06/02/2017 3401 views
Good morning,

I've noticed that on a PC that has May's security monthly quality rollup for Windows (4019264), KACE is reporting that it doesn't have the older rollups installed. However, I believe that when the latest rollup is installed on a PC, it removes references to the older rollup from a previous update.

Why is KACE not automatically superseding older rollups?

Example, following patches are listed as missing;

1    Cumulative Security Update for Internet Explorer 11 for Windows 7 x64 (KB4018271)    NOTPATCHED
2    April, 2017 Security Only Quality Update for Windows 7 x64 (KB4015546)            NOTPATCHED
3    November, 2016 Security Only Quality Update for Windows 7 x64 (KB3197867)        NOTPATCHED
4    2017-05 Security Only Quality Update for Windows 7 x64 (KB4019263)            NOTPATCHED
5    Microsoft Silverlight 4.0.60129.0 for Windows (See Note) (Rev 2)            NOTPATCHED
6    October, 2016 Security Only Quality Update for Windows 7 x64 (KB3192391)        NOTPATCHED
7    December, 2016 Security Only Quality Update for Windows 7 x64 (KB3205394)        NOTPATCHED
8    March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)            NOTPATCHED
9    MS15-124 Enable the User32 exception handler hardening feature in Internet Explorer (KB3125869) for Windows (See Notes)    NOTPATCHED

When I manually check the PC in question, KB4019264 is listed as installed. It's my understanding that this should remove the need for the following to be installed:

2    April, 2017 Security Only Quality Update for Windows 7 x64 (KB4015546)            NOTPATCHED
3    November, 2016 Security Only Quality Update for Windows 7 x64 (KB3197867)        NOTPATCHED
4    2017-05 Security Only Quality Update for Windows 7 x64 (KB4019263)            NOTPATCHED
6    October, 2016 Security Only Quality Update for Windows 7 x64 (KB3192391)        NOTPATCHED
7    December, 2016 Security Only Quality Update for Windows 7 x64 (KB3205394)        NOTPATCHED
8    March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)            NOTPATCHED

Yet they are still being shown as missing in the patching status, this is across approx 800 machines. We are not using KACE to push patches to the PCs (which are installed over 850 stores all connected via ADSL or via a private ADSL/MPLS solution, as I believe that KACE pushing patches to all our store level PCs would kill our network .. as it is I think using KACE to report patch install status is potentially causing traffic problems as it is).

Note: we are running an old version of the KACE Appliance, 6.2.109330; we are planning to upgrade to the latest soon.

Regards



Comments

  • Are Windows 10 machines having the same issue? We don't use KACE for Windows OS patches so I can't compare my environment.
    • Will find out soon .. already upgraded to 6.4 but intend to go to 7.1 by next week.
  • Maybe this article has something to do with it? I would definitely update your server version and see if the issue persists.
    https://support.quest.com/kace-systems-management-appliance/kb/211378
  • We are observing exactly the same type of behaviour. Security only quality updates are not marked as superseded, and previous months' updates are being pushed to KACE clients.
  • Confirmed this is still an issue with 7.1.149, i.e.

    machine name, OS, release date, is superceded, title, vendor
    '<machine name>', 'Microsoft Windows 7 Professional x64', '2017-03-14 00:00:00', '0', 'March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)', 'Microsoft Corp.'

    Surely is_superceded should be set to 1 (or at least not 0) for a roll-up from March?

    Query is (cribbed from another query found on this site :) ;

    SELECT
        M.NAME AS MACHINE_NAME,
        OS_NAME AS WINDOWS_VERSION,
        PP.RELEASEDATE,
        PP.IS_SUPERCEDED,
        PP.TITLE,
        PP.VENDOR
    FROM
        PATCHLINK_MACHINE_STATUS MS
        JOIN KBSYS.PATCHLINK_PATCH PP ON (PP.UID = MS.PATCHUID)
        JOIN PATCHLINK_PATCH_STATUS PPS ON (PPS.PATCHUID = PP.UID)
        JOIN MACHINE M ON (M.ID = MS.MACHINE_ID)
        JOIN MACHINE_LABEL_JT ML ON (M.ID = ML.MACHINE_ID)
        JOIN LABEL L ON (ML.LABEL_ID = L.ID)
    WHERE
        PP.IMPACTID = 'Critical'
        AND PP.IS_SUPERCEDED = 0
        AND PP.RELEASEDATE >= DATE_SUB(NOW(), INTERVAL 1 YEAR)
        AND MS.STATUS = 'NOTPATCHED'
    GROUP BY M.NAME
    ORDER BY M.NAME
  • I am having the same issue and running 7.2.10 now. I ran a report and was shocked to see what wasn't installed. The KACE report lists 14 critical updates missing, though Windows Update only shows 3 (+3 optional) pending. The bulk of the ones the KACE report states are missing are Security Only Quality Updates.
  • I've logged this up with support as was hoping 7.1.149 would resolve when I originally opened this topic. Will provide an update if they find anything useful.
  • Did anybody ever get this resolved? I just opened a ticket for this today and am waiting for a call back.
    • The response I got was due to MS not marking the updates as superseded. I never found a workaround but to be honest didn't really have the time.

There are no answers at this time
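
For triaging a report like the one in the question offline, the following is an added example (not part of the thread and not KACE or Microsoft code) that splits NOTPATCHED titles into Security Only updates already covered by an installed Monthly Rollup and entries that still need review. It assumes Monthly Rollups are cumulative from October 2016 onward, which is the poster's understanding; the function names are hypothetical.

```python
import re
from datetime import date

MONTHS = {name: i for i, name in enumerate(
    "January February March April May June July August September October "
    "November December".split(), start=1)}
# Both title styles from the report: "April, 2017 ..." and "2017-05 ...".
TITLE_RE = re.compile(
    r"^(?:(?P<name>[A-Z][a-z]+), (?P<y1>\d{4})|(?P<y2>\d{4})-(?P<m2>0[1-9]|1[0-2])) "
    r"Security Only Quality Update .*\((?P<kb>KB\d+)\)")
# ASSUMPTION: Monthly Rollups are cumulative from October 2016 onward.
ROLLUP_START = date(2016, 10, 1)


def security_only_month(title):
    """Return (first day of release month, KB) for a Security Only title."""
    m = TITLE_RE.match(title)
    if not m or (m.group("name") and m.group("name") not in MONTHS):
        return None
    if m.group("name"):
        return date(int(m.group("y1")), MONTHS[m.group("name")], 1), m.group("kb")
    return date(int(m.group("y2")), int(m.group("m2")), 1), m.group("kb")


def triage(missing_titles, rollup_month):
    """Split NOTPATCHED titles into (KBs covered by the rollup, titles to review)."""
    covered, review = [], []
    for title in missing_titles:
        parsed = security_only_month(title)
        if parsed and ROLLUP_START <= parsed[0] <= rollup_month:
            covered.append(parsed[1])
        else:
            review.append(title)  # not a Security Only update, or newer than the rollup
    return covered, review


# Titles copied from the report in the question.
MISSING = [
    "Cumulative Security Update for Internet Explorer 11 for Windows 7 x64 (KB4018271)",
    "April, 2017 Security Only Quality Update for Windows 7 x64 (KB4015546)",
    "November, 2016 Security Only Quality Update for Windows 7 x64 (KB3197867)",
    "2017-05 Security Only Quality Update for Windows 7 x64 (KB4019263)",
    "Microsoft Silverlight 4.0.60129.0 for Windows (See Note) (Rev 2)",
    "October, 2016 Security Only Quality Update for Windows 7 x64 (KB3192391)",
    "December, 2016 Security Only Quality Update for Windows 7 x64 (KB3205394)",
    "March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)",
    "MS15-124 Enable the User32 exception handler hardening feature in Internet Explorer (KB3125869) for Windows (See Notes)",
]
# KB4019264 is the May 2017 Monthly Rollup per the question.
COVERED, REVIEW = triage(MISSING, date(2017, 5, 1))
```

The three entries left in `REVIEW` (the Internet Explorer cumulative update, Silverlight and MS15-124) are not Security Only Quality Updates and are deliberately not classified by this check.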