Client reporting no missing patches but machine has not been patched

I have 6 servers that were built out and I am having a major problem. The machine is reporting no patches missing, but the Windows box has not been patched for over a year. Has anyone run into this problem?

Is the client gathering and reporting?

If it hasn’t reported in a day then it may have an issue. Send a Refresh to one of the clients and see if it clears up the states?

The machine is successfully reporting in and checks in. This looks to have been a problem for more than half a year, and patches missing should be over 200.

And you’re certain this system hasn’t been patching using an alternate product like Windows Update, WSUS, or SCCM? Or maybe you don’t have visibility to see other Operators’ actions in BigFix, and they patched the system?

Check in the Control Panel, “Programs and Features”, “Show installed Updates”, then sort by Installation Date. When was the most recent Update installed?

The last time it was patched was 06/15/2014. That was when the box was imaged.

I would open a PMR as we’re going to need to see logs and such. When was the last time the client or system was restarted as well?

Well I think that rules out my line of thinking. Looks like you have a real problem. I think you’ll need to take the PMR route to submit a problem report.

…is the machine appearing in the BigFix Console at all, and is the “Last Report Time” current?

Checks in every 45 min without any problems. As I mentioned, it's not just one machine but 6 machines. They were all imaged from the same template. I think I will remove IEM off the machine and reinstall to see if it helps.

We’ve seen this same behavior. The first thing we usually do (where network access allows it) is run Windows Update to compare it to what BigFix is reporting.

We have seen where WU does not find the patches that should be applied until AFTER we apply a couple of the patches that do show up. Then, there is a flood of additional patches that show up in both WU and BigFix.


Hmm; are the affected machines showing up as Relevant for any content? How about for New content?

One thing that comes to mind is that very nearly all of the “Patches for Windows (English)” fixlets are written to require that the Windows Update service is enabled. If that service is disabled or corrupted, I suppose that might make a lot of the Fixlets non-relevant.

Many of them also have a disk space requirement in their Relevance. For that matter if the client’s out of disk space, then all bets are off for any kind of evaluation.

Try running the Fixlet Debugger on one of the clients, copy each of the Relevance clauses for a patch that is missing, and see whether all of the Relevance statements return True. Or, if you cannot run the Debugger, create a new Custom Analysis, configure its relevance to be relevant only to the clients in question, and create a new Property for each of the Relevance Statements for one of the missing patch fixlets. If any of the properties return a False, then you’ll have some idea of what to look for.

One more thing, can you verify the clients are actually subscribed to the Patches for Windows (English) site? If you create a Custom Copy of one of the missing fixlets into your own operator site, does that appear to be Relevant to the client?

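A local triage script, run on one of the affected servers, that checks the preconditions this answer points at (Windows Update service state, free disk space, date of the most recently installed update) plus the BigFix client service. It is an added example, not code from the thread or from BigFix; it assumes the client service is named BESClient and uses a 2 GB free-space threshold as a placeholder.

```powershell
# Added triage script (not from the thread or from BigFix). Assumptions:
# the BigFix client service is named "BESClient", and 2 GB free on the
# system drive is used as a stand-in for the Fixlets' own disk-space checks.
function Get-PatchTriageReport {
    [CmdletBinding()]
    param(
        # Assumed threshold; compare against the actual Relevance of a missing Fixlet.
        [int]$MinFreeGB = 2
    )

    $report = [ordered]@{}

    # 1. Windows Update service: nearly all "Patches for Windows" Fixlets
    #    require it to be enabled. Win32_Service works on older PowerShell too.
    $wu = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    $report['WU_State']      = if ($wu) { $wu.State }     else { 'NotFound' }
    $report['WU_StartMode']  = if ($wu) { $wu.StartMode } else { 'NotFound' }
    $report['WU_ServiceOk']  = [bool]($wu -and $wu.StartMode -ne 'Disabled')

    # 2. Free space on the system drive (many Fixlets carry a disk-space clause).
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
    $report['SystemDrive_FreeGB'] = $freeGB
    $report['DiskSpaceOk']        = ($freeGB -ge $MinFreeGB)

    # 3. Most recent installed update from the QFE list (a subset of what
    #    "Programs and Features > Installed Updates" shows, but a quick check).
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['LastUpdateInstalled'] = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'None' }
    $report['LastUpdateAgeDays']   = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { -1 }

    # 4. BigFix client service (service name assumed).
    $bes = Get-CimInstance Win32_Service -Filter "Name='BESClient'"
    $report['BESClient_State'] = if ($bes) { $bes.State } else { 'NotFound' }

    [pscustomobject]$report
}

Get-PatchTriageReport | Format-List
```

If WU_ServiceOk or DiskSpaceOk comes back False on all six servers while LastUpdateAgeDays is large, that points at the shared template rather than the client, and matches the Relevance clauses worth checking in the Fixlet Debugger.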