Respected Contributor.. Pablo Bazan Respected Contributor..
Respected Contributor..
1023 views

Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Hi,

 

Out WINTEL TEAM has notified us that the 'Report' of patch installed on windows machine by HPSA (version 9.14) doesn't match with the patches in server.

 

In Server Automation we obtain the patches report open a 'device explorer', and then in Inventory-->Patches, and used Patches Installed.

 

An example:

In a machine (called WNJPSP101.esseat10) with system Windows Server 2008 R2 x64 (x86_64), SP1, we obtain a list with 116 elements (102 distinct element)
The patches listed on the machine are 202.

 

Which is the reason for these differences?

 

Thanks a lot

 

Pablo Bazán

 

PS: In the attachment, the red cells are the Patched missmatched in the Report

0 Likes
1 Solution

Accepted Solutions
Respected Contributor.. Pablo Bazan Respected Contributor..
Respected Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Ok, thanks

 

I thinks is better if I open a Support case.

The windows administrator said that they see this missmatch information in a lot of machines.

 

Thanks a lot

 

Pablo

0 Likes
9 Replies
Frequent Contributor.. lyubo_ Frequent Contributor..
Frequent Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Hi Pablo,

 

Could you tell us the way you are getting the installed patches directly on the server ?

Also do you have Windows Update Agent imported recently?

 

Thanks,

Lyubo


Lyubomir MInchev
SA Support

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution. Also, if you liked this post please consider providing Kudos at the left-hand side.
0 Likes
Highlighted
Respected Contributor.. Pablo Bazan Respected Contributor..
Respected Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Hi,

 

The Wintel Administrator said that obtein the report of patches on the machine use the command line: 'SystemInfo'

 

If you need more information, please ask for it.

 

Thanks a lot

 

Pablo

0 Likes
Frequent Contributor.. lyubo_ Frequent Contributor..
Frequent Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Hi Pablo,

 

Thank you for the provided info.

You should also have recently imported Windows Update Agent.

 

 

Thanks

Lyubo


Lyubomir MInchev
SA Support

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution. Also, if you liked this post please consider providing Kudos at the left-hand side.
0 Likes
Absent Member.. Gonzo_SA Absent Member..
Absent Member..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Pablo,

 

This sounds like it needs to be opened as a support case for further research. But in the meantime, what is the version of the SA agent on this managed host and what type of Windows server is it, SQL Server, Domain controller, etc?

 

Rob Adams

0 Likes
Respected Contributor.. Pablo Bazan Respected Contributor..
Respected Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Ok, thanks

 

I thinks is better if I open a Support case.

The windows administrator said that they see this missmatch information in a lot of machines.

 

Thanks a lot

 

Pablo

0 Likes
Outstanding Contributor.. csaunderson Outstanding Contributor..
Outstanding Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Windows patching can be a bit tricky, but here's some questions I would ask;

 

1) are you using a custom policy or the Vendor Recommended Patch Policy to apply patches on the server?

2) when was the last time you updated the wsusscn2.cab into the HPSA core?

3) when you look on the server in the opsware agent directories at scanpatchoutput.txt, and compare that to what the sysadmin is saying, is there a difference?

 

 

--Chris

0 Likes
Absent Member.. Tony_G Absent Member..
Absent Member..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Windows patching can be a bit tricky, but here's some questions I would ask;

 

1) are you using a custom policy or the Vendor Recommended Patch Policy to apply patches on the server?

2) when was the last time you updated the wsusscn2.cab into the HPSA core?

3) when you look on the server in the opsware agent directories at scanpatchoutput.txt, and compare that to what the sysadmin is saying, is there a difference?

 

Chris,

 

I have a few questions related to your questions...

 

1.  Are you finding that a lot of cutomers use the "Vendor Recommended" policies? Seems dangerous.

2. How often does HP suggest we update the wsusscn2.cab?

 

Thanks in advance.

 

Regards,

 

Tony

0 Likes
Absent Member.. Gonzo_SA Absent Member..
Absent Member..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Tony,

 

I find it fair split on who uses the vendor recommended policies and who creates their own policies. It is what ever fits your need.

 

Also, it is a good idea to update the wsusscn2.cab on patch Tuesdays or when Microsoft issues an out of band patch release.

 

Rob Adams

0 Likes
Outstanding Contributor.. csaunderson Outstanding Contributor..
Outstanding Contributor..

Re: Report of patch installed on windows machine by HPSA doesn't match with patches in server

Jump to solution

Funny thing is, I don't work for HP 😄 I'm an actual customer, I just like giving my opinions based on my experiences.

 

We implemented with custom patch policies to patch 1600 servers (mix of 03/08/08r2), but found that we were generating much XML for the fact that servers didn't need patches but need to insert that into the Truth DB as a part of patch compliance jobs. This resulted in exceedingly slow response time and a vault/truth combination that was choking on the long running inserts into the DB.  By moving to VRPP we simplified that down to what the server says is needed, but with some caveats.

 

First, you MUST control the .cab file import, or else you will be installing patches that you don't know about (or worse, not having patches in the repo that you need and fail to install) and therefore won't be compliant to your policies ever. The real tl;dr there is: if you're adhering to Patch Tuesday, then at some point prior to you wanting to patch, you'll need to update the .cab and import any additional patches.

 

Second, if you go the VRPP route, you should really look into exceptions for patches so that you're not applying patches yu don't want, or worse, patches you know you shouldn't apply.

 

Third, you have to take into account that during the analysis phase of any Windows patching job, you will now be touching every server to have their run their analysis and then generate the list of patches that should be applied. This can be considerable, and will factor into the number of systems you put into any one job and the number of jobs you expect to run at any one time.

 

Fourth, and finally, you need to have a robust process in place for looking at patches Microsoft releases in order to assess whether this is an out-of-band critical that you need to apply, or whether it can be rolled into your next patching window. We do that very robustly: every patch tuesday is a review day and either a "must deploy now" or "into next patch window" decision for every patch that is released, that then drives the updates/imports to HPSA and the testing of the patches and the reporting of compliance.

 

I talk to a few peer customers, and there is a reasonable split between VRPP and Custom Patch policies.

 

Hope that helps.

 

--Chris

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.