SMS Problem with security updates

rschedin

Technical User
Apr 27, 2005
5
US
I'm just getting started with SMS - quite challenging. We've pushed out some security updates (ms05-11, ms05-12, ms05-13 and ms05-15). Everything looks fine, clients show success, however the updates are not showing as being installed. I've run the MS Baseline Security Analyzer on the machines and it shows the updates have not been installed. SMS says they have. What's going on?

Thanks,
 
What was the date it was set to run? Meaning, if you advertise it, it will send it there but it won't run it until it is scheduled. Are you having these run from the cache? If so, is it in the cache...

 
It was set to run once available. It ran from the Distribution Point. According to the execmgr.log on the client it installed successfully. See below:

Executing program PatchInstall.exe /n /z:ws /q /c:5 /p /t:30 /m:"PatchAuthorize.xml" in Admin context execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Execution Request for program MBSA - ms05-011b state change from Ready to Running execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Checking content location \\DSHSAPEVR4201A\SMSPKGD$\DCS00029\ for use execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Successfully selected content location \\DSHSAPEVR4201A\SMSPKGD$\DCS00029 execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Executing program as a patch. execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Executing Patch Program execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Patch Installation started for the passed command line execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SoftDistProgramStartedEvent
{
AdvertisementId = "DCS20035";
ClientID = "GUID:F46F3F4E-27F8-4616-AED5-A99C50BE28BC";
CommandLine = "";
DateTime = "20050424183239.944000+000";
MachineName = "DSHSDCSCA515243";
PackageName = "DCS00029";
ProcessID = 284;
ProgramName = "MBSA - ms05-011b";
SiteCode = "DCS";
ThreadID = 3456;
UserContext = "NT AUTHORITY\\SYSTEM";
WorkingDirectory = "\\\\DSHSAPEVR4201A\\SMSPKGD$\\DCS00029\\";
};
execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Raised Program Started Event for Ad:DCS20035, Package:DCS00029, Program: MBSA - ms05-011b execmgr 4/24/2005 11:32:39 AM 3456 (0x0D80)
Looking for MIF file to get program status execmgr 4/24/2005 11:32:41 AM 3468 (0x0D8C)
A Matching MIF file PIAStat.mif was found execmgr 4/24/2005 11:32:41 AM 3468 (0x0D8C)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SoftDistProgramCompletedSuccessfulMIFEvent
{
AdvertisementId = "DCS20035";
ClientID = "GUID:F46F3F4E-27F8-4616-AED5-A99C50BE28BC";
DateTime = "20050424183241.851000+000";
MachineName = "DSHSDCSCA515243";
MIFDescription = "";
MIFDescription7 = "";
MIFDescription8 = "";
MIFDescription9 = "";
PackageName = "DCS00029";
ProcessID = 284;
ProgramName = "MBSA - ms05-011b";
SiteCode = "DCS";
ThreadID = 3468;
UserContext = "NT AUTHORITY\\SYSTEM";
};
execmgr 4/24/2005 11:32:41 AM 3468 (0x0D8C)
Raised Program MIF Success Event for Ad:DCS20035, Package:DCS00029, Program: MBSA - ms05-011b execmgr 4/24/2005 11:32:41 AM 3468 (0x0D8C)
Execution is complete for program MBSA - ms05-011b. The exit code is 0, the execution status is Success execmgr 4/24/2005 11:32:41 AM 3468 (0x0D8C)


However the update does not appear in Add/Remove Programs and if I run Microsoft Baseline Security Analyzer it shows the update as not installed.

Thanks!
 
The update sometimes may not show in Add/Remove Programs. Just go to the Software Updates Reports and see if they installed. In addition, the log that you need to look at is the patchinstall.log for the patch installation information. Are you sure that it was not just the scanner that showed as success? The scanner needs to run first before the installation takes place.

In addition, one problem that I have encountered with some of my clients is that they rename the scanner or the patchinstaller advertisements after they have been created with the Software Updates Wizard. If you do that, it breaks the association between the scanner and the wizard, so you may need to delete the scanner and patchinstaller advertisements and create new ones with the Wizard. Make sure the rename happens while the Wizard is running, instead of after everything has been completed.


Gladys Rodriguez
GlobalStrata Solutions
 
Well, I think we're getting closer. Looking at the patchinstall.log on my distribution point I see the following:


Service startup notification received UpdatesInstallMgr 4/20/2005 10:14:04 AM 4916 (0x1334)
PARAMETER: Persistent icon remind interval (/n option) supplied with default value = (180) minutes UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Suppress Reboot for WorkStation UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Suppress Reboot for Server UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Run in quiet (windowless - /q option) mode UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Countdown Period (/c option) supplied with value = (5) minutes UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Default to postpone instead of install (/p option) UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Failsafe Timeout Period (/t option) supplied with value = (30) minutes UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
PARAMETER: Authorization file name = (PatchAuthorize.xml). UpdatesInstallMgr 4/24/2005 11:21:30 AM 4852 (0x12F4)
Start processing of updates UpdatesInstallMgr 4/24/2005 11:21:30 AM 3960 (0x0F78)
Loading Authorization List \\DSHSAPEVR4201A\SMSPKGD$\DCS00027\PatchAuthorize.xml UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
ScanPackage = Security Update Inv Tool UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
ScanProgram = Security Update Inv Tool UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
ITOrganization = DCS SMS ADMIN UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Inside ScanUpdates(). UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Inside LaunchScanProgram(). UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Trying to get the Scan program path from the registry. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get VP cache path, Error return (2) UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Error in getting the scan program name and command line, Scan will not be called
UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get path for scan program, Agent will not evaluate software updates. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get path for scan program, Agent will not evaluate software updates. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SMS_PatchMgmt_Event_No_Scan_Path
{
AdvertisementID = "DCS20033";
ClientID = "GUID:75850BD0-71BC-4CDB-B2FA-4AE85B13D35D";
DateTime = "20050424182131.038000+000";
MachineName = "DSHSAPEVR4201A";
ProcessID = 2284;
SiteCode = "DCS";
ThreadID = 3960;
TimeKey = "1114366890";
};
UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Failed to evaluate updates. hRes = 0x80040200 UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Software updates evaluation failed. Failed MIF will be generated. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
InstallStatusMIFEx() Called with ProgramReboot = FALSE UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Successfully created Status MIF UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Sending completion status to execution manager UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)

Not sure what the "Unable to get VP cachepath, Error return (2)" means. It definitely looks like the patches were not installed.

Thanks
 
It seems you are having problems with the scanner because it says the following:

Trying to get the Scan program path from the registry. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get VP cache path, Error return (2) UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Error in getting the scan program name and command line, Scan will not be called
UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get path for scan program, Agent will not evaluate software updates. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get path for scan program, Agent will not evaluate software updates. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)

Can you look at the scanner log?


Gladys Rodriguez
GlobalStrata Solutions
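
An added example, not part of any post in this thread: Python that reads patchinstall.log text in the flattened form quoted above and flags each run in which the scan program path could not be resolved and update evaluation failed. The function names are hypothetical, and the sample lines are constructed from the excerpts above (the second run's timestamps and thread ID are made up).

```python
import re
from datetime import datetime

# Entry trailer as rendered in the excerpts above:
# "<message> <component> <m/d/yyyy> <h:mm:ss AM|PM> <thread> (0xHEX)"
TRAILER = re.compile(
    r"(?P<component>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
HRES = re.compile(r"hRes = (0x[0-9A-Fa-f]+)")

# Constructed sample: message texts copied from the thread, second run made up.
SAMPLE = """\
Start processing of updates UpdatesInstallMgr 4/24/2005 11:21:30 AM 3960 (0x0F78)
Unable to get VP cache path, Error return (2) UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Error in getting the scan program name and command line, Scan will not be called
UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Unable to get path for scan program, Agent will not evaluate software updates. UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Failed to evaluate updates. hRes = 0x80040200 UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Successfully created Status MIF UpdatesInstallMgr 4/24/2005 11:21:31 AM 3960 (0x0F78)
Start processing of updates UpdatesInstallMgr 5/1/2005 9:05:02 PM 2100 (0x0834)
Sending completion status to execution manager UpdatesInstallMgr 5/1/2005 9:05:40 PM 2100 (0x0834)
"""

def parse_entries(text):
    """Yield (timestamp, component, message); a message may wrap over lines."""
    pending = []
    for line in text.splitlines():
        m = TRAILER.search(line)
        if not m:                      # wrapped message or event body
            pending.append(line.strip())
            continue
        pending.append(line[:m.start()].strip())
        msg = " ".join(p for p in pending if p)
        pending = []
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["component"], msg

def audit_runs(text):
    """One dict per 'Start processing of updates' run, with failure flags."""
    runs = []
    for ts, _component, msg in parse_entries(text):
        if msg.startswith("Start processing of updates"):
            runs.append({"started": ts, "scan_skipped": False,
                         "eval_failed": False, "hres": None})
        elif runs and "Agent will not evaluate software updates" in msg:
            runs[-1]["scan_skipped"] = True
        elif runs and msg.startswith("Failed to evaluate updates"):
            h = HRES.search(msg)
            runs[-1].update(eval_failed=True, hres=h.group(1) if h else None)
    return runs

if __name__ == "__main__":
    for run in audit_runs(SAMPLE):
        print(run)
```

A run with `scan_skipped` or `eval_failed` set means the agent never evaluated the updates, so that run's status should not be read as evidence that a patch was installed.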
 
I'll take a look. However what really concerns me is that per a report "All Packages", SMS shows packages are being installed successfully but the patch is not showing up on the client. Is SMS lying to me or am I reading the report wrong? Here is the status I get from report 108:

Status Message Details


Message Details
Timestamp: 5/1/2005 11:34:11 AM
Message Type: Milestone
Site Code: DCS
Message ID: 10009
System: DSHSDCSCA481146
Process ID: 1868
Source: SMS Client
Thread ID: 364
Component: Software Distribution
Severity: Informational

Description
The program for advertisement "DCS20037" completed successfully ("DCS0002B" - "MBSA - ms05-013b"). The success description was " ". User context: NT AUTHORITY\SYSTEM The program generated an installation status Management Information Format (MIF) file with a status value of Success. For more information, see the documentation for the program you are distributing.

Properties
Advertisement ID DCS20037
Client SMS Unique ID GUID:1AE79ADE-08A6-4849-85B5-0E9628A9B424

This is for patch MS05-013. However, when I visit the machine there is no indication that the patch installed.
 
In order to tell you more about this, I need to know what file the "DCS0002B" - "MBSA - ms05-013b" Advertisement is running. Also, I need to know what the report says about this advertisement. Is the success showing in the "Success MIF" column or in the "Success" column? There is a difference between each and I have found that for several of my customers, SMS does show as "Success MIF" but not as "Success", and the reason for this is that they have renamed some of the Advertisements or packages for the patch installation, which breaks the relationship between the scanners and the patch installation process. When having normal Advertisements, you are allowed to rename the Advertisements, but when you rename the patch advertisements, there is no error shown and everything seems to work fine even though the relationship has been broken.

What I would try is doing the following (I am doing this by memory so I do not remember the exact menu options):
1. Right click in the collection that you want to advertise to
2. Select Software Updates
3. Go through the Scanner wizard, select the patch needed. (Go through the entire process as if it would be new. Make sure you save this in a different name and location than previously)
4. At the end of the Scanner wizard, it will ask you if you want to create a Patch Installation Advertisement, select No (I think you should uncheck a box)
5. Create an Advertisement manually as you would create any other Advertisement.
6. Schedule the scanner to run during the day, watch for the MIF success and then schedule the installation to run at night.

Hope this helps,


Gladys Rodriguez
GlobalStrata Solutions
 
Well, you were correct in that when viewing the Advertisement status we were getting "Program Success (MIF)" and nothing in the "Program Success". I was able to push out the patch to a test machine successfully by rescanning and creating a new package for the update (I verified it was installed in Add/Remove Programs on the machine). However, I still do not see "Program Success" when looking at the Advertisement Status!? How can I verify in SMS that a patch is actually installed? I know I can go to a particular machine in a collection and open Resource Explorer and get this info, but there must be a report which will summarize a whole collection's status. I don't seem to be able to find one.

Thanks,
 
Usually, you would put /kick at the end of the patchinstall so it kicks an inventory at the end of the installation. Else, you can run a manual Hardware Inventory (Hardware Inventory reads the information from inside the Add/Remove Programs Window).

Hope this helps,


Gladys Rodriguez
GlobalStrata Solutions
 
Just in case, I was not too clear about my last step, just change the Advertisement for the patch package installation named expedite. This basically adds a /kick switch at the end of the patchinstall command prompt to kick an inventory of the machine once the installation is performed, in turn expediting the correct reporting. Else, you have to wait until the computer Inventory is performed.


Gladys Rodriguez
GlobalStrata Solutions
 