Knowledge Document: How to troubleshoot download or install of ZENworks Patch or Policy contents on the Windows endpoint

Environment

ZENworks 23.4 or higher 

Situation

Troubleshooting steps for ZENworks Patch or Patch Policy content download or installation on the Windows Agent, using the zac commands available in Advanced Patch Management.

Resolution 

ZENworks 23.3 and later versions provide new zac commands to manually download and install specific patch or patch policy contents on the ZENworks Patch Agent.
This article mostly covers the patch management zac commands, along with the relevant information recorded in the corresponding logs, for troubleshooting or isolating patch download, detection, or installation issues on the Windows Patch Agent.

As with bundles, you can use the "zac bl" command to view all assigned Patch Policy or deployment remediation bundles along with their versions, and to identify which patches would be installed.


zac plp

Checks for required or missing patches on the device. It runs a patch analyze and downloads the latest patch catalog, WindowsPatchData.zip, to the "zpm" folder, then reports all required patches with the status Missing.
 
Logs: %zenworks_home%\zpm

PatchAnalyze_<timestamp>.log 
Additionally, see - PatchscanSDK_<timestamp>.log, PatchScanTrace_<timestamp>.log 

Once the missing patches are installed on the device through patch deployment, manual remediation, or patch policies, they are no longer listed by zac plp.

To view all patches with status as Missing or Installed, run the command:

zac plp --all 


zac pdp "Policy_Name"    

 Distributing patch policies to device
 All patch policies have been distributed

It distributes the specified patch policy to the managed device.
The patch policy payload is only a patchesXXXXX.json file containing the PatchIds list. It is downloaded to the %zenworks_home%\zpm folder, and the applicable patch contents are downloaded to the zpm\content folder.
If the applicable patch contents already exist in the content folder, or if the patch is already applied, the associated contents are not downloaded again.

To distribute one or more policies, see the help page under Additional Information below. Separate logs are created for each downloaded patch.

 Log: %zenworks_home%\zpm
PatchDownloader_<timestamp>.log

[2024-04-11 14:13:16,105] [DEBUG] [9776] [download] [] [SYSTEM] [] [Total patches recieved for the download 1.Filtering them after the scan.] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:25,136] [DEBUG] [9776] [download] [] [SYSTEM] [] [Starting Download of the patch : Firefox Setup 124.0.2_x64.msi having ID: 000420f2-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:25,136] [DEBUG] [9776] [download] [] [SYSTEM] [] [using region 1033 for patch 000420f2-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:27,339] [DEBUG] [9776] [download] [] [SYSTEM] [] [Downloading C:\Program Files (x86)\Novell\ZENworks\zpm\content\Firefox Setup 124.0.2_x64.msi from https://server5.provo.novell.com:443/zenworks-content/patch/pub/firefox/releases/124.0.2/win64/en-US/Firefox Setup 124.0.2.msi] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:27,339] [DEBUG] [9776] [download] [] [SYSTEM] [] [File Firefox Setup 124.0.2_x64.msi doesn't exist locally has to be downloaded again] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:28,012] [DEBUG] [9776] [download] [] [SYSTEM] [] [Downloading to temp path: C:\Program Files (x86)\Novell\ZENworks\zpm\content\Firefox Setup 124.0.2_x64-638484416080120805.msi] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:30,715] [DEBUG] [9776] [download] [] [SYSTEM] [] [Got content length from the response as 63954432 bytes] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:30,730] [DEBUG] [9776] [download] [] [SYSTEM] [] [Downloaded file C:\Program Files (x86)\Novell\ZENworks\zpm\content\Firefox Setup 124.0.2_x64-638484416080120805.msi successfully] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:30,730] [DEBUG] [9776] [download] [] [SYSTEM] [] [Successfully moved temp file C:\Program Files (x86)\Novell\ZENworks\zpm\content\Firefox Setup 124.0.2_x64-638484416080120805.msi to destination] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:13:30,730] [DEBUG] [9776] [download] [] [SYSTEM] [] [Successfully downloaded the patch : 000420f2-0000-0000-0000-000000000000] [DEBUG] [] [] [] 


zac pd --patch "Patch_Name"

 Starting patch download ...
 The patch has been downloaded.

It downloads the contents for the applicable patch on the device. The specified patch should be required/missing on the device. If the patch content already exists under the zpm\content folder, or the patch is already applied, the associated contents are not downloaded.

Log: 
PatchDownloader_<timestamp>.log

[2024-04-11 14:38:59,714] [DEBUG] [7308] [download] [] [SYSTEM] [] [Starting Download of the patch: windows10.0-kb5019180-x64.msu having ID: 0003ed1c-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:38:59,730] [DEBUG] [7308] [download] [] [SYSTEM] [] [using region 1033 for patch 0003ed1c-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:01,824] [DEBUG] [7308] [download] [] [SYSTEM] [] [Downloading C:\Program Files (x86)\Novell\ZENworks\zpm\content\windows10.0-kb5019180-x64.msu from https://server5.provo.novell.com:443/zenworks-content/patch/d/msdownload/update/software/updt/2023/02/windows10.0-kb5019180-x64_90a066b0e5fca50d9c75d990fdb89c0e12b987ac.msu] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:01,839] [DEBUG] [7308] [download] [] [SYSTEM] [] [File windows10.0-kb5019180-x64.msu doesn't exist locally has to be downloaded again] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:02,261] [DEBUG] [7308] [download] [] [SYSTEM] [] [Downloading to temp path: C:\Program Files (x86)\Novell\ZENworks\zpm\content\windows10.0-kb5019180-x64-638484431422618343.msu] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:02,293] [DEBUG] [7308] [download] [] [SYSTEM] [] [Got content length from the response as 4113081 bytes] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:02,293] [DEBUG] [7308] [download] [] [SYSTEM] [] [Downloaded file C:\Program Files (x86)\Novell\ZENworks\zpm\content\windows10.0-kb5019180-x64-638484431422618343.msu successfully] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:02,293] [DEBUG] [7308] [download] [] [SYSTEM] [] [Successfully moved temp file C:\Program Files (x86)\Novell\ZENworks\zpm\content\windows10.0-kb5019180-x64-638484431422618343.msu to destination] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 14:39:02,293] [DEBUG] [7308] [download] [] [SYSTEM] [] [Successfully downloaded the patch : 0003ed1c-0000-0000-0000-000000000000] [DEBUG] [] [] [
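
When a download stalls, the useful signal in PatchDownloader_<timestamp>.log is a "Starting Download" entry with no matching "Successfully downloaded" entry. The following Python sketch is an added example, not ZENworks code; it relies only on the message texts shown in the excerpts above, and its sample lines, placeholder patch ID and function names are constructed for illustration.

```python
import re

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Every entry opens with [timestamp] [LEVEL] [pid] [component].
HEAD = re.compile(r"^\[(?P<ts>[\d\- :,]+)\] \[\w+\] \[(?P<pid>\d+)\] \[download\]")
# The excerpts above print both "patch : <file>" and "patch: <file>".
START = re.compile(rf"Starting Download of the patch\s*:\s*(?P<file>.+?) having ID: (?P<id>{GUID})")
LENGTH = re.compile(r"Got content length from the response as (?P<n>\d+) bytes")
DONE = re.compile(rf"Successfully downloaded the patch\s*:\s*(?P<id>{GUID})")

def summarize_downloads(lines):
    """Map patch ID -> file, start time, advertised size and completion time."""
    patches, in_flight = {}, {}  # in_flight: agent pid -> patch ID being fetched
    for line in lines:
        head = HEAD.match(line.strip())
        if not head:
            continue
        pid = head["pid"]
        if m := START.search(line):
            patches[m["id"]] = {"file": m["file"], "started": head["ts"],
                                "bytes": None, "completed": None}
            in_flight[pid] = m["id"]
        elif (m := LENGTH.search(line)) and pid in in_flight:
            # The length entry carries no ID; attribute it to this pid's open download.
            patches[in_flight[pid]]["bytes"] = int(m["n"])
        elif (m := DONE.search(line)) and m["id"] in patches:
            patches[m["id"]]["completed"] = head["ts"]
            in_flight.pop(pid, None)
    return patches

def incomplete_downloads(patches):
    """Patch IDs whose download started but never logged success."""
    return sorted(i for i, p in patches.items() if p["completed"] is None)

# Constructed sample, trimmed from the log format shown above.
# The aaaaaaaa-... patch ID and its file name are placeholders, not real values.
SAMPLE = """\
[2024-04-11 14:13:25,136] [DEBUG] [9776] [download] [] [SYSTEM] [] [Starting Download of the patch : Firefox Setup 124.0.2_x64.msi having ID: 000420f2-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks]
[2024-04-11 14:13:30,715] [DEBUG] [9776] [download] [] [SYSTEM] [] [Got content length from the response as 63954432 bytes] [DEBUG] [] [] [] [ZENworks]
[2024-04-11 14:13:30,730] [DEBUG] [9776] [download] [] [SYSTEM] [] [Successfully downloaded the patch : 000420f2-0000-0000-0000-000000000000] [DEBUG] [] [] []
[2024-04-11 14:20:00,000] [DEBUG] [9776] [download] [] [SYSTEM] [] [Starting Download of the patch: example-update-x64.msu having ID: aaaaaaaa-0000-0000-0000-000000000000] [DEBUG] [] [] [] [ZENworks]
"""

if __name__ == "__main__":
    report = summarize_downloads(SAMPLE.splitlines())
    for patch_id in incomplete_downloads(report):
        print("no success entry for", patch_id, report[patch_id]["file"])
```

Comparing the reported content length with the size of the file under zpm\content is a quick follow-up check for a truncated download.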

 
zac pi --patch  "Patch_Name"

 Installing patch Patch_Name
 The patch has been successfully installed

It downloads the applicable patch contents to the zpm\content folder, downloads the latest patch catalog WindowsPatchData.zip if it is missing, and installs the specified patch by calling remediate.exe.
The patch remediation is skipped if the patch is already installed or remediated.
If the patch is NOT_APPLICABLE, it will not be remediated using the above command.

If the patch is already remediated, it will perform a scan and report the status as DETECT_PATCHED or REBOOT.

Logs:
PatchRemediate_<timestamp>.log.

[2024-04-11 16:32:55,230] [INFO] [9424] [remediate] [] [SYSTEM] [] [ Adding patch  '0003ed1c-0000-0000-0000-000000000000' '2023-03 KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10, version 20H2, 21H2, and 22H2: March 2, 2023(KB5019180)_x64' for remediation] [INFO] [] [] [] [ZENworks]  
[2024-04-11 16:32:59,433] [DEBUG] [9424] [remediate] [] [SYSTEM] [] [ Installing patch 0003ed1c-0000-0000-0000-000000000000 ] [DEBUG] [] [] [] 
[2024-04-11 16:34:09,777] [INFO] [9424] [remediate] [] [SYSTEM] [] [Remediation result of 0003ed1c-0000-0000-0000-000000000000-2023-03 KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10, version 20H2, 21H2, and 22H2: March 2, 2023(KB5019180)_x64 was 3010 ] [INFO] [] [] [] [ZENworks] 
[2024-04-11 16:34:09,777] [DEBUG] [9424] [remediate] [] [SYSTEM] [] [Reboot registry key created successfully] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 16:34:09,793] [INFO] [9424] [remediate] [] [SYSTEM] [] [Persisting remediate results {"0003ed1c-0000-0000-0000-000000000000":"2023-03 KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10, version 20H2, 21H2, and 22H2: March 2, 2023(KB5019180)_x64"}] [INFO] [] [] [] [ZENworks] 
[2024-04-11 16:34:18,355] [DEBUG] [9424] [remediate] [] [SYSTEM] [] [PatchStatus : Key = 0003ed1c-0000-0000-0000-000000000000:2023-03 KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10, version 20H2, 21H2, and 22H2: March 2, 2023(KB5019180)_x64, Value = REBOOT] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 16:34:18,355] [DEBUG] [9424] [remediate] [] [SYSTEM] [] [Creating reboot required file] [DEBUG] [] [] [] [ZENworks] 


zac pap "Policy_Name"

   Applying patch policies to device
   Applying policy: Policy_Name
   At least one patch was applied.  Running patch scan to update system status.
   PATCH_POLICY_REBOOT_NEEDED   // Seen If any reboot required patches are installed  
   All patch policies have been updated
   
It distributes the specified patch policy and the associated contents for the applicable patches to the Patch Agents, installs one or more applicable patches using remediate.exe, and performs a patch scan (analyze.exe) to report the latest patched status. You can also specify more than one patch policy name; see the documentation under Additional Information or zac help for more details.

Any already remediated patches are skipped during zac pap, and their status is detected as DETECT_PATCHED in PatchRemediate_<timestamp>.log.

For patches that are already applied, or whose contents already exist locally on the patch agent, no new patch contents are downloaded. See the PatchDownloader_<timestamp>.log excerpt below:

[2024-04-11 18:03:55,208] [DEBUG] [8604] [download] [] [SYSTEM] [] [Patch with id 000420f2-0000-0000-0000-000000000000 is already patched, hence not downloading the patch content again] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 18:03:55,208] [DEBUG] [8604] [download] [] [SYSTEM] [] [Total patches filtered  in the list 0] [DEBUG] [] [] [] [ZENworks] 


Example: PatchRemediate_<timestamp>.log shows the below details during new successful patch remediation

[2024-04-11 17:06:36,074] [INFO] [6732] [remediate] [] [SYSTEM] [] [ Adding patch  '000420f2-0000-0000-0000-000000000000' 'Firefox 124.0.2(KBFF12402)_x64' for remediation] [INFO] [] [] [] [ZENworks] 
[2024-04-11 17:06:40,277] [DEBUG] [6732] [remediate] [] [SYSTEM] [] [C:\Program Files (x86)\Novell\ZENworks\zpm\content\Firefox Setup 124.0.2_x64.msi  exists already , not downloading again] [DEBUG] [] [] [] [ZENworks] 
[2024-04-11 17:06:40,277] [DEBUG] [6732] [remediate] [] [SYSTEM] [] [ Installing patch 000420f2-0000-0000-0000-000000000000 ] [DEBUG] [] [] [] 
[2024-04-11 17:09:39,855] [INFO] [6732] [remediate] [] [SYSTEM] [] [Remediation result of 000420f2-0000-0000-0000-000000000000-Firefox 124.0.2(KBFF12402)_x64 was 0 ] [INFO] [] [] [] [ZENworks] 
[2024-04-11 17:09:48,386] [DEBUG] [6732] [remediate] [] [SYSTEM] [] [PatchStatus : Key = 000420f2-0000-0000-0000-000000000000:Firefox 124.0.2(KBFF12402)_x64, Value = SUCCESS] [DEBUG] [] [] [] [ZENworks] 


Logs: 
PatchDownloader_<timestamp>.log
PatchRemediate_<timestamp>.log and remediate_results-<policy_guid>.txt for any Patch Remediation
PatchAnalyze_<timestamp>.log
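
To triage a PatchRemediate_<timestamp>.log after zac pi or zac pap, pair each patch's "Remediation result ... was <code>" entry with its PatchStatus entry. This Python sketch is an added example, not ZENworks code; it uses only the codes and statuses shown in the excerpts above (0 with SUCCESS, 3010 with REBOOT, DETECT_PATCHED), and treating any other result code as needing investigation is an assumption. The sample lines are constructed.

```python
import re

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
ADDED = re.compile(rf"Adding patch\s+'(?P<id>{GUID})'\s+'(?P<name>.+)' for remediation")
# Patch names contain commas and hyphens, so anchor on the trailing "was <code>".
RESULT = re.compile(rf"Remediation result of (?P<id>{GUID})-.* was (?P<code>-?\d+)")
STATUS = re.compile(rf"PatchStatus : Key = (?P<id>{GUID}):.*, Value = (?P<status>\w+)")

def summarize_remediation(lines):
    """Map patch ID -> name, installer result code and reported PatchStatus."""
    patches = {}
    def entry(patch_id):
        return patches.setdefault(patch_id, {"name": None, "code": None, "status": None})
    for line in lines:
        if "[remediate]" not in line:
            continue
        if m := ADDED.search(line):
            entry(m["id"])["name"] = m["name"]
        elif m := RESULT.search(line):
            entry(m["id"])["code"] = int(m["code"])
        elif m := STATUS.search(line):
            entry(m["id"])["status"] = m["status"]
    return patches

def verdict(patch):
    """Classify one patch using only the codes and statuses the article shows."""
    code, status = patch["code"], patch["status"]
    if code not in (None, 0, 3010):
        return "investigate"  # assumption: any other result code needs a closer look
    if code == 3010 or status == "REBOOT":
        return "reboot-pending"
    if code == 0 or status in ("SUCCESS", "DETECT_PATCHED"):
        return "installed"
    return "investigate"

# Constructed sample: names abridged from the excerpts; the aaaaaaaa-... patch and code 1603 are placeholders.
SAMPLE = """\
[2024-04-11 17:06:36,074] [INFO] [6732] [remediate] [] [SYSTEM] [] [ Adding patch  '000420f2-0000-0000-0000-000000000000' 'Firefox 124.0.2(KBFF12402)_x64' for remediation] [INFO] [] [] [] [ZENworks]
[2024-04-11 17:09:39,855] [INFO] [6732] [remediate] [] [SYSTEM] [] [Remediation result of 000420f2-0000-0000-0000-000000000000-Firefox 124.0.2(KBFF12402)_x64 was 0 ] [INFO] [] [] [] [ZENworks]
[2024-04-11 17:09:48,386] [DEBUG] [6732] [remediate] [] [SYSTEM] [] [PatchStatus : Key = 000420f2-0000-0000-0000-000000000000:Firefox 124.0.2(KBFF12402)_x64, Value = SUCCESS] [DEBUG] [] [] [] [ZENworks]
[2024-04-11 16:32:55,230] [INFO] [9424] [remediate] [] [SYSTEM] [] [ Adding patch  '0003ed1c-0000-0000-0000-000000000000' '2023-03 KB5019180: abridged, name(KB5019180)_x64' for remediation] [INFO] [] [] [] [ZENworks]
[2024-04-11 16:34:09,777] [INFO] [9424] [remediate] [] [SYSTEM] [] [Remediation result of 0003ed1c-0000-0000-0000-000000000000-2023-03 KB5019180: abridged, name(KB5019180)_x64 was 3010 ] [INFO] [] [] [] [ZENworks]
[2024-04-11 16:34:18,355] [DEBUG] [9424] [remediate] [] [SYSTEM] [] [PatchStatus : Key = 0003ed1c-0000-0000-0000-000000000000:2023-03 KB5019180: abridged, name(KB5019180)_x64, Value = REBOOT] [DEBUG] [] [] [] [ZENworks]
[2024-04-11 18:00:00,000] [INFO] [9424] [remediate] [] [SYSTEM] [] [ Adding patch  'aaaaaaaa-0000-0000-0000-000000000000' 'Example Patch 1.0_x64' for remediation] [INFO] [] [] [] [ZENworks]
[2024-04-11 18:01:00,000] [INFO] [9424] [remediate] [] [SYSTEM] [] [Remediation result of aaaaaaaa-0000-0000-0000-000000000000-Example Patch 1.0_x64 was 1603 ] [INFO] [] [] [] [ZENworks]
"""

if __name__ == "__main__":
    print({i: verdict(p) for i, p in summarize_remediation(SAMPLE.splitlines()).items()})
```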

Patch Policy Reboot Behavior for a Pending Reboot from Installed Patches

If the patch remediation returns a success status code and requires a reboot (code 3010):
- Patch remediation also creates, under the zpm folder, a dummy file patch_needs_reboot and a reboot_pending_patches_XXXX.json file containing the names of the patches.
- The installation information for the reboot-required patch is also captured in PatchRemediate_<timestamp>.log.
- The PATCH_POLICY_REBOOT_NEEDED message can also be seen on stdout when running the command: zac pap

Once the required reboot is performed as per the configured interval ("Reboot Within"), the subsequent patch analyze should report the status as Patched (DETECT_PATCHED), as captured in the zpm\<guid>.state file.

Also, see https://portal.microfocus.com/s/article/KM000026272 to identify the installation of any reboot-required patches.

If the administrator has enabled Reboot notification under ZCC > Security > Patch Policy Settings | Patch Policy Reboot Behavior, a reboot message is shown in the device's tray notification at every snooze interval after the reboot-required patches have been successfully remediated.

Additionally, zpm\snoozeList.xml contains a NotifyItem entry, which produces this message at the configured interval:

<GUID>RebootPatchPolicy</GUID>
<BeginTime>-8584887298958719089</BeginTime>
<Message>To complete the installation of mandatory patches on your computer, it is now necessary to reboot. If you require any additional information, please contact your ZENworks Patch Management administrator.</Message>
<PopupMessage>Important patches have been installed. In order for these patches to be applied a reboot is required. Please click here to reboot now.</PopupMessage>

Debug zmd-messages.log: 

[TRACE] [04/11/2024 17:09:49.605] [2804] [ZenworksWindowsService] [62] [] [PatchModule] [] [Rebooting System from Reboot - Patch Policy] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Name: GUID] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Value: RebootPatchPolicy] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Name: BeginTime] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Value: -8584887298958719089] [] [] [] [ZENworks Agent] 
[INFO] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [62] [] [Patch Module] [Device reboot is pending so the patch status might not be accurate.] [] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Name: Message] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Value: To complete the installation of mandatory patches on your computer, it is now necessary to reboot. If you require any additional information, please contact your ZENworks Patch Management administrator.] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Name: PopupMessage] [] [] [] [ZENworks Agent] 
[DEBUG] [04/11/2024 17:09:49.621] [2804] [ZenworksWindowsService] [87] [] [Patch] [] [Element.Value: Important patches have been installed. In order for these patches to be applied a reboot is required. Please click here to reboot now.] [] [] [] [ZENworks Agent] 

[DEBUG] [04/11/2024 17:10:11.574] [2804] [ZenworksWindowsService] [87] [User] [ZMD] [] [User daemon call Lumension.Zenworks.PatchModule.SnoozeDialog.ShowSnoozePopup(True, 7200, Important patches have been installed. In order for these patches to be applied a reboot is required. Please click here to reboot now., 20) to session 15331591 succeeded after 21.940 seconds] [] [] [] [ZENworks Agent] 



zac ps 

Patch Scan (zac ps --complete) can be executed on the endpoints to detect any applicable patches using an updated Windows Patch Catalog (WindowsPatchData.zip) downloaded locally from the ZENworks Primary (OCM).

After a successful patch analyze, the results, containing patch metadata for newly installed patches and the patch statuses, are uploaded to the Primary server. It can also be executed to ensure the remediated patch status is reported as installed after reboot.

Logs:
PatchAnalyze_<timestamp>.log
Additionally, see PatchscanSDK_<timestamp>.log, PatchScanTrace_<timestamp>.log 
<deviceguid>.state (It contains all applicable patches and statuses in JSON format id:patchguid,patched:true or false) 


Additional Information 

For more information on the commands, see https://www.novell.com/documentation/zenworks-23.4/zen_utils/data/bb15p2z.html#pqr 
