Page 1 of 3
Patch remedy update loop
Posted: Fri Feb 08, 2019 12:21 pm
by ObeliskStreet
Hi,
We have patch remedy in use for many clients, mostly successfully we think.
We have one client however which seems to be in a constant bandwidth sucking loop of downloading the same files every time the maintenance script runs.
This seems to be the one which is running over and over again, it doesn't seem to be a valid patch for the machines it is trying to install on. Both Automate and Windows update locally on the machine are reporting 100% up-to-date.
It's bad enough that it uses a whole 50Mbit connection when happening, twice a day as that's how often the maintenance script runs.
I'm not sure where to troubleshoot next.
Has anyone seen this before or offer any assistance?
Code: Select all
http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/12/windows10.0-kb4483234-x64_1181c456953109fbd5b456a8a01c2815ef197e03.msu|!c:\windows\ltsvc\PatchRemedy\windows10.0-kb4483234.msu
Re: Patch remedy update loop
Posted: Mon Feb 11, 2019 3:16 pm
by ObeliskStreet
Have not yet got to the bottom of this but some further info.
On a test machine, Win10 Pro x64, 1809. Only recently setup, not on a domain, only software that didn't ship by Lenovo is Panda Antivirus.
These 3 patches have downloaded to LTSvc\PatchRemedy
1. kb4467682
2. kb4483234
3. kb4483535
None of them are relevant to this machine, 1.67GB in total. This is indicative of what's happening on the other problem machines. These are downloaded every time the maintenance script runs, so kill the bandwidth.
Can anyone help troubleshoot this? What makes Patch Remedy download these patches?
Some further info since writing this.
Seems to be when :UPDATECURRENT is used. I think turning off the Auto Update switch within Patch Remedy has stopped it happening for now but I would like to find out what is happening so we can fix properly.
Re: Patch remedy update loop
Posted: Fri Feb 15, 2019 4:55 pm
by Cubert
Let me have a review of the script and KBs to see whats going on for that version of OS.
Re: Patch remedy update loop
Posted: Fri Feb 15, 2019 7:46 pm
by Cubert
Can not say how this agent on Windows 1809 would get the following for November and then 1809 release for December.
KB-4467682 for Windows 10 1803
Release Date:November 27, 2018
Version:OS Build 17134.441
KB-4483235 for Windows 10 1809
Release Date:December 19, 2018
Version:OS Build 17763.195
The December release would seem to be accurate depending on version of plugin.
Give the following 2 cmds a try in Powershell windows on agent. See what numbers it returns
Windows 10 Build #
Code: Select all
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name CurrentBuildNumber).CurrentBuildNumber
We are looking for
1809
Windows10 Release version
Code: Select all
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
We are looking to be equal or greater than
17763.195
If you are above the version number then no updates should download and the agent just skips any processing.
Re: Patch remedy update loop
Posted: Thu Feb 21, 2019 9:48 am
by ObeliskStreet
Hi Cubert,
I had to switch back on the automatic updating in Patch Remedy to get some recent data and I now have some new data. Same client, picked a machine which I know had the problem.
This machine is on 1809, 10.0.17763.289 is being reported when Patch Remedy script runs, but running ver from command line on the machine shows Microsoft Windows [Version 10.0.17763.316]
This time it's downloading the February update.
http://download.windowsupdate.com/c/msd ... 487044.msu
From Windows Updates and the build number reported by the machine directly, it already has that update.
So what I think is happening is:
1. Patch Remedy checks version number, 10.0.17763.289 is reported.
2. Patch Remedy downloads and tries to run the update above
3. The update to version 10.0.17763.316 is downloaded, it can't be installed because it's already installed, repeat every time script runs.
Things I think need answered:
1. Where is PR pulling the build info from? Is this something which is stale in the LT database?
2. KB4487044 is not yet approved by our LT patching policy, is PR working as designed here? If so, should we be disabling Auto Update completely as we don't want to bypass LT policy.
3. Even if the build number is reported wrong, can PR be stopped repeatedly downloading the same file over and over?
Re: Patch remedy update loop
Posted: Thu Feb 21, 2019 11:18 am
by ObeliskStreet
Here is another example, I can see in the script where it's pulling these from.
Maintenance script runs, the 3 powershell commands have reported the below, so at this point, Patch remedy knows that this machine is on build 17134.590.
17134
590
1803
It then proceeds to run this command:
Code: Select all
http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/02/windows10.0-kb4487017-x64_57e47ba6bfdbaf9ac023ee3f5663110e3262066a.msu|!c:\windows\ltsvc\PatchRemedy\windows10.0-kb4487017.msu
Which is
https://support.microsoft.com/en-gb/hel ... -kb4487017 and build 17134.590
So it looks like the powershell command is correctly reporting the version as 17134.590 but the update to 17134.590 is being downloaded anyway.
Re: Patch remedy update loop
Posted: Thu Feb 21, 2019 11:27 am
by ObeliskStreet
Sorry about the multiple posts but as I find the information and trying to keep each post as easy to make out as possible.
The commands are obfuscated in LT so I can't see exactly what has ran, but earlier in the script, directly after the Windows Update service has been started, the output given is 10.0.17134.466 which is different from what the 3 powershell commands output directly after this, could it be going wrong at this part?
Re: Patch remedy update loop
Posted: Thu Feb 21, 2019 4:30 pm
by Cubert
Hmmm... ok can you add a line to 158 of the else statement in the Patch Remedy maintenance script ?
- Capture.PNG (61.46 KiB) Viewed 18867 times
This should then log the versions info directly as it would be when we test the variable
Whats its output in agent script logs.
Re: Patch remedy update loop
Posted: Fri Feb 22, 2019 9:45 am
by ObeliskStreet
I have made the change to the script. I will allow it to run as normal again over one of these machines and let you know what the output is.
I'm unsure if I'm checking the correct place for logs but here is a screenshot of what I can see + copied and pasted the output.
Code: Select all
INSERT INTO plugin_sw_patch_remedy_wua (ComputerID,ClientID,WUAVersion,OS,MicrosoftUpdates) Values (5088, 73,replace('10.0.17763.289
','\r',''),replace('Microsoft Windows 10 Pro x64 1809
','\r',''),'1' ) ON DUPLICATE KEY UPDATE WUAVersion=Values(WUAVersion) , OS=Values(OS), MicrosoftUpdates=Values(MicrosoftUpdates)
The Script(6106) was successful in the Then section.
Code: Select all
Script: S6106 - Starting at Server Time: 20 February 2019 16:10:44
Script step logging has been disabled. Please set @ScriptEngineEnableLogger@ = True in your script to enable function logging.
The Script(6106) was successful in the Else section.
Code: Select all
Script: S6106 - Starting at Server Time: 20 February 2019 16:27:54
Script step logging has been disabled. Please set @ScriptEngineEnableLogger@ = True in your script to enable function logging.
Re: Patch remedy update loop
Posted: Fri Feb 22, 2019 1:23 pm
by ObeliskStreet
Script ran automatically over my test machine, same thing.
Output from the logging is
Code: Select all
build number = (17763
) UBRNUM = (316
) Version Num = (1809
)
Again downloaded file again
Code: Select all
http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/02/windows10.0-kb4487044-x64_6024f9853d489cf4eab66ce2145e91df45183de7.msu|!c:\windows\ltsvc\PatchRemedy\windows10.0-kb4487044.msu
- 1. File being downloaded based on incorrect version
2. File being downloaded even though it already exists
3. Why is this being downloaded outside of our LT patching policy? Is the only way to stop this to turn off the auto update switch?