MS Patch is relevant, deploy it and action reports back NOT relevant

(imported topic written by SystemAdmin)

I have some MS patches (in this case I’m referring to MS07-042) that show as relevant under the fixlet for this patch. So I deploy the patch to the listed computers. The subsequent action reports back that the patch is not relevant. I reboot the system for good measure and go back to that fixlet, and of course it still shows up under applicable computers. An MBSA scan also shows it’s needed.

How is it possible to report under the fixlet that it’s needed on a system, then when you deploy it the system reports it’s not relevant? It uses the same relevance statement both times… Could it actually be getting to the action part of the deploy and the patch itself is failing? I would expect the action info to show Failed, not “Not Relevant”.

Action:

Not Relevant MS07-042: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution - XML Core Services 4.0 SP2

Relevance of that fixlet:

Relevance 1

(
  (
    (
      (
        (
          (name of operating system as lowercase starts with "win")
          AND
          (
            (language of version block of file "kernel32.dll" of system folder contains "English")
            OR
            (exists value of key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" of registry)
          )
        )
        AND
        (
          not exists key "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion" whose (exists value "ProductId" of it OR exists value "CommonFilesDir" of it) of registry
          AND
          not exists values "PROCESSOR_ARCHITECTURE" whose (it as string as lowercase = "ia64") of keys "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry
        )
      )
      AND
      (
        (
          (name of it = "Win2000" AND csd version of it = "Service Pack 4")
          OR
          (name of it = "WinXP" AND csd version of it = "Service Pack 2")
          OR
          (name of it = "Win2003" AND (csd version of it = "Service Pack 1" OR csd version of it = "Service Pack 2"))
          OR
          (name of it = "WinVista")
        ) of operating system
      )
    )
    AND
    (
      (exists file "msxml4.dll" whose (version of it < ") of it) of system folder
    )
  )
  AND
  (exists file "msiexec.exe" whose (version of it >= "3.1") of system folder)
)
AND
(not pending restart)
AND
computer name != "NFAX001PDV"

((((((name of operating system as lowercase starts with “win”) AND ((language of version block of file “kernel32.dll” of system folder contains “English”) OR (exists value of key “HKLM\System\CurrentControlSet\Control\Nls\MUILanguages” of registry))) AND (not exists key “HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion” whose (exists value “ProductId” of it OR exists value “CommonFilesDir” of it) of registry AND not exists values “PROCESSOR_ARCHITECTURE” whose (it as string as lowercase = “ia64”) of keys “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry)) AND (((name of it = “Win2000” AND csd version of it = “Service Pack 4”) OR (name of it = “WinXP” AND csd version of it = “Service Pack 2”) OR (name of it = “Win2003” AND (csd version of it = “Service Pack 1” OR csd version of it = “Service Pack 2”)) OR (name of it = “WinVista”)) of operating system)) AND ((exists file “msxml4.dll” whose (version of it < ") of it) of system folder)) AND (exists file “msiexec.exe” whose (version of it >= “3.1”) of system folder)) AND (not pending restart) AND computer name !=“SERVER01”

(imported comment written by BenKus)

Hey Brian,

The trick with this particular Fixlet is that the relevance “(not pending restart)” is included in the Fixlet. So I imagine that when you deploy the action, something is first setting the system into a restart. Are you deploying this Fixlet in a group of Fixlets? If so, the previous actions are probably setting the computer into “restart needed” state.

Usually we add “not pending restart” if we are unable to check the status of the patch until restart… you can make a custom copy and remove the “(not pending restart)” if you want to ignore the restart state of the system.

Ben
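As an added example (this is not code from the thread, from BigFix or from IBM), the script below re-evaluates each clause of the relevance posted above on a single endpoint and prints which one is false, so a "Not Relevant" action report can be traced to the clause that flipped, typically the "(not pending restart)" clause Ben describes. It is written for Windows PowerShell 2.0 and later because the Fixlet targets XP/2003-era systems. Assumptions: the "pending restart" check approximates the BigFix inspector with the common Windows reboot-pending registry markers and cannot see restart state the BigFix client records after its own actions; the msxml4.dll fixed version is a mandatory parameter because the thread's copy of that clause is truncated, so take it from the Fixlet; the parameter and function names are mine.

```powershell
# Added example (not from this thread or from BigFix/IBM): re-evaluate the
# clauses of the posted MS07-042 relevance on one endpoint and show which
# one is false, so a "Not Relevant" action can be traced to a clause.
# Written for Windows PowerShell 2.0+ (the XP/2003-era targets this Fixlet
# covers), hence Get-WmiObject rather than Get-CimInstance.
#
# ASSUMPTIONS: "pending restart" is approximated with the usual Windows
# reboot-pending registry markers; the BigFix inspector also reflects restart
# state set by earlier BigFix actions, which this script cannot see. The
# msxml4.dll fixed version is a mandatory parameter because the thread's copy
# of that clause is truncated; copy it from the Fixlet's own relevance.

param(
    [Parameter(Mandatory = $true)]
    [version]$Msxml4FixedVersion,
    [string]$ExcludedComputer = 'NFAX001PDV'   # the "computer name !=" clause
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Build a System.Version from the four numeric parts so builds compare correctly
# (the FileVersion string can carry trailing text and is not safe to cast).
function Get-FileVersionOrNull([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return $null }
    $vi = (Get-Item -Path $Path).VersionInfo
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Approximation of the BigFix "pending restart" inspector (assumption, see above).
function Test-PendingRestart {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    ($pfro -ne $null) -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
}

$os         = Get-WmiObject -Class Win32_OperatingSystem
$sessionEnv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$wowProps   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' -ErrorAction SilentlyContinue
$kernel32   = Get-Item -Path (Join-Path $system32 'kernel32.dll')

# One entry per clause of the Fixlet relevance, in the order it appears.
$clauses = @(
    @{ Name = 'OS name starts with "win"'
       Test = { $os.Caption -match '^(Microsoft )?Windows' } },
    @{ Name = 'English kernel32.dll or MUILanguages key present'
       Test = { ($kernel32.VersionInfo.Language -like '*English*') -or
                (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages') } },
    @{ Name = 'Not a 64-bit OS (no Wow6432Node ProductId/CommonFilesDir)'
       Test = { -not ($wowProps -and ($wowProps.ProductId -or $wowProps.CommonFilesDir)) } },
    @{ Name = 'Not IA64'
       Test = { $sessionEnv.PROCESSOR_ARCHITECTURE -ne 'ia64' } },
    @{ Name = 'Win2000 SP4 / WinXP SP2 / Win2003 SP1-SP2 / WinVista'
       Test = { $cap = $os.Caption; $sp = $os.CSDVersion
                ($cap -match '2000' -and $sp -eq 'Service Pack 4') -or
                ($cap -match 'XP'   -and $sp -eq 'Service Pack 2') -or
                ($cap -match '2003' -and ($sp -eq 'Service Pack 1' -or $sp -eq 'Service Pack 2')) -or
                ($cap -match 'Vista') } },
    @{ Name = 'msxml4.dll present and older than the fixed version'
       Test = { $v = Get-FileVersionOrNull (Join-Path $system32 'msxml4.dll')
                ($v -ne $null) -and ($v -lt $Msxml4FixedVersion) } },
    @{ Name = 'msiexec.exe 3.1 or later'
       Test = { $v = Get-FileVersionOrNull (Join-Path $system32 'msiexec.exe')
                ($v -ne $null) -and ($v -ge [version]'3.1') } },
    @{ Name = 'Not pending restart'
       Test = { -not (Test-PendingRestart) } },
    @{ Name = "Computer name is not $ExcludedComputer"
       Test = { $env:COMPUTERNAME -ne $ExcludedComputer } }
)

# Evaluate every clause; the Fixlet is relevant only if all of them are true.
$relevant = $true
foreach ($c in $clauses) {
    $result = [bool](& $c.Test)
    if (-not $result) { $relevant = $false }
    '{0,-5} {1}' -f $result, $c.Name
}
if ($relevant) { 'Relevance: True  (the action should apply)' }
else           { 'Relevance: False (the action will report Not Relevant)' }
```

Run it from an elevated prompt on the affected endpoint, passing the fixed msxml4.dll version from the Fixlet. If only the "Not pending restart" row is False, the behaviour in this thread is reproduced: the Fixlet showed relevant before an earlier action marked the machine as needing a restart, and the action's own relevance check then fails on that one clause. The same clause can be checked on its own in the BigFix QnA tool with `Q: pending restart`. The fixes Ben gives apply unchanged: restart and deploy the patch by itself, or take a custom copy of the Fixlet and drop `AND (not pending restart)`.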

(imported comment written by Anuj_Attree91)

For MS07-042, the BigFix console is showing applicable computers, whereas when the patch is pushed the computers report the action back as Not Relevant…

Please help on an urgent basis: how can this be installed on the targeted computers…

(imported comment written by BenKus)

Hi Anuj,

I think the answer provided before (exactly 1 year ago today it turns out…) is applicable… Restart the computer and then try to deploy the patch by itself and it should work…

Alternately, just edit the relevance in the action you send out and remove the “AND (not pending restart)” from the action.

Ben

(imported comment written by Anuj_Attree91)

Hi Ben,

The Systems details in use are:

  1. Windows XP SP2

  2. Word, Excel, Powerpoint viewer 2003

Following troubleshooting has been done to rectify the issue:

  1. Tried to manually install the patch MS07-042 (KB936048). But the process exits, saying that the patch or the functionality of this patch is already in the system. However, the BigFix console still shows MS07-042 missing.

  2. Updated the system using Windows Update, and the MBSA report shows all green for Windows as well as Office patches. However, the BigFix console still shows this patch missing.

  3. This has been tested on 5-6 systems and the results are the same (negative). Also, around 1300 systems are showing non-compliance due to this missing patch in BigFix.

But I had success on 4-5 systems yesterday that were earlier showing the MS07-042 patch missing in BigFix. I went to the Office patches site http://office.microsoft.com/officeupdate/. The site requires 2 add-ons before proceeding with patch installation:

  1. Office Genuine Advantage Validation Tool

  2. Office Update Installation Engine

After installing these 2 add-ons, the systems were no longer showing the MS07-042 patch missing in BigFix.

Now the problem is we can’t connect each desktop to the internet and do this task manually. So I’m looking for a solution to do this automatically from BigFix or some other way…

Need your help on this on an urgent basis…

(imported comment written by BenKus)

Anuj,

The forum is not a good place to get urgent support… Please contact support and they can help you through this.

In general if BigFix is showing a patch is needed and it is not, then it will likely be one of two reasons:

  1. The relevance for the patch isn’t working and needs to be looked into (normally you would evaluate the relevance in QnA and see if it is true/false)

  2. The BigFix Agent or Console isn’t reporting or reflecting the data (normally we would ask you to clear the cache and send the agent a refresh to make sure something wasn’t corrupted).

A support person can lead you through this process to identify the issue and fix it.

Ben