Patch Mgmt > Patch Update



Patch management automates the process of keeping all your machines up to date with the latest patches. You decide how and when updates are applied on a per-machine basis. For each machine ID you can:

Schedule a daily scan of each machine with the Scan Machine function. The patch status for each machine is reported up to the VSA server and used to determine which machines need a new patch.

Patch Update provides a concise view of all the patches that need to be applied across all the machines matching the Machine ID/Group ID filter. Use this function to quickly determine which patches are missing.

Note: If you have a credential set (using the Set Credential function), then all patches are installed using the rights of that credential.

Note: Patches missing from machines set for automatic update are NOT listed here. These patches are automatically applied at the Automatic Update scheduled time for each machine.

What does it mean when a patch is listed on this page?

One or more of the machines matching the Machine ID/Group ID filter needs this patch applied. To learn the details about the patch, click the Q number link next to the Patch ID. If, after reviewing the knowledge base article, you decide all your machines need this patch, schedule the patch to be installed. It gets installed on all machines that need the patch, at the scheduled time.

Why did the patch installation fail?

Patches are downloaded (or copied from a file share) to the local machine's hard disk. Several patches, especially service packs, may also require significant additional local disk space to install completely. Verify that the machine in question has plenty of available disk space on the same drive where the agent is installed.

What does "Bad Patch File" indicate?

This message indicates that the patch file failed to execute for some reason. If you scheduled multiple patches to install as a batch, all the patches will be marked as "Bad Patch File" even if only one of them failed. The system is reporting a script failure and cannot distinguish which patch in the script caused the failure.

Note: You can determine which patch failed by looking at the Script Log for this machine. The log will indicate which patches successfully installed prior to the script failure.

Possible causes are:

What does "Missing patch location" indicate?

The patches that show up as missing are typically ones where each language requires a separate download. For these, you can enter the patch yourself for the language you are using. You can manually enter the location of the patch on the Patch Location page.

What does "Install Failed" indicate?

After the patch install attempt completes (including the reboot if requested) the system re-scans the target machine. If the patch still shows missing after the re-scan, failure is reported. There are three possible reasons for patch installation to fail.

  1. No Reboot - Several patches require a system reboot before they take effect. If your Reboot Action settings did not allow a reboot, the patch may be installed but is not effective yet (until after the reboot).

  2. Command Line Failed - If the command line parameters set in the Command Line function are incorrect, the patch executable will typically display a dialog box on the remote machine stating there is a command line problem. This error causes patch installation to halt and the patch deployment script to terminate. The patch file remains on the remote machine and Install Failed is displayed. Enter the correct command line parameters for the patch and try again.

MS Office Command Line Failed - The only command line parameter permitted for use with Microsoft Office related patches (Patch ID starts with "ODT-") is "/Q". Because MS Office patches may require the Office installation CD(s), the use of the "/Q" command line parameter might cause the patch install to fail. If an Office related patch fails, remove the "/Q" command line parameter and try again.

Note: If "/Q" is not specified, the Microsoft Office 2000 command line parameter will be automatically reset to blank (no command line parameter), and Microsoft Office XP and 2003 command line parameters will be automatically reset to " /INSTALL-AS-USER /DELAY-AFTER=60". These settings are enforced by the application.

Note: Command line parameters for each patch apply globally and can only be changed by a Master administrator.

  3. Patch Download Blocked - The patch file was never delivered to the machine. The system downloads the patch directly from the internet either to the server or directly to the remote machine, depending on your File Source settings. Your firewall may be blocking these downloads. A patch file delivered to the agent with a size of only 1k or 2k bytes is an indication of this problem.

  4. Patch Location Not Correct - The patch specified in Patch Location is not correct.
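A check for the 1k or 2k byte indicator described under Patch Download Blocked, as an added example that is not part of the VSA product or its documentation. It goes beyond the page by also inspecting the file header; the magic-byte table, verdict names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

SMALL_FILE_LIMIT = 2 * 1024  # the page's indicator: only 1k or 2k bytes
# Assumption (not from the page): leading bytes of common Windows patch formats.
KNOWN_MAGIC = {
    b"MZ": "PE executable",
    b"MSCF": "cabinet archive",
    b"\xd0\xcf\x11\xe0": "OLE container (.msi/.msp)",
}

def classify_patch_file(path):
    """Return (verdict, detail) for one delivered patch file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
    fmt = next((n for m, n in KNOWN_MAGIC.items() if head.startswith(m)), None)
    if size <= SMALL_FILE_LIMIT and fmt is None:
        return "download-blocked", f"{size} bytes, not a patch binary"
    if size <= SMALL_FILE_LIMIT:
        return "suspect-truncated", f"{size} bytes with {fmt} header"
    if fmt is None:
        return "unknown-format", f"{size} bytes, unrecognised header"
    return "ok", f"{size} bytes, {fmt}"

def scan_patch_dir(directory):
    """Map each regular file in a patch download directory to its verdict."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = classify_patch_file(full)[0]
    return results

def demo():
    """Scan constructed sample files written to a temporary directory."""
    samples = {
        "blocked.exe": b"<html><body>Access denied by proxy</body></html>",
        "good.exe": b"MZ" + b"\x00" * 8192,
        "stub.exe": b"MZ" + b"\x00" * 100,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_patch_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_patch_dir` at the directory where patch files land on the agent or file share; a "download-blocked" verdict means the firewall or proxy path for the File Source should be checked before rescheduling.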

What does "User not logged in" indicate?

For the patch to be installed, a user on the machine being patched must be logged in to respond to dialogs presented to the user by the patch. The patch script automatically detects whether a user is currently logged in and will not continue if a user is not logged in. Reschedule the installation of the patch when a user is available and logged in to the machine.

What does "User not ready to install" indicate?

For the Office patch to be installed, a user on the machine being patched must be logged in to respond to dialogs presented to the user by the patch. Since Office patches occasionally require the user to insert the Office installation CD(s) during the patching process, the user is presented with the following dialog box:

Why does the IE5-IE6-EN patch still show missing after a patch update?

IE5-IE6-EN upgrades older installations of Internet Explorer to the latest version. IE does not complete its installation until after the next time a user logs onto that machine. Patch scans will continue to show the patch missing until someone logs onto that machine.

What does "Manual install only" indicate?

Some patches and service packs require passwords or knowledge of a customized setup that the VSA cannot know. These updates must be installed manually on each machine.

The patch was scheduled to run but now it shows as unscheduled and still needs to be installed. Why?

After the patch installation completes, the machine must reboot in order for the patch to take effect. After the reboot, the machine is re-scanned and the results processed by the VSA. This entire process can take several minutes. After you apply a patch to a machine, please wait several minutes before checking the patch state again.

Explanation of items on this page

Schedule

Select a time and click Schedule to install the selected patch on all machines. When you schedule a patch with Apply Update, the following occurs:

  1. The agent on the remote machine is told to start the update process at the scheduled time.

  2. The patch executable is downloaded to the remote machine (from wherever "File Source" is set for that machine ID).

  3. The patch file is executed on the remote machine using the parameters specified in "Command Line". You should never have to set these switches yourself, but just in case, this capability is there.

  4. After all the patches have been installed, the remote machine is rebooted by whatever method is specified in "Reboot Action".

  5. The remote machine is rescanned automatically. It takes 2 to 3 minutes after the reboot is complete for this data to show up on the VSA.

Note: All patches are installed for each machine as a batch. If you schedule multiple patches for installation on the same machine, all the patches are installed at the same time. After all the patches have been installed, the machine reboots once. This technique saves time and reboots.

Note: Service packs are always installed separately. If you are installing a service pack with other patches, you will see a reboot after the service pack install and then another single reboot after all the other patches are installed.

Cancel

Cancel any pending installations of the selected patches.

Stagger By

You can distribute the load on your network by staggering the installation of patches. If you set the stagger for 5 minutes, then patch installation to each machine ID is staggered by 5 minutes. For example, machine 1 runs at 10:00, machine 2 runs at 10:05, machine 3 runs at 10:10, ...

Skip if machine offline

Check to install the update only at the scheduled time. If the machine is offline, the installation is skipped and rescheduled for the next day at the same time. Uncheck to install the update as soon as the machine connects after the scheduled time.