After deploying patches, the Deployment Tracker shows a status of 'Unable to Verify' or 'Complete (not verified)'.
After deploying a patch, the rescan was unable to successfully scan the target machine and verify that the patch was installed.
The common causes of this are:
- Non Admin Credentials Used for Target Machine
- Network interference prevented a successful rescan.
Non Admin Credentials Used for Target Machine
When scanning a machine, Protect needs credentials to authenticate against the target. These credentials are typically set up in the Credential Manager and assigned per machine or machine group. If the assigned credentials do not have Local Admin Rights, have the wrong password, or are not provided at all, Protect will fail over to the Currently Logged On User Credentials (CLOUC). This is seen in the hf.log file:
NetworkLogon.cpp:117 Failed to check administrative access to '10.16.231.35', attempt 1, error: 5.
MachineSelector.cpp:80 Credentials passed in were not admin - using clouc
When initiating a scan from the Protect Console, it will try the following, in order:
- Credentials specifically set to the machine.
- Default credentials defined in the Credentials Manager.
- Currently logged on user credentials (clouc).
Note: If there are no credentials in the Credential Manager set to 'Default', and no credentials are assigned to a machine specifically, it will only try to use the Currently logged on user credentials (clouc). In this instance, there is no mention of the fail-over in the hf.log.
After deploying patches, Protect initiates a re-scan of the target machine to specifically check whether the deployed patches are still shown as missing.
Unlike the initial scan, a re-scan will not fail over to the Currently Logged On User Credentials (CLOUC). The rescan is performed by the Console Service, and the failover would be to the System Account, which would not work. This means that if the machine does not have functioning Local Admin Credentials, the rescan is attempted with invalid credentials and fails. After it fails, it will eventually stop trying and return the status of 'Unable to verify'.
To fix this, the machine needs to have credentials assigned to it that have Local Admin Rights. These can be assigned within a Machine Group if initiating a new set of scans, or on the Machine Record under Machine View (Right click > Machine Properties). Once the machine has had Local Admin Credentials assigned to it, it should be able to re-authenticate against the target machine after a deployment to verify the patch status.
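The following is an added example, not part of the original article or the product: a short script that scans hf.log text for the two messages quoted above and lists the targets whose initial scan fell back to CLOUC, since those are the ones whose post-deployment rescan cannot authenticate. It assumes the 'using clouc' line refers to the most recently named target; the function names and the sample lines other than the two from the article are constructed.

```python
import re

# Message fragments as quoted from hf.log in this article; any prefix on the
# line (timestamp, thread id) is ignored because we search rather than match.
ACCESS_RE = re.compile(
    r"Failed to check administrative access to '([^']+)', "
    r"attempt (\d+), error: (\d+)\."
)
CLOUC_MARKER = "Credentials passed in were not admin - using clouc"
# Standard Win32 error codes; only 5 appears in the article's log excerpt.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

def find_clouc_failovers(lines):
    """Return {target: info} for every target with an admin-check failure.

    Assumption: a 'using clouc' line refers to the most recent target
    named in a 'Failed to check administrative access' line.
    """
    results = {}
    last_target = None
    for line in lines:
        m = ACCESS_RE.search(line)
        if m:
            last_target = m.group(1)
            code = int(m.group(3))
            info = results.setdefault(
                last_target, {"attempts": 0, "errors": set(), "clouc": False}
            )
            info["attempts"] = max(info["attempts"], int(m.group(2)))
            info["errors"].add(WIN32_ERRORS.get(code, str(code)))
        elif CLOUC_MARKER in line and last_target is not None:
            results[last_target]["clouc"] = True
            last_target = None
    return results

def rescan_at_risk(lines):
    """Targets scanned via CLOUC, so the rescan is likely 'Unable to Verify'."""
    return sorted(t for t, i in find_clouc_failovers(lines).items() if i["clouc"])

# Constructed sample: the first two lines are from the article, the rest are made up.
SAMPLE_LOG = """\
NetworkLogon.cpp:117 Failed to check administrative access to '10.16.231.35', attempt 1, error: 5.
MachineSelector.cpp:80 Credentials passed in were not admin - using clouc
NetworkLogon.cpp:117 Failed to check administrative access to '192.0.2.10', attempt 1, error: 5.
NetworkLogon.cpp:117 Failed to check administrative access to '192.0.2.10', attempt 2, error: 5.
""".splitlines()

if __name__ == "__main__":
    print(rescan_at_risk(SAMPLE_LOG))
```

As the note above states, a machine with no assigned or default credentials logs no failover message, so it will not appear in this output and has to be found by checking the Credential Manager assignments directly.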
More Info on Managing Credentials Here.
Network interference prevented a successful rescan.
This typically happens when a machine loses network connectivity before a re-scan can occur. It is usually random and will not recur when you rescan and redeploy any missing patches.
Shavlik Protect 9.x
vCenter Protect 8.x