Exactly how does the TEM Client detect which patches are needed? What does it mean to have a relevant "Corrupt Patch"?
Information on what makes a Fixlet relevant as well as Corrupt Patch Fixlets.
Resolving the problem
The TEM Client will check the registry, file versions, the language of the system, and much more to determine if a patch is needed.
There are two main classes of patch notification Fixlet messages for Microsoft patches:
- Fixlet messages that tell you the patch has not been installed
These Fixlet messages generally check the registry to determine if a patch is not currently installed.
- Fixlet messages that tell you that a patch has been installed, but is now corrupted because at least one file is out-of-date
These Fixlet messages generally check the registry and every file that is installed by the patch.
If any of the files have an older file version than the version installed by the patch, then you will get a Fixlet message that notifies you that the patch has been installed, but not all the files are up-to-date, so you may not be secured against the vulnerability. The Fixlet message will then allow you to re-apply the patch.
This two-pronged approach works much better than a simple "you have not installed the patch" approach because you get more information about why a patch is needed. For instance, if you apply a patch to a group of computers and later notice that TEM reports that some computers have "corrupted patches", then you will know that something has overwritten some of the files (this usually occurs if you install another application or an older service pack, which overwrites the newer files).
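The two classes of check described above can be modelled in a few lines of Python. This is an added example, not TEM's own code or Relevance: the registry marker, file paths, versions and host inventories are constructed placeholders, and treating a missing file as out-of-date is an assumption. It also shows why file versions must be compared numerically, field by field, rather than as strings.

```python
from dataclasses import dataclass

def parse_version(text):
    """Convert a Windows file version like '5.1.2600.1106' to a 4-int tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a file version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

@dataclass
class PatchDefinition:
    registry_marker: str   # key written when the patch installs (placeholder)
    files: dict            # path -> version shipped by the patch

def classify(patch, registry_keys, installed_files):
    """Return (state, stale_paths) for one computer."""
    # Class 1: the registry says the patch was never installed.
    if patch.registry_marker not in registry_keys:
        return "not_installed", []
    # Class 2: installed, but check every file the patch ships.
    stale = []
    for path, shipped in patch.files.items():
        found = installed_files.get(path)
        # Assumption: a missing file is treated like an out-of-date one.
        if found is None or parse_version(found) < parse_version(shipped):
            stale.append(path)
    return ("corrupt", sorted(stale)) if stale else ("installed", [])

# Constructed sample data, not taken from any real patch.
MARKER = r"HKLM\SOFTWARE\Example\Updates\KB0000000"
PATCH = PatchDefinition(MARKER, {
    r"C:\Windows\System32\example1.dll": "5.1.2600.1106",
    r"C:\Windows\System32\example2.dll": "6.0.2800.1400",
})
HOSTS = {
    "host-a": (set(), {r"C:\Windows\System32\example1.dll": "5.1.2600.0"}),
    "host-b": ({MARKER}, dict(PATCH.files)),
    # An older installer overwrote example1.dll after patching.
    "host-c": ({MARKER}, {r"C:\Windows\System32\example1.dll": "5.1.2600.999",
                          r"C:\Windows\System32\example2.dll": "6.0.2800.1400"}),
}

def survey(patch=PATCH, hosts=HOSTS):
    return {name: classify(patch, reg, files) for name, (reg, files) in hosts.items()}

if __name__ == "__main__":
    for name, (state, stale) in survey().items():
        print(name, state, stale)
```

On host-c a plain string comparison would rank "5.1.2600.999" above "5.1.2600.1106" and miss the overwritten file; the tuple comparison reports it as corrupt.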
Note: Both the registry and file versions are continuously being checked by the TEM Client, but the checks are done in a way that requires extremely few computer resources. This way you get the benefit of continuous monitoring without paying a large CPU, memory, hard disk, or bandwidth cost.
Note: Corrupt patches can be difficult to correct in a baseline because of their requirement to reboot after application. If testing in your environment has established sequences of corrupt patches that can be safely applied without reboot, you may use the Corrupt Patch Deployment Wizard in the Patching Support site. This wizard allows creation of Fixlet copies or baselines without reboot-required flags.