5 Replies Latest reply on Jul 12, 2013 8:56 AM by mpendleton

    Unable to install ALL patches.


      We seem to be unable to get any of the machines we patch using Protect to install ALL of the detected missing patches.

      The best we can get it down to is 5 to 7 Patches Missing.

      If a machine is detected as having 27 patches to install, it will install 20 or so without an issue, but no matter how many times we rescan and redeploy, we cannot get the final few patches installed.


      As an example, after a fresh VM build of Server 2008 R2, I patch the machine but no matter how many times I scan, deploy and reboot I am still left with the following five patches listed - MSST-001 (Custom Action Patch), MSIE-002 (QIE9001U Toolkit to disable IE9 install), MS13-A02 (Q2847140), MS12-A10 (Q2794220) & MS12-A04 (Q2719615).


      The above is just an example. It appears to occur on most if not all machines, virtual or physical, regardless of O/S.

      I am currently using Protect 8.02 (build 4027), however I have just tested with Protect 9.0 (build 1182) and the issue is still present there.


      Is this a common issue? Can anyone explain to me why this may be occurring?

        • 1. Re: Unable to install ALL patches.



          The problem is that the patches you are mentioning will always show as missing.


          The exact purpose of the "MSST-001 (Custom Action Patch)" is to always show as missing. You should remove this from normal scans.


          The other patches you mentioned are all of the "Security Tool" patch filter type, and they are patches that always show missing because they work like an on/off or enable/disable switch for the patch. You may want to use a patch group to filter these out if you no longer want them to show up.


          I hope that helps.

          • 2. Re: Unable to install ALL patches.

            Hi adamg23,


            Thanks for your response. I've excluded the Custom Action Patch which tidies things up a little.


            So I guess the issue is, I could exclude "Security Tools" in the "Patch type filter settings" and get a "Clean" scan after deploying any other patches, however that would leave the system vulnerable to whatever the security tools were designed to fix.

            As an example, the Malicious Software Removal MSRT-001 (Q890830), which is updated every month by Microsoft fits into this category and would never get deployed if I exclude "Security Tools" from the scans.

            As far as I know, this isn't just an on/off, disable/enable type of patch and (bad example maybe) it doesn't appear as missing after my scans...

            So how can you tell, from a scan after deployment of patches including Security Tools, whether or not the Security Tool type patches have been successfully deployed?



            • 3. Re: Unable to install ALL patches.

              Well MSRT-001 isn't one of the patches that has the enable/disable function so once it's installed it should no longer show as missing - the only thing with this one is that it's updated fairly often so it could seem like it's always missing depending how often you run your scans.


              Are you performing a reboot after applying patches?


              If you are having trouble with patches that continuously show missing other than the enable/disable type patches it might even be a good idea to open a case with support directly.

              • 4. Re: Unable to install ALL patches.

                Thanks again for your quick response.


                With the Security Tools patches, is it possible to tell whether or not it has been applied if it is an enable/disable type patch?

                • 5. Re: Unable to install ALL patches.
                  mpendleton Rookie

                  The Security Tools that have a U beside them in the Patch Q number are the ones that uninstall the Security Tool. I personally exclude those patches so I ensure that those are installed. I don't like how they do those because you have no indication that is what is going on. You keep installing and installing and they never stop installing. Maybe if the patch name said install or uninstall that would help, but instead you get caught in a loop until you check that Q number, and unless you see the U after it, you have no idea because the identical patch without the U looks identical. Very bad way of doing these because they will flash in the console so fast that you have a hard time finding the U ones.