Eval of Patch Management in ZCM 11.2

Similar Messages

• ZCM Patch Management Dashboard blank

  I'm using ZCM 10.2 RC1 and am trying to test Patch Management. I have patch management working, patches have downloaded and DAU is running. One thing that is not working is the dashboard. I have flash installed but the dashboard is blank. Are there any special requirements for the dashboard? Has anyone else got it working?
  BTW, I'm running ZCM under Windows Server 2003 Standard x64 SP2.
  Jim Webb

  Originally Posted by jwebb
  I'm using ZCM 10.2 RC1 and am trying to test Patch Management. I have patch management working, patches have downloaded and DAU is running. One thing that is not working is the dashboard. I have flash installed but the dashboard is blank. Are there any special requirements for the dashboard? Has anyone else got it working?
  BTW, I'm running ZCM under Windows Server 2003 Standard x64 SP2.
  Jim Webb
  Which browser are you running? There is a known bug affecting IE...

• ZCM Patch Management Patch Status Inaccuracies

  We currently have issues with ZCM Patch Management incorrectly reporting the status of a couple of Microsoft updates. Specifically, we have firm evidence of this for the following patches (but suspect there may be more):
  Microsoft Office 2007 SP3 - Microsoft Baseline Security Analyzer shows it as required, ZCM says its already applied.
  MS11-049 InfoPatch 2007 - Microsoft Baseline Security Analyzer shows it as required, ZCM says it's not applicable.
  We are checking the ZCM status in both the {guid}.state file on the device (which has today's date stamp) and in ZCC - both of these places show the same, incorrect, status.
  We see this issue on multiple managed devices. The zone is 10.3.3. Devices have 10.3.3 with Patch Management Agent Update 2.
  This isn't a timing issue, as we have left things several days before checking the status again.
  I am raising a call with our Novell reseller, but am interested to find out if anyone else is seeing similar issues.
  Thanks,
  Martin

  metheridge,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Are patches for the adobe suites included in ZCM patch managment?

  I see all the acrobat reader updates, but no updates for Acrobat pro or the
  other components of the creative suites.
  Are these included in patch managment or do we still hve to rely on the
  Adobe update system?

  Originally Posted by spond
  Kevin,
  > So I wonder then if the ZPM in ZCM still uses
  > fingerprinting for its bundles.
  >
  yes it does, the logic's still the same, deep-down, it's just that at
  the moment, there doesn't seem to be enough of a business case to
  recode the PDK for the ZCM-style architecture. For those of us still
  running standalone ZPM, the PDK still works, and since the patch logic
  is the same, i can use it to see what's in the ZCM patches...
  Shaun Pond
  thanks Shaun. Makes me feel better.
  I'll submit an RMS request for the Adobe products. Given that Adobe now surpassed MS in terms of vulnerabilities I think it's a poor decision on Novell's part to NOT patch the "paid for" Adobe stuff like Acrobat Standard, Pro, etc.
  Especially when Adobe 9 incorporated Flash and "Acrobat" together.

• ZCM 11.2.4 - 11.3.1FRU1 Patch Management Agent Update 1

  Tried the "updated" exe files, patch management now says all of our win7 machines with Office 2007 are missing SP3 (KB2526086) which is completely wrong.
  https://download.novell.com/Download...d=G072RdrX4b0~

  dtemple-sgi,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://www.novell.com/support and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Forums Team
  http://forums.novell.com

• Disable Patch Management temporarily on clients?

  I've just noticed now that we've got ZPM enabled it seems to get a bit overexcited and start trying to patch machines while they're still being configured during our imaging process. For example our scripts go:
  Image > drivers Novell Client > ZCM Agent > pre-load Bundles > AV = finish
  Seems like ZPM kicks in as soon as the Agent registers into the zone. In theory it shouldn't do anything as I have the DAU set to 30 minutes after refresh (with ZCM auto refresh disabled) but yet I still see a Novell patch manager popup slide in from the corner (then disappears as quickly as it arrived)
  Is there a command that can be used to temporarily disable all ZPM activity on a client? Might also be important for us for any online exams that could fall in the overall patching window.

  gshaw0,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Zenworks patch management and databases

  Are there any known issues of Zenworks patch management deployment and corruption of Zenworks database? What would be best practices of Patch Managment and the Zenworks database?

  Originally Posted by craig_wilson
  Keep the Data Retention for Dashboard data low.
  (No more than 30-60 days.)
  Otherwise this table can grow very large and cause issues.
  I believe 11.3 will have some redesign that will reduce the overhead
  with that table and perhaps allow for longer retentions.
  On 8/22/2013 10:46 AM, sflegnc wrote:
  >
  > Are there any known issues of Zenworks patch management deployment and
  > corruption of Zenworks database? What would be best practices of Patch
  > Managment and the Zenworks database?
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Knowledge Partner
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.
  And if you have say, 4,000 devices or more, I'd suggest even setting it down to 1 day or 7 days at the max. And set it WHEN you setup ZCM, not afterwards, because the database purge/changing isn't optimized properly (at least for Oracle).
  Even with 7 days for us, it takes forever to delete a workstation/device along with a slew of other things. But Novell is aware of these things, and hopefully 11.3 will address most of the speed/performance issues.

• Anybody have a truly functional Patch Management Component?

  Does anyone have a flawless Patch Management component? One that updates caches, distributes patches, completes a daily subscription download, and just works the way it's designed to? If so, what's your setup? ZCM and agent version, Windows, SLES, Internal DB, etc? I'm just curious if switching our configuration would help our situation. We've had issues with Patch Management for as long as we've had the product. I have two SRs in and nothing is happening. :-(
  We're running the ZCM 11.2.1/SLES 11 virtual appliance. Single primary and an internal Sybase DB.

  Originally Posted by jdkoerner
  The forceful update is due to bad setup of the patch bundles. Usually you
  can look in your application or setup event log and see the switches that
  are being used by patch management. On a lot of non MS critical patches
  they are wrong or the logic of the bundle ignores if you have set to no
  reboot. For example a number of Lync patches don't end up with the
  /norestart switch even if you set the deployment to no reboot.
  Getting individual patches fixed is a real pain. I have one SR from March
  that still has not got anywhere and it actually the second one for the same
  problem. I stopped doing new SRs for individual patches after I got Acrobat
  reader 10.1.2 and then 10.1.3 fixed so they would install correctly on 64
  bit machines. Now 10.1.4 is wrong with the same problem but I am sick of
  going through the hassle when nothing was learned or carried forward from
  the 2 previous patches. I think problems with individual patches obviously
  don't get much priority but if they don't work then what is the point of
  using patch management.
  I am sure most of us here could generate a list of patches that do the
  forceful no warning reboot but not sure if we would have to SR each one or
  could do it as a bundle. If we dumped in a number of them the may get
  looked at with a little more urgency.
  Jim Koerner
  Server - ZCM 11.2.1 w/MU2 and Internal Database on Win2008R2x64
  Client - ZCM 11.2.1 w/MU2 on Win7SP1x64 and WinXPx32
  "baarsd" <[email protected]> wrote in message
  news:[email protected]...
  >
  > I can't say we have either! We are running ZCM 11.2.1 as well (Windows
  > server 2008 R2 x64) with an Oracle 11g backend database (on Windows
  > server 2008 R2 x64) and have just started using ZPM - I have an SR
  > (#10794524091) open because all the patches I've tried deploying have
  > varying levels of failure -
  >
  > - tried deploying Adobe Reader 10.1.4 update as a baseline, machines
  > started rebooting VERY forcefully (no chance to save anything, just
  > *bang* it's rebooting)
  > - Skype update failing to install (that's posted here
  > http://forums.novell.com/novell-prod...h-failing.html)
  > - Java updates reporting errors;
  > "Action "Failed to launch C:\Program Files
  > (x86)\Novell\ZENworks/zpm/Remediate.exe. Exit code: 144" of the child
  > bundle "Oracle Java JRE 1.6.0_35 for Windows (Update) (All-)195861068"
  > failed."
  > In "Programs and Features" it appears to be installed but if I try and
  > verify java ('Verify Java Version'
  > (Verify Java Version)) it says it isn't
  > installed
  >
  > So I'm not very impressed with the product at the moment
  >
  >
  > --
  > baarsd
  > ------------------------------------------------------------------------
  > baarsd's Profile: View Profile: baarsd - Novell Forums
  > View this thread: Anybody have a truly functional Patch Management Component?
  >
  If you're getting slow responses on your SR's, you can post on the Product Neutral -> Talk to a technical services manager and post your SR # and they should be able to prod things along for you, hopefully.

• Adobe Reader and Acrobat Pro updates for 11.0.10 being pushed out through SolarWinds Patch Manager are not being recognized as applicable.

  I am trying to update our Adobe Reader and Acrobat Pro to 11.0.10 using the default MSP packages with SolarWinds Patch Manager.  All of the systems keep reporting as 'NOT APPLICABLE'.  All of the workstations have Reader11.0.09, with about 10% still on 11.0.08 (due to the fact that the reader 11.0.09 package only patched about 2/3 of the systems).  All systems that have Acrobat Pro are 11.0.09.
  In SolarWinds I am using the "Adobe Systems, Inc. Packages" node.
  Adobe Systems Acrobat 11 Catalog
  Adobe Systems Reader 11 Catalog
  and the SW Patch Manager downloads the msp's straight from Adobe.
  I have checked the msp's manually and they will update at least back to 11.0.07 in Reader, and 11.0.0 in Acrobat Pro. (I had an old stand alone system that still had Reader 11.0.07, and I did a new install of Pro and went straight to update 11.0.10)
  The SolarWinds Tech said, "Okay. That content is produced by Adobe. Any questions concerning applicability logic or diagnosing why a package reports as NotApplicable when that's not expected would need to be directed to Adobe, as they are solely responsible for that content and its behavior".
  I am new to SolarWinds Patch Manager, and any help or advice would be greatly appreciated.

  It sounds like you are attempting to use the SCUP catalogs outside of the MS solution.  I can almost guarantee you that Adobe didn't test it if it's not referenced in the ETK:  11   SCCM-SCUP — Enterprise Administration Guide
  That being said there "should" be logging available in any deployment solution.   Since I am not familiar with Solar-Winds particular solution I can't say if it logs errors and how verbose those logs might be.    If you have logs then post the output and the forum members "might" be able to assist you.

• Solaris 8 Patch Manager Error

  Anyone have any idea what this error is or how to resolve it? I'm trying to run smpatch on a Solaris 8 Sun Blade 100 box and getting the following error:
  /usr/sadm/bin/smpatch download -i 112438-01
  Requested patches:
  112438-01
  Downloading the requested patches
  Error: PatchPro failed: StateMachine.start(): State machine failed.
  State.getActionResult(): No valid result.
  com.sun.patchpro.util.NoResultException: State.getActionResult(): No valid result.
  at com.sun.patchpro.util.State.getActionResult(State.java:405)
  at com.sun.patchpro.util.StateMachine.getActionResult(StateMachine.java:490)
  at com.sun.patchpro.model.PatchProModel.getPatchAccumulator(PatchProModel.java:1041)
  at com.sun.patchpro.cli.SMPatchServices.downloadPatches(SMPatchServices.java:1724)
  at com.sun.patchpro.cli.SMPatchServices.main(SMPatchServices.java:709)

  Hi,
  I've just found the following in another thread:
  The workaround for the bugID 6221832 (java being in another path than the default /usr/j2se/bin/ for Patch Manager 2.0 on Solaris 8) is to edit the pprosetup and pprosvc scripts
  from /usr/sbin/pprosvc :
  JAVACMD=/usr/j2se/bin/java
  edit pprosetup and pprosvc scripts file and set JAVACMD locale variable to newly java installed path and launch smpatch get command again
  Thank you. I've editted both scripts and changed the JAVACMD variable to be ${JAVA_HOME}/bin/java and now everything is working.
  Thanks.

• Sun update manager with patch manager

  I need to use both products since I have systems running Solaris 10, 9 and 8. Is there a way to get them to work together?
  Ideally, I would like to have 1 system talk to SUN to manage the application and downloads. I would want the system to distribute the patches to all the other systems.

  Yes, this is possible. We would recommend setting up Sun Update Manager on Solaris 10 as your patch proxy (with a connection to Sun). Both Update Manager on Solaris 10 and Patch Manager on Solaris 8 and 9 can then be configured as clients.

• What is Sun's answer about PCA  patch manager free tool ?

  Hi all,
  this post aims on echoing customers'feedback.
  from customers'experience it seems that smpatch from patch manager tool is suffering of a lack of reliability.
  One of them moved to a new freeware called PCA-Patch Check Advanced
  http://www.par.univie.ac.at/solaris/pca/
  From PCA Web Site we can read:
  Sun has offered various tools in the past to analyze Sun/Solaris systems for patches which are installed or missing, e.g. PatchDiag, PatchCheck, PatchPro, smpatch (see the Sun Patch Portal for details). Some of them are not actively maintained, some are huge and opaque, some don't run on older Solaris releases or stripped-down machines. None of them really made me happy. Based on PatchCheck source I implemented PCA, which gets rid of the disadvantages of Sun's own tools.
  I would like to know what is Sun's position and could it be possible to integrate such a tool ?
  Thanks.
  Malek.

  - Sun is always interested in customer feedback, and is interested in
  the concerns expressed here.I'd also very muck like Sun to be interested in fixing the customers problems, which has not been done in my cases. No solution or explanation has been given to my many cases opened on smpatch, and this, even though in some cases, patches were made (months later): I was never told about them. Which makes me wonder about the point of having paid support contracts in the first place.
  But since UM was developed by interns, it's no wonder there's trouble maintaining it (how do I know? I've been an intern doing Java development, and I made the exact same beginner's mistakes, not knowing to handle exceptions, leaving debug output on stdout, being unable to make proper localisation).
  It's obviously not the work of experienced Java programmers. Hard to trust it...
  - We do understand that opaque is bad, but one of Sun's goals is to
  provide complex analysis beyond matching patches with installed
  packages. This analysis and its support processes will necessarily
  be somewhat opaque.What analysis are you talking about? smpatch is not even able to tell me that security fixes are available for NSS, which has been part of Solaris for years. PCA does.
  And what about Studio? Why can't smpatch tell me there are patches for that, too? And why aren't free patches, that are neither recommended nor security (such as the man patches) shown by smpatch when running without a contract?
  - We are interested in the concerns surrounding stripped-dow
  systems, and are considering a "light" version of our tools that would
  support minimal systems. However at this time there are no plans to
  release a light version.And what about systems without a network?
  And what about not forcing me to read and agreeing to a, abusive license agreement, which can't even be printed, nor shown full screen (5 lines at a time!)?
  And, please, can you explain me why I should agree to respect Reuters so-called intellectual property? What does it have to do to with keeping my systems up to date reliably and easily? Is it a competition between Sun and Microsoft to put the most ludicrous licenses on line?
  Anyway, I'm sure Solaris 11 will introduce some new bloated offspring of the PatchProManagerUpdateConnection family, so I'm not holding my breath. Rather than repeat this experience again and again, I'll stick with PCA.
  Laurent

• Patch manager

  Can someone help me run the patch manager? I have downloaded and installed the patch manager from the sun website. I have found the help files, which are not very helpful, but where do you run it from? the help file says use the browser, been there but have not been able to find out where it put the files I''m supposed look at. when I do look at some HTMl pages I do find I get the code not the web page.
  Frustrating!!!
  Where's a little icon or menu that says "Patch manager here Dummy!"
  Thanks
  Bill

  Hello Thiago,
  if the patching procedure is empty, then one important post installation step has to be executed. It is about "defining a software library path". This step will not only define a path, but will also populate data into it. After a while the missing patching procedures shall come up automatically.
  Please inspect the installation guide for ACMP for further details and advice.
  Kr
  Volker

• Handling of pending reboot, exclusive updates for patch management with SCCM 2012

  Hello,
  Planning to use SCCM 2012, I would like to understand how smart is SCCM 2012 when dealing with specific patch management situation.
  Assuming I have the following:
  - A given server to be patched is missing a lot of updates, several being mutually exclusive. This typical case will require several reboot / patching to properly obtain a server fully up to date.
  - A given server to be patched is in pending reboot state because the local admin installed new software and has not restarted the server yet as requested
  - Those servers have configured maintenance windows of 2 hours during each night. I scheduled a deployment of missing patches authorizing restart.
  --> when the maintenance window will be reached:
  - will the server first be restarted to clean the pending reboot ?
  - will the the server be patched / restarted several times as required to fully meet the updates to be deployed.
  Another scenario on workstation side:
  - can I enforce deployment of updates at a given time, do not automatically restart the workstation during patch deployment, but after deployment schedule a mandatory restart with a countdown if there is a pending reboot... From end-user perspective, it
  would have the following behavior. For instance:
  - patches are automatically installed on Monday at 10 AM
  - as soon as deployment is done, warning message is displayed to ask users to reboot
  - then user has up to 48h to restart his computer by himself. If he does not do it, it will be automatically done after countdown expires.
  --> Can such a scenario be managed by SCCM 2012 ?
  Regards.

  Hi,
  I have a related question about deploying Microsoft Security Updates to workstations via SCCM 2012.  Is there a way to deploy the MS updates to workstations and only suppress reboots for machines with users logged on or locked?  There seems to
  be only 2 different options for reboots, Suppress them all or don't suppress them at all.  We would like SCCM to reboot the machines that are logged off, but suppress the reboot for those that are logged on, while at the same time, provide the user with
  a notification that their machine needs to be rebooted (at their convenience). 
  We've tried applying the Domain GPO "No auto-restart with logged on users for scheduled automatic updates installations" (Enabled) and "Configure Automatic Updates" (Disabled), but the logged on/locked machines still receive the restart countdown with no
  option to postpone or delay.
  This is a show stopper for us since we have an environment where we are absolutely not allowed to reboot a logged on machine.
  For a little background, we are coming from SMS 2003 and the Distribute Software Updates (ITMU) way of deploying MS Updates, where we could always set the program to run "Only when no user is logged on".
  Please tell me there is a way to achieve our desired result.
  Thanks,
  Dan 

• What is the best approach for patch management

  Hi,
  I'm new about patch management. I would like to ask you how manage patch on few Solaris 10 servers using command line.
  I would like to know:
  1. Using only command line how to download latest patches
  2. There are some dependencies how to check this and install only those patches which meets dependecy requirements?
  3. Is there possiblity to atomate this?
  4. Is it possible to have one patch server and others servers will download and install this patches?
  5. What if some patches are not installed?
  6. How to find out which patches are necessary and which patches don't have to be installed? Or maybe or patches to be installed?
  7. Could you please describe your approach for managing patches? Or maybe you can recommend some books/web page/articles that can help me to understand patch management.
  Thanks in advance,
  Daniel

  smpatch is the command line tool to manage solaris patching. first you need to register yours system - this can be done using sconadm, detailed here:
  http://sunsolve.sun.com/search/document.do?assetkey=1-9-82688-1
  smpatch analyze will list all required patches and resolve dependencies. smpatch download will download all the required patches, and smpatch update will apply them. You can set up a Local Patch Server to download patches, then your clients will download the patches they require from it. This is detailed in chapter 6 of the update connection admin guide