1 Reply Latest reply on Jan 20, 2017 7:40 AM by rdavidson

    Need help on why Shavlik finds certain patches required when doing a patch scan

    MichaelR Rookie

      I have two examples / questions I need clarification on.

       

      We have some Windows servers and are trying to patch them with Shavlik.

       

      Our My Patch Scan Template is set to scan only for Microsoft patches, and we exclude SQL and .NET. See screenshot example.

       

       

      Yet when we did a scan Shavlik found the following patch as missing, which is clearly a .Net Framework patch.

       

          

      Original Patch Status | Current Patch Status | Product | Service Pack | Affected Machine Count | Patch Type | Bulletin ID | Bulletin Title | Vendor Severity | QNumber | Uninstallable | Downloaded | EOL
      Patch Missing | Patch Missing | Windows Server 2008 R2 Enterprise (x64) | SP1 | 1 | Non-security patch | MSWU-599 | FIX: .NET Framework 3.5 SP1 application | None | Q2637518 | Yes | Yes | #########

      Second

       

      We have some Windows Servers running Exchange 2010 and 2013.  Shavlik successfully found we needed KB3184730 on 2010. 

      https://support.microsoft.com/en-us/help/3184730/update-rollup-16-for-exchange-server-2010-service-pack-3

       

       

      It failed to find the similar patch for 2013 and it was not already installed, KB3197044.

       

      https://support.microsoft.com/en-us/help/3197044/cumulative-update-15-for-exchange-server-2013

       

       

       

       

      https://support.microsoft.com/en-us/kb/3184730

        • 1. Re: Need help on why Shavlik finds certain patches required when doing a patch scan
          rdavidson SupportEmployee

          Hello,

           

          So there are a few things going on here. The first patch, under MSWU-599, is being offered because the affected product is actually Windows Server 2008 R2, not .NET. There are some patches for various programs (often .NET, critical Flash updates, IE) that are considered an OS patch, due to the particulars of that patch itself. Because filtering is per product, an OS patch that resolves a .NET vulnerability won't be excluded when you exclude .NET.

           

          For the second issue, KB3197044 isn't in our patch catalog, which is why it's not being offered. I can see it was released in December, so we may not have yet put it through our QA process. I'll see if it's already on the backlog of patches to support, and if we can add it if it's not.