.
Regardless you should see the SMS INVENTORY AGENT show up on the SMS 2003 Advanced Client.
8. Now clear those log files on the client PCs and then rerun the Security Update Tool again.
9. Back to the client PC - click on SMS INVENTORY AGENT
10. Click on the INITIATE ACTION button.
11. Wait - it can take "several minutes" to run.


More background details...
On the SMS 2003 server - To check that a client picked up the advertisement and that the scan tools have run, you can use the RESOURCE EXPLORER to check the SOFTWARE UPDATES node under the HARDWARE node for an SMS client in the collection what the advertisement was made to.
SYSTEM MANAGEMENT SERVER | COLLETIONS | double-click SOFTWARE UPDATE TOOL FOR UPDATES (PRE-PRODUCTION) collection | in right panel right-click client PC you are testing | ALL TASKS | START RESOURCE EXPLORER | explode HARDWARE by clicking on plus sign (+) | double-click on SOFTWARE UPDATES
Software Updates listed under the Hardware node are the results of the scan performed by the Update Inventory Tools. Instances of this class are collected and propagated to the SMS site server using the Hardware Inventory Client Agent.

 

[BradMcCuller]

The client hardware inventory setting has been enabled almost from the start and there are completely accurate hardware inventories of both machines if you use the resource explorer. However, it's not on a simple schedule, I've got it set to run every day at 1:30am. Should the MIF settings be turned on?

 

[2tired2care]

Double-check your package and/or advertisements for Security Update Tool.
Verify which collection you are using.
Verify that the client PC are included in the collection.

After that - I'm out of suggestions.