After the patch installation attempt completes—including the reboot if requested—the system re-scans the target machine. If a patch still shows missing after the re-scan, failure is reported. Patches can fail for several reasons:
- Insufficient Disk Space - Patches are downloaded, or copied from a file share, to the local machine's hard disk. Several patches, especially service packs, may require significant additional local disk space to completely install. Verify the target machine has plenty of disk space available.
- Bad Patch File - The phrase Bad Patch File in the Comments column indicates the patch file failed to execute for some reason. If you schedule multiple patches to install as a batch and even one of them fails, all the patches are marked as Bad Patch File. The system is reporting a procedure failure and cannot distinguish which patch in the procedure caused the failure.
- Corrupted Patch File - The downloaded patch file is corrupt.
- Missing Patch Location - The phrase Missing patch location in the Comments column means the URL used to download patches from the Microsoft website is missing. You can manually enter the correct location using the Patch Location page.
- No Reboot - Several patches require a system reboot before they take effect. If your Reboot Action settings did not allow a reboot, the patch may be installed but will not be effective until after the reboot.
- Command Line Failed - If the command line parameters set in the Command Line function are incorrect, the patch executable typically displays a dialog box on the managed machine stating there is a command line problem. This error causes patch installation to halt and the patch installation procedure to terminate. The patch file remains on the managed machine and Install Failed is displayed. Enter the correct command line parameters for the patch and try again.
Note: Command line parameters for each patch apply globally and can only be changed by a master role user.
- MS Office Command Line Failed - The only command line parameter permitted for use with Microsoft Office (prior to Office 2007) related patches is /Q. Because MS Office (prior to Office 2007) patches may require the Office installation CD(s), the use of the /Q command line parameter might cause the patch install to fail. If an Office related patch fails, remove the /Q command line parameter and try again.
Warning: The only switch permitted for use with Microsoft Office 2000, XP, and 2003 related patches (marked as Office) is /Q. If /Q is not specified, Microsoft Office 2000, XP, and 2003 switches will be reset to /INSTALL-AS-USER. Microsoft Office 2003 patches may also include the /MSOCACHE switch used to attempt a silent install if the MSOCache exists on the machine and the /INSTALL-AS-USER switch is set.
- Patch Download Blocked - The patch file was never delivered to the machine. The system downloads the patch directly from the internet to either the KServer, a file share, or directly to the managed machine, depending on the machine ID's File Source settings. The machine ID's firewall may be blocking these downloads. A patch file delivered to the agent with a size of only 1k or 2k bytes is an indication of this problem.
- User not logged in - In some cases a user on the machine being patched must be logged in to respond to dialogs presented by the install during the patch. The patch procedure automatically detects whether a user is currently logged in and will not continue if a user is not logged in. Reschedule the installation of the patch when a user is available and logged in to the machine.
- Credential does not have administrator rights - If a credential is defined for a machine ID, then Patch Management installs all new patches using this credential. Therefore, Set Credential should always be a user with administrator rights.
- Manual install only - Not a patch failure, but a requirement. Some patches and service packs require passwords or knowledge of a customized setup that the VSA cannot know. The VSA does not automatically install patches having the following warnings:
  - Manual install only
  - Patch only available from Windows Update web site
  - No patch available; must be upgraded to latest version

  These updates must be installed manually on each machine.
Troubleshooting Patch Installation Failures
When patch scan processing reports patch installations have failed, a KBxxxxxx.log (if available) and the WindowsUpdate.log are uploaded to the KServer. Additionally, for those patches that required an "Internet based install", a ptchdlin.xml file will be uploaded to the KServer. These files can be reviewed using Agent Procedures > Get File for a specific machine and can help you troubleshoot patch installation failures. Info Center > Reports > Logs > Agent Procedure Log contains entries indicating these log files have been uploaded to the KServer for each machine.
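
The following added example (not part of the VSA product or its documentation) shows one way to triage a patch file on the managed machine against three of the causes listed above: Patch Download Blocked, Corrupted Patch File, and Insufficient Disk Space. The function name, the file path, and the 1 GB free-space threshold are assumptions, as is the premise that the patch is an Authenticode-signed Microsoft package.

```powershell
# Added example: triage a delivered patch file on the managed machine.
# Test-PatchFile, the sample path and the 1GB default are hypothetical, not VSA values.
function Test-PatchFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [long] $MinFreeBytes = 1GB   # assumed threshold; service packs may need more
    )
    $findings = @()

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path     = $Path
            Findings = @('File not found: the patch was never delivered')
        }
    }
    $file = Get-Item -LiteralPath $Path

    # Patch Download Blocked: a delivered file of only 1k or 2k bytes
    # indicates the download did not get through.
    if ($file.Length -le 2KB) {
        $findings += "Size is $($file.Length) bytes: download was probably blocked"
    }

    # Corrupted Patch File: a truncated or altered signed package
    # no longer validates (assumes the patch is Authenticode-signed).
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status): file is corrupt or unsigned"
    }

    # Insufficient Disk Space: check the volume that holds the patch file.
    $drive = $file.PSDrive
    if ($drive -and $drive.Free -lt $MinFreeBytes) {
        $freeMB = [math]::Round($drive.Free / 1MB)
        $findings += "Only $freeMB MB free on drive $($drive.Name)"
    }

    [pscustomobject]@{ Path = $file.FullName; Findings = $findings }
}

# Constructed path, for illustration only.
Test-PatchFile -Path 'C:\Temp\example-patch.exe' | Format-List
```

An empty Findings list means none of these three causes applies, so the uploaded KBxxxxxx.log and WindowsUpdate.log are the next place to look.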