Need some assistants with Debugger Fixlet Debugger. My case owner stated to post here to assist breaking Relevance Statements to determine failures.
Ok, go ahead and describe the problem
We are trying to Patch a 2008 R2 system and trying to determine why Patch is not relevant (KB5014742). Trying to load a PDF file but fails.
Ok…first thing would be that there are two Fixlets for this in the “ESU Patching Add-On for Windows 2008” Site. Are either of these relevant?
501474205 MS22-JUN: Security Only Quality Update - Security Only - Windows Server 2008 R2 - KB5014742 (x64)
501474255 MS22-JUN: Security Only Quality Update - Security Only - Windows Server 2008 R2 - KB5014742 (x64) (Unentitled)
Next step would be to test each relevance clause using the Fixlet Debugger or the WebUI Query App. Take each relevance clause from the Console and run those on the endpoint - once we know which clause is returning False, we can split up that query and determine why
Can not load my PDF at this time cause I’m new.
Appears Relevance 4, 5 & 6, are failing at the end point. My case worker suggested to post here so we could break the statements up to see what’s failing.
I don’t think PDF would help anyway, since we won’t be able to copy & paste the text out of it.
Which Fixlet ID are you using (of the two Fixlets)?
Relevance 4, 5, and 6 all return False?
I’m using 501474205 MS22-JUN: Security Only Quality Update - Security Only - Windows Server 2008 R2 - KB5014742 (x64)
Is the server pending a reboot? I can’t see the relevance of the fixlet right now but often they relate to build numbers which tend not to update unless the system has rebooted since the last patch was applied.
Relevance 4:
if exists setting "_BESClient_WinESU_MinimizeWMI" whose (exists value whose (it != "0") of it) of client then (exists setting "_BESClient_WinESU_Keys" whose (exists value whose (exists substrings separated by "|" whose ((it starts with "Year3:" or it starts with "PA:") and it ends with ":Active") of it) of it) of client) else (exists value "asset_tag_number" whose (it as string = "7783-7084-3265-9085-8269-3286-77") of structures of smbios OR exists select objects "PartialProductKey, Name, LicenseStatus from SoftwareLicensingProduct" whose (length of string value of property "PartialProductKey" of it = 5 AND (it contains "-ESU-Year3" or it contains "-ESU-PA") of string value of property "Name" of it AND integer value of property "LicenseStatus" of it = 1) of wmi)
This is a check that the machine has an active ESU license from Microsoft applied - that an ESU-Year3 or _ESU-PA license has been applied. Is the machine relevant to Fixlet 1 “ESU Key Managemetn: Install and Activate MAK” ? On the client, if you run ‘cscript slmgr.vbs /dlv’ to retrieve the detailed Microsoft license info, what’s displayed? (Edit:) What is displayed for this machine in the “ESU Key Information - Windows 2008” Analysis?
Relevance 5:
not exists keys (names of values whose ((it >= "7601.25984.1.11") of (following text of last "~" of name of it as version)) of keys "Package_for_RollupFix~31bf3856ad364e35~amd64~~0.0.0.0" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex" of native registry) whose ((it = 96 OR it = 112) of (value "CurrentState" of it as integer)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry
This is a check that the relevant patch is not already installed (where I believe the “CurrentState” values of 96 and 112 are…I think…“Staged” and “Installed”). If you check the Registry on the system, looking beneath key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex\Package_for_RollupFix~31bf3856ad364e35~amd64~~0.0.0.0” - what’s the name of the value beneath this key? In relevance you could retrieve that as
names of values of keys whose (name of it starts with "Package_for_RollupFix~31bf3856ad364e35~amd64~~0.0.0.0") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex" of native registry
Relevance 6 is…well, huge. It’s a check of whether the rollup patch is needed based on any number of earlier-version components being installed. Let’s get through Relevance 4 and Relevance 5 before tackling this one.
Also, on this endpoint…what does this query return?
version of operating system
Ok, for Relevance 4 (checking the machine is entitled), can you run these queries on the client?
Q: setting "_BESClient_WinESU_MinimizeWMI" of client
Q: setting "_BESClient_WinESU_Keys" of client
Q: value "asset_tag_number" of structures of smbios
Q: selects "PartialProductKey, Name, LicenseStatus from SoftwareLicensingProduct" of wmi
If the first setting “_BESClient_WinESU_MinimizeWMI” is present, there is an optimization in place that allows the patches to evaluate more quickly, by caching the WMI query result into the _BESClient_WinESU_Keys setting instead of the fixlet having to re-run the WMI query on every evaluation cycle - but if the keys are changed (like adding a Year-3 key), you need to run the following task - usually we recommend running that as a Policy Action to reapply periodically, like once a day, so the cached MAK key stays up-to-date. Otherwise you can get into a situation where the cached MAK key in the client setting is not updated when you apply a new key to the machine - which will show up as setting "_BESClient_WinESU_Keys" of client not displaying the new Year-3 key even where it’s valid and displays in the WMI query.
10 ESU Key Management: Synchronize Client Setting to WMI - Windows Server 2008 SP2 and Windows Server 2008R2 SP1
For Relevance 5, checking the installed rollups, can you run this query? It should get the Installed state for all the rollup packages version 7601.25984.1.11 or higher…just based on the patch list in the registry, I suspect this machine has already been patched but this query should prove it out.
Q: (pathname of parent key of it, name of it, it) of values of keys (names of values whose ((it >= "7601.25984.1.11") of (following text of last "~" of name of it as version)) of keys "Package_for_RollupFix~31bf3856ad364e35~amd64~~0.0.0.0" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex" of native registry) whose ((it = 96 OR it = 112) of (value "CurrentState" of it as integer)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry
Ok, yes that indicates the system is trying to used the cached WMI results, but the action to add the client setting with the keys values has not run. You should try taking action on Task 10.