Patch Management Troubleshooting


Updating operating systems has come a long way since SUS 1.0 was released back in the day. From HOTFIXES in Windows (NT) 3.x that were released “as is” with sometimes catastrophic results, to Windows Update Service being on and non-configurable in Windows 10.

You’ve come a long way baby… 

Of course now we need to be able to patch systems without disturbing those pesky end-users…  How to do that?  How to not waste time doing that?

At MAX we’ve seen our fair share of patching go ‘sideways’ – it’s no surprise as there are so many possible situations that could present themselves.  Honestly, with literally thousands of patches being released every year, there are bound to be some problems.  So how do you make this system move as smoothly as possible?  With enhancements in our Patch Management feature coming later this year and into next, we want to make sure you can have the best experience possible with the product.  Sometimes this requires a little sleuthing outside the product.  There have been several patches that haven’t behaved as they were supposed to, but may not have caused a directly observable problem.

Take for instance KB3013455 – this patch was a supposed kernel update and it had the fun side effect of making some text unreadable. For the most part something like that won’t go unnoticed because the evidence is literally in your face. But what about KB3004394, for better support on urgent Trusted Root updates? It was discovered that the patch caused serious issues on devices with Windows 7 SP1 or Windows Server 2008 R2 SP1. This led to breakage in the Windows Update Service and subsequent failure of the system to apply many or all following Windows patches.


Since the MAX Patch Management feature leverages the Windows Update Service, patches would appear to fail as a result. Patch Management pulled the patch from its database within 48 hours, and Microsoft released a fix for the issue if you experienced the error. However, they subsequently re-released KB3004394 as a patch that no longer has the problem. Because two patches now exist with the same ID, patch management systems everywhere have had trouble identifying devices that may truly be affected by the issue.

So how do we avoid pitfalls? There are a few things you need to look for on systems you’re thinking of bringing into the PM system.

Check that Windows Update works first

This sounds like a no-brainer, but items like 3004394 caused unseen stoppages that are below the radar. Or below the normal end-user’s radar at least. The service is still running, but when updates are attempted, the connection is rejected and Patch Management halts before it begins. From our dashboard, you won’t see that glaring at you. So run Windows Update one time on a device to make sure it goes out there and can do the proper download. From there, you can configure the service any way you like.

See how many outstanding patches are available

Ever come into an office that has NEVER patched a computer? It happens. Or, the new computer with Windows 7 pre-installed. Well, that OS came out a while ago, didn’t it? There have been a few releases since then … they’ll all show up the first time you open Windows Update. The good thing about Windows Update is that it will “stop” on patches that are prerequisites to others, do the reboot, then list the subsequent patches after the reboot. OR, some of our partners have already thought about things like that and have built their own packages with that in mind. You can use those – we’re not hurt by it. We’ve always said we’ll sit side by side with any other patching system if you want us to.

Look for manual updates or uninstall bad patches

Continuing with the example above, if the first 4394 is installed on a machine, the above steps won’t work. Windows Update will be FUBAR. Well, in this case there was another patch release (KB3024777) to take care of it. Or, if you’re smarter than your average bear, you could uninstall the offending patch. (Because that’s what 3024777 does.) In this case, you’ll be able to let the second 4394 install and life will be roses.
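The three checks above can be run as one pre-onboarding script on the device. This is an added example, not part of the original post or of the MAX product; it assumes an elevated local PowerShell session, and the report field names are made up for illustration.

```powershell
# Pre-onboarding check for a Windows device (added example; run locally, elevated).
$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. Is the Windows Update service present, and what state is it in?
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$report.ServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotFound' }

# 2. Can the Windows Update Agent actually complete a search?
#    A running service proves nothing on its own: the failure described above
#    only shows up when an update check is attempted. The same search also
#    gives the number of outstanding patches.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session -ErrorAction Stop
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $report.SearchSucceeded  = $true
    $report.OutstandingCount = $result.Updates.Count
} catch {
    $report.SearchSucceeded  = $false
    $report.OutstandingCount = $null
    $report.SearchError      = $_.Exception.Message
}

# 3. Is KB3004394 present, and has the KB3024777 removal patch been applied?
#    Both releases of KB3004394 share one ID, so the ID alone cannot say which
#    one is installed. InstalledOn is reported so it can be compared with the
#    re-release date in Microsoft's KB article.
$kb = Get-HotFix -Id KB3004394 -ErrorAction SilentlyContinue
$report.KB3004394Installed   = [bool]$kb
$report.KB3004394InstalledOn = if ($kb) { $kb.InstalledOn } else { $null }
$report.KB3024777Installed   = [bool](Get-HotFix -Id KB3024777 -ErrorAction SilentlyContinue)

# Emit one object per device so results can be collected and filtered.
[pscustomobject]$report
```

A device where the service is running but SearchSucceeded is false, with KB3004394 installed, is the case worth investigating by hand before it is brought into Patch Management.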

 

Do a Windows Update Cleanup

If systems are patched, there will be a lot of “leftovers” on the machine. Removal of the rollbacks may help the system perform better. It got rolled into the 2008 R2 and Win7 Disk Cleanup routines a while ago, so the interface can do it for you. Win8 & 2012 have some automatic settings for it, but there are still other options to increase what and when these OSes are cleaned.

These are just a couple of things to do outside your dashboard Patch Management settings that will alleviate a lot of headaches.  Of course, if you have a favorite routine you like to do, feel free to leave it as a comment below to share with others. 
