IBM Support

Collecting Data: Patches for Windows - Issues with fixlet relevance

Technote (troubleshooting)


Problem(Abstract)

Patches for Windows - Issues with fixlet relevance

Cause

Incorrect relevance. Or relevance does not take into account specific differences on certain endpoint machines.

Resolving the problem

A Patches for Windows fixlet my not properly reflect applicability on an endpoint. It might be possible that the patch has been applied already, however the fixlet relevance still evaluates as true (false positive). Or an endpoint needs a patch and the fixlet that should show as applicable does not (false negative). This issue is fixed by our content development team determining what needs to be changed in the the fixlet relevance, making the changes in the fixlet(s), and publishing a new version of the site with the changes.

Ahead of collecting this data, first perform the following steps to ensure there is no issue on the endpoint machine.

Preliminary Steps

Step 1:

Check to see if the endpoint machine(s) is/are in a state of Pending Restart. You can do this by checking one of the following fixlets in the BES Support site:

    177 Restart Needed
    390 Restart Needed - Triggered by a BES Action
    391 Restart Needed - Not Triggered by a BES Action
Take actions to reboot the endpoint computer as many times as needed until the endpoint machine is no longer in a state of Pending Restart.

Wait an hour after resolving the endpoint away from a Pending Restart state to allow for enough time for the client to report its current patch level state. Then take another action on the patch fixlet (if applicable) to see if a secondary action is successful.

Step 2:

Attempt a manual installation of the patch update. In the fixlet, there is the URL to download the patch update executable. Remote into the problematic endpoint machine as an Administrator and download this patch update executable and attempt to install it. Note and screenshot any error message that pops up

Content False Positive

There are 2 types of false positive:
  • Patch has been installed successfully (action exit code = 0 and can be seen from control panel) but the content still shows relevant again after reboot.
  • Patch cannot be installed (action exit code <> 0 and cannot be found in control panel) but IEM shows it as relevant.
  1. Fixlet ID(s), Name(s), and Site(s) of problematic fixlets
  2. Operating system's name, service pack major version, language and site subscribed.
  3. MBSA or WUA report (if running either of these fails, please provide error message screenshots)
  4. On the endpoint, capture the output to the following commands from the command line:
    • systeminfo > sysinfo.txt (send this sysinfo.txt file to the PMR)
    • wmic qfe list > qfe_list.txt (send this qfe_list.txt file to the PMR)
  5. Client diagnostics
  6. Manually install the patch again to see whether it can be installed. If there is any error message prompting up, get the screenshot o or the text of the message.
  7. If the patch is for windows kernel, export the following keys of native registry:
      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing"
      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide"
      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"
      "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" (For .Net fixlet only)
    7. If the patch is for Microsoft Applications, such as Office or Sharepoint server, export the following keys of native registry:
        "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"

    Content False Negative

    If a content is reported as false negative, the following data will be helpful for verifying and identifying the issue:
      1. Fixlet ID(s), Name(s), and Site(s) of problematic fixlets
      2. QnA results of the problematic fixlet's relevance statements using the Fixlet Debugger
      3. Operating system's name, service pack major version, language and site subscribed.
      4. MBSA or WUA scan report, if any.
        • systeminfo > sysinfo.txt (send this sysinfo.txt file to the PMR)
        • wmic qfe list > qfe_list.txt (send this qfe_list.txt file to the PMR)
      5. Client diagnostics
      6. Try to manually install the patch to see whether it can be installed. No need to complete the installation process since we just need to know the applicability. Report the error message that results (if any).
      7. Export the following keys of native registry from the endpoint:
        • "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing"
          "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide"
          "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"
          "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" (For .Net fixlet only)

      Cross reference information
      Segment Product Component Platform Version Edition
      Security IBM BigFix Patch Patches for Windows

      Document information

      More support for: IBM Endpoint Manager for Patch Management
      Patches for Windows

      Software version: Version Independent

      Operating system(s): Windows

      Reference #: 1984964

      Modified date: 03 May 2017


      Translate this page: