BLPatchCheck2 uses stPatchAssessment.dll to run the analysis against the hfnetchk6b.xml and generates results.xml
Hfcli is not used.
Hfcli = Shavlik wrapper around stpatchAssessment.dll
BlPatchCheck2 = BladeLogic wrapper around stPatchAssessment.dll
For more information and some troubleshooting tips, review my webinar on Windows Patching Troubleshooting in: ftp.bmc.com/pub/BLL1Training
I developed it targeting most common pain areas.
Many thanks for your feedback and the very helpful material.
We are just reviewing it now.
Also the other product areas that are covered are very much appreciated!!
From the directory structure, I can see that "Number 7" seems to be missing.
Would you be able to provide that material as well, in case it covers another area of BBSA / BDSSA?
Number 7 was supposed to be a Compliance Troubleshooting Guide that I never had time to finish.
It's still in the works along with more troubleshooting guides such as Deploy Job Troubleshooting. This is just the first batch of webinars that we released.
Maybe you also can help with the current issue that we are facing when patching a Windows Server 2008 R2 SP1.
Following given facts:
BLAppserver 8.1 SP2 on W2k3x64
RSCDagent on target 8.1 SP2 P4
Offline-Patch-Catalog in BL containing the following filters all with language set to "English":
<product-category>Microsoft WindowsServer 2008</product-category>
The catalog was again updated this morning. hfnetchk6b.cml and pd5.xml are at the latest version.
The catalog uses "Agent Mounts Source For Direct Use At Deployment" and uses properties to identify the correct Network URL for Payload Deployment.
The according Patch-Analysis Job is set with the following options:
- Group option ticked
- Include Security Patches
- Include Security Tools
- Include Non-Security Patches
- Exclude Service Packs
- Create Remediation artifacts
- Deploy job options are set to ignore item defined reboot settings (as we boot at the end of the PPBJ)
This Patch-Analysis/catalog combination identifies 52 missing patches (please see exported analysis result attached).
When deploying this generated Remediation-Job the overall status of the job is failed due to a single patch being "not applicable".
As each entry in the generated Remediation-Blpackage is set to "Continue" for "Action on Failure" all other patches are installed successfully.
Following investigations have already been done:
The patch exiting with a "Non-Zero" exit code is the patch for MS11-A04 which gets installed in position 29.
The exit code produced by that patch is -2145124329, which seems to match "Not applicable" according to information on the web.
To further track this down the following steps have already been done:
1.) After the Patch-Job finished with status "failed" we tried to install MS11-A04 manually, which is "Windows6.1-2008-R2-SP1-KB2533623-x64.msu-MS11-A04-en-WINDOWSSERVER 2008 R2 ENTERPRISE (X64)-SP1" in the depot.
This also gives us the following error: "The update is not applicable to your computer"
2.) We canceled the PPBJ directly before the patching-job started and then tried to install the described patch manually. This time the installation finished successfully without any problem.
Due to this we believe that the patch for MS11-A04 is conflicting with one of the 28 patches that get installed just before that; it seems that one of these patches makes it obsolete.
We now wonder where the problem lies:
- Should Shavlik not include MS11-A04 in its analysis as it seems to be conflicting with one patch in between?
- Should the BL deploy job ignore the "not applicable" error-code?
When the Deploy job finished with status "failed" it has basically deployed 51 patches.
When we then reboot the server and run a patch-analysis with the same options as before, no patch is shown as missing, although MS11-A04 has not been deployed, but was marked as missing in the first run.
What we did in a next step was to execute the following on the server:
blpatchchk2.exe 0 -pt 4 -s [hfnetcheck.xml] [results.xml]
According to Shavlik's hfcli documentation this will scan for "Security Tools", which is the category that MS11-A04 belongs to.
In the generated results.xml MS11-A04 is showing up as "EffectivlyInstalled".
Therefore it seems obvious to me that the patch is superseded/included/conflicting with another patch that was included in the Patch-Analysis-Deployment.
Hmm - that issue should be resolved (QM001708015 addressed in 8.1 SP2)
You should open a support issue.
There is a workaround to prevent the job from failing:
On the console, click Configuration on the menu bar and select Patch Global Configuration
Select the Windows tab
In the "Patch deploy success return codes" edit box, enter -2145124329
Click the save icon
Test the patching job - the -2145124329 will still occur, but the patching job should be marked as successful
Thx for your feedback, the support issue has been already opened.
I just looked at the generated "Auto-Remediation" Package again and realized that the patch categories seem to be deployed in several blocks that are related to the tick-boxes on the analysis-job.
The first blocks are the Security Hotfixes, the second the Security Tools, followed by the "Other Updates" block.
Is that the intended behaviour?
We still think that MS11-A04 is somehow superseded/conflicting by one of the Security Hotfixes deployed in the first block.
Yes, the return code is caused by trying to apply a non-applicable patch.
This was the problem scenario reported in the problem tracking record:
1. If Patch A is superseded by patch B and is on a target A and missing on target B, it shows both patches missing in the analysis result
2. During deploy, if it deploys patch B first and then tries to deploy patch A, it will not deploy since patch B is the newest
Historically, this has not caused any problem, but recent changes to the Microsoft code now produce this new return code.
As I understand it, the fix supplied by QM001708015 should correct the order of deploy (Patch A will get deployed first and then patch B)
The workaround supplied will prevent the return code from causing the patch job to fail.
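The ordering problem and the return-code workaround described above, as an added Python example that is not from the thread or from BladeLogic: it orders missing patches so that a superseded patch is deployed before its superseder, and evaluates exit codes against a configurable success list. PATCH-A/B/C, the supersedence map and the default success codes 0 and 3010 are assumptions for illustration; -2145124329 is the signed 32-bit form of 0x80240017 (WU_E_NOT_APPLICABLE).

```python
# Constructed illustration: names and data below are hypothetical.
NOT_APPLICABLE = -2145124329          # exit code reported in the thread
DEFAULT_SUCCESS = {0, 3010}           # assumed defaults: success, reboot required


def to_hresult(exit_code):
    """Render a signed 32-bit exit code as the unsigned hex HRESULT."""
    return f"0x{exit_code & 0xFFFFFFFF:08X}"


def deploy_order(missing, superseded_by):
    """Order patches so a superseded patch precedes the patch replacing it.

    superseded_by maps old patch -> newer patch (one superseder per patch,
    a simplification). Patches without a relationship keep their order.
    """
    pending, ordered = list(missing), []
    while pending:
        # Ready: no patch still pending is superseded by this one.
        ready = [p for p in pending
                 if not any(superseded_by.get(q) == p for q in pending)]
        if not ready:
            raise ValueError("cyclic supersedence data")
        ordered += ready
        pending = [p for p in pending if p not in ready]
    return ordered


def job_status(results, success_codes):
    """results: list of (patch, exit_code). Returns (status, failures)."""
    failures = [(p, to_hresult(rc)) for p, rc in results
                if rc not in success_codes]
    return ("failed" if failures else "success"), failures


if __name__ == "__main__":
    missing = ["PATCH-B", "PATCH-A", "PATCH-C"]       # analysis result order
    print(deploy_order(missing, {"PATCH-A": "PATCH-B"}))
    # Scenario from the thread: B went first, so A reports "not applicable".
    run = [("PATCH-B", 0), ("PATCH-A", NOT_APPLICABLE), ("PATCH-C", 3010)]
    print(job_status(run, DEFAULT_SUCCESS))
    print(job_status(run, DEFAULT_SUCCESS | {NOT_APPLICABLE}))
```

Adding the code to the success list only changes how the job is reported; the superseded patch is still skipped, which matches the later analysis showing nothing missing.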
As we are running on BL 8.1 SP2 I'm afraid this is not fixed completely.
Your Training Guides are great!
Did you ever produce the Compliance section or any others, please?
Lately we've been mainly focusing on cleaning up and releasing the Knowledge Base articles which were in our backlog. We made some great progress there, so this should allow us to dedicate more time to webinars. I hope to get this done sooner than later.
These guides are superb for the forum users, good to see this post of yours.
Hi Lazar, sorry if I'm a little bit out of topic...you wrote:
"For more information and some troubleshooting tips, review my webinar on Windows Patching Troubleshooting in: ftp.bmc.com/pub/BLL1Training"
At that link, number 7 is missing.
These guides have been with me for a long time but I never noticed that 7 is missing.
Though I think it covers all.