Description
- After deploying patches, one or more patches still show as missing.
- While deploying, the deployment tracker lists an error.
Cause
The cause of a failed deployment can vary greatly. This document will serve as a way to troubleshoot and identify common issues that can cause a failed deployment.
Do Patches Download?
When initiating a deployment, Shavlik Protect will initiate the deployment process by downloading the Patches from the vendor to a local repository.
To identify if the patch was downloaded, examine the Patch Download column within the scan results.
- If the icon is a Green Arrow that says 'Yes', it indicates it is currently downloaded and saved in your patch repository.
- If the icon is a Gray Arrow and says 'No', this indicates the patch is not downloaded.
- If there is no icon, this indicates the patch is not available to be downloaded through Protect and is only available for reporting purposes.
If you are in an offline environment (i.e. the Protect console has no internet connectivity), and your patch is in the Patch Repository, but the download icon is Gray and says 'No', it may need to be renamed to the Shavlik Name.
Related Document: Patches' Shavlik Name
YES - Patches Did Download
If the patch(es) downloaded successfully, and show as downloaded in Protect (green download icon that says 'Yes'), proceed on to the next step.
NO - Patches Did Not Download / Patch is not in repository
If the patch is not located in the Patch Repository, the issue may be a failure attempting to download the patch.
To test the potential cause of the issue, navigate to the logs directory, and open the ST.Protect.Managed...Log file. This will contain the attempted download information.
Identify the entry in your log related to the patch in question.
Example:
This is the entry in the ST.Protect.Managed...Log file indicating a download of 7-Zip patch: Q7ZIP920N, 7ZIP-001, Software Distribution
2013-12-17T23:49:47.4748336Z 0001 V SingleFileDownload.cs:481|Downloading from 'http://surfnet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920.msi' to 'C:\Users\Nevans\AppData\Local\Temp\stb537e574-5adb-4efa-8e7d-b2a962290085.tmp'.
Troubleshooting Possible Download Issues
- Firewall, proxy, or anti-virus settings prohibiting downloads
Try copying the URL directly into a browser to download it. Make note of any warnings or prompts that indicate a file has been blocked by firewalls, proxies, or anti-virus. If any warnings occur regarding the download being blocked, identify what in your environment issued the prompt and whitelist (allow) the patch.
Try copying the URL directly into a browser to download it. If you are unable to connect to the Internet, you will not be able to download any externally hosted patches.
- Downloads are set to a Distribution Server/Share that does not have the file available
When viewing the download entry in the ST.Protect.Managed...Log it lists the source as a local/network share. If your download source is set to a Distribution Server, the patch must exist on the specified Distribution Server to be able to download from it. If it does not exist on that share, there will be nothing to download, and it will fail.
Example:
2013-12-18T22:08:56.5798742Z 0001 V SingleFileDownload.cs:563|Download Error 'file://nevans-pc/DistributionServer/7z920.msi'.
2013-12-18T22:08:56.5803742Z 0001 V DownloadItem.DownloadFileCompleted|7z920.msi not downloaded: Connection lost: Could not find file '\\nevans-pc\DistributionServer\7z920.msi'.
To correct this, download the patch to the share, or change the download source to the vendor.
You can switch the download source by going to Tools > Operations > Downloads > Patch and Service Pack download source > select Vendor web sites to download the patches directly from the vendor.
- Vendor removed the patch from the specific url
Try copying the URL directly into a browser to download it. If you receive an error from the vendor site such as a "404 Not Found", this may indicate the patch has been moved or removed by the vendor. Verify you are using the latest Patch data by performing a Help > Refresh Files. If you are using the most up-to-date Patch data and the issue persists, please open a case with Shavlik support identifying the patch's Q#, the URL that is having an issue, and the version of Patch deployment (file on disk) as found under Help > About > Version Info.
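The download checks above can be scripted against the ST.Protect.Managed...Log file. The following is an added example, not Shavlik code: the function name is hypothetical, the sample lines are constructed from the entries quoted in this article, and the vendor-URL error line (example.invalid) is an assumed format.

```powershell
# Added example: pull download failures out of ST.Protect.Managed log lines and
# suggest the next check from this article. Function name is hypothetical.
function Get-ProtectDownloadIssue {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        $source = $null
        if ($Line -match "\|Download Error '([^']+)'") {
            $source = $Matches[1]; $reason = 'Download Error'
        }
        elseif ($Line -match '\|(\S+) not downloaded: (.+)$') {
            $source = $Matches[1]; $reason = $Matches[2].TrimEnd()
        }
        if ($source) {
            # A quoted file:// URL or UNC path means the download source is a share.
            $fromShare = $Line -match "'(file:|\\\\)"
            $next = if ($fromShare) {
                'Put the patch on the Distribution Server share or switch the download source to the vendor'
            } else {
                'Open the URL in a browser; check for firewall, proxy or anti-virus blocks, or a vendor 404'
            }
            [pscustomobject]@{
                Timestamp = ($Line -split '\s+')[0]
                Source    = $source
                Reason    = $reason
                NextCheck = $next
            }
        }
    }
}

# Constructed sample input; the last line is an assumed vendor-URL failure.
$sample = @'
2013-12-17T23:49:47.4748336Z 0001 V SingleFileDownload.cs:481|Downloading from 'http://surfnet.dl.sourceforge.net/project/sevenzip/7-Zip/9.20/7z920.msi' to 'C:\Users\Nevans\AppData\Local\Temp\stb537e574-5adb-4efa-8e7d-b2a962290085.tmp'.
2013-12-18T22:08:56.5798742Z 0001 V SingleFileDownload.cs:563|Download Error 'file://nevans-pc/DistributionServer/7z920.msi'.
2013-12-18T22:08:56.5803742Z 0001 V DownloadItem.DownloadFileCompleted|7z920.msi not downloaded: Connection lost: Could not find file '\\nevans-pc\DistributionServer\7z920.msi'.
2013-12-18T22:10:01.0000000Z 0001 V SingleFileDownload.cs:563|Download Error 'http://example.invalid/patches/ExamplePatch-A.exe'.
'@ -split "`r?`n"

$sample | Get-ProtectDownloadIssue | Format-List
```

Against a real console log, replace `$sample` with `Get-Content` on the log file in the logs directory.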
Did Patches Copy To The Target?
After the patches are downloaded, they are copied to the target machine to the directory C:\Windows\ProPatches\Patches\
YES - Patches Did Copy to C:\Windows\ProPatches\Patches\
If the patch(es) did copy to the target machine, proceed to the next step.
NO - Patches Did Not Copy to C:\Windows\ProPatches\Patches\
If the patches fail to copy to this directory, they cannot be called to install.
Troubleshooting Possible Copy Issues
- Does the Target have Anti Virus Software?
- Anti Virus software may delete patches that get copied to the target based on their settings. Try disabling any Anti Virus on the target to see if the patches will copy to the target machine for installation.
- Is the Deployment Template using a Distribution Server?
- This can be verified by opening the Deployment Template and going into the Distribution Server tab. If 'Use Distribution Server by IP Range' is selected, verify the patch exists on the appropriate DS.
- Alternatively, choose to use 'Console Push'. This will cause Protect to copy the patch from the Console itself, as opposed to having the target initiate a copy from the Distribution Server.
Did The Batch File Run?
After the patches are copied to the target machine, a batch file that contains the necessary installation switches is also copied to the target. This file is located under C:\Windows\ProPatches\Install\. The last thing the batch file does after it runs is rename itself from a .BAT extension to a .HIS extension. If the extension has changed, that indicates the patches should have all been executed (though not necessarily successfully).
YES - Batch File Ran and Has .HIS Extension
If the Batch file has a .HIS extension, proceed to the next step.
NO - Batch File Did Not Run and Has .BAT Extension
If the Batch file still has a .BAT extension, this indicates the patches have not all finished running. There are a few reasons this might happen.
- One of the patches is still running.
- If a patch is still in the process of running, the batch file will not have received the return information to rename itself. This can be caused by a patch taking a long time to install (which may not actually be a failed install, but may still be in progress). It is also possible for a patch to get hung up if the machine's resources are being heavily utilized, or if the patch has received incorrect silent switches. To troubleshoot these:
- Patch is still installing - Look for the patch in the list of active processes. End the process if found to continue to the next patch in the deployment.
- Alternatively reboot the target, and re-deploy.
- Patch is frozen while installing - Look for the patch in the list of active processes. End the process if found to continue to the next patch in the deployment. If the patch continues to have this behavior it may have an incorrect switch being passed to it. Ensure you are on the latest xml data by performing a Help > Refresh Files, and try deploying again. If the issue persists, contact Technical Support with the Q# of the patch, your Assessment Version and Deployment Version (located under Help > About > Version Info) and the OS of the target machine.
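The copy and batch-file checks from the last two sections can be run together on the target. The following is an added example, not Shavlik tooling: the folder names come from this article, while the function name and the demo file names are hypothetical.

```powershell
# Added example: report whether patches were copied, whether the batch file has
# been renamed to .HIS, and whether a patch process is still active.
function Get-ProPatchesBatchState {
    param([string]$Root = 'C:\Windows\ProPatches')

    $patches = @(Get-ChildItem (Join-Path $Root 'Patches') -File -ErrorAction SilentlyContinue)
    $batch   = @(Get-ChildItem (Join-Path $Root 'Install') -File -ErrorAction SilentlyContinue)
    $pending = @($batch | Where-Object { $_.Extension -eq '.bat' })
    $done    = @($batch | Where-Object { $_.Extension -eq '.his' })

    # An .exe patch runs as a process named after the file; MSI/MSP packages
    # are installed by msiexec.exe instead.
    $names = @($patches | Where-Object { $_.Extension -eq '.exe' } | ForEach-Object { $_.BaseName })
    if ($patches | Where-Object { $_.Extension -in '.msi', '.msp' }) { $names += 'msiexec' }
    $running = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.ProcessName })

    if (-not $patches)              { $state = 'PatchesNotCopied' }
    elseif ($pending -and $running) { $state = 'InstallStillRunning' }
    elseif ($pending)               { $state = 'BatchNotFinished' }
    elseif ($done)                  { $state = 'BatchCompleted' }
    else                            { $state = 'NoBatchFile' }

    [pscustomobject]@{
        State          = $state
        PatchFiles     = $patches.Name
        PendingBatch   = $pending.Name
        FinishedBatch  = $done.Name
        RunningProcess = $running | ForEach-Object { '{0} (PID {1})' -f $_.ProcessName, $_.Id }
    }
}

# Constructed demo tree so the example runs on any machine.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ProPatchesDemo'
'Patches', 'Install' | ForEach-Object {
    New-Item (Join-Path $demo $_) -ItemType Directory -Force | Out-Null
}
New-Item (Join-Path $demo 'Patches\ExamplePatch-A.exe') -ItemType File -Force | Out-Null
New-Item (Join-Path $demo 'Install\ExampleDeployment.bat') -ItemType File -Force | Out-Null
Get-ProPatchesBatchState -Root $demo | Format-List
```

On a real target, call `Get-ProPatchesBatchState` with no arguments to inspect C:\Windows\ProPatches.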
Are There Errors In The CL5.log?
When patches are executed on the target machine, they log their exit codes in the file: C:\Windows\ProPatches\Cl5.log
Open the Cl5.log file and search for the patch's name. There should be an entry that looks similar to this:
2013-12-19T17:20:57.4472656Z 0e88 I CommandLine.cpp:2157 Patch Install returned 0: Patchname.exe
If the patch is installed successfully, it returns '0'.
If the patch requires a reboot, it returns '3010'.
If the patch returns any other code, it is an error and the code needs to be troubleshot. The meaning of the code can typically be found by searching online. Alternatively, trying to run the patch manually should give you a prompt indicating the error.
Example:
This is a successful install of the patch 7z920-x64.msi
2013-12-19T17:20:57.4472656Z 0e88 I CommandLine.cpp:2157 Patch Install returned 0: 7z920-x64.msi
NO - CL5.Log Has No Errors
If the CL5.Log file has no errors, proceed to the next step.
Yes - CL5.Log Has Errors
After finding the Patch Install Returned line and the exit code that was returned, search the error code online. Common phrasing to search the error code includes 'Patch install exit code [exit code value]'.
Once you have located the error associated with the exit code, troubleshoot the specifics of the error accordingly.
Example: The patch install returned a value besides '0' or '3010', so we suspect an error.
013-09-25T20:15:52.8975412Z 16e4 I CommandLine.cpp:2157 Patch Install returned 17025:oart2010-kb2553157-fullfile-x86-glb.exe
An online search for 'Patch install exit code 17025' locates a Microsoft article with the error message that corresponds to the error code:
17025 = Patch Already Installed
Note: If unable to locate an associated error with the exit code found, running the patch manually will typically present a pop up with the error message. See Next Section for more information.
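The exit-code review described in this section can be scripted. The following is an added example, not part of Shavlik Protect: the function name is hypothetical, and the sample lines are constructed from the entries shown in this article (the 3010 entry, its patch name, and all timestamps are made up).

```powershell
# Added example: classify "Patch Install returned" entries from Cl5.log using
# the rules in this article (0 = success, 3010 = reboot required, else error).
function Get-PatchInstallResult {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        # The patch name may follow the colon with or without a space.
        if ($Line -match 'Patch Install returned (-?\d+):\s*(.+?)\s*$') {
            $code  = [int64]$Matches[1]
            $patch = $Matches[2]
            $status = switch ($code) {
                0       { 'Installed' }
                3010    { 'RebootRequired' }
                default { 'Error' }
            }
            [pscustomobject]@{
                Timestamp = ($Line -split '\s+')[0]
                Patch     = $patch
                ExitCode  = $code
                Status    = $status
            }
        }
    }
}

# Constructed sample input modelled on the entries in this article.
$sample = @'
2013-12-19T17:20:57.4472656Z 0e88 I CommandLine.cpp:2157 Patch Install returned 0: 7z920-x64.msi
2013-12-19T17:25:10.1000000Z 0e88 I CommandLine.cpp:2157 Patch Install returned 3010: ExamplePatch-A.exe
2013-12-19T17:31:42.2000000Z 16e4 I CommandLine.cpp:2157 Patch Install returned 17025:oart2010-kb2553157-fullfile-x86-glb.exe
'@ -split "`r?`n"

$results = $sample | Get-PatchInstallResult
$results | Format-Table -AutoSize

# Exit codes that still need to be looked up and troubleshot:
$results | Where-Object { $_.Status -eq 'Error' } | Format-Table Patch, ExitCode -AutoSize

# On a target machine:
# Get-Content C:\Windows\ProPatches\Cl5.log | Get-PatchInstallResult
```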
Do You See Errors When Installing The Patches Manually?
When a patch finishes executing it will return an 'exit code' that is logged into the file C:\Windows\ProPatches\Cl5.log (covered in previous section).
If the Cl5.log shows an exit code other than 0 or 3010, this typically indicates an error occurred. If searching online does not yield an answer to what the exit code means, running the patch manually will usually provide an error message to troubleshoot from.
To run the patch manually, on the target machine navigate to C:\Windows\ProPatches\Patches\ and find the patch to be tested. Double click the file to run it. Often the error appears immediately upon running, whereas some patches require clicking through several steps before the error occurs.
Note: If the patch does not return an error, it may install successfully. If this occurs, in order to troubleshoot why it failed to install from Protect, the patch must first be uninstalled so a reinstall of the patch via Protect can occur for testing purposes.
YES - Running the Patch Manually Returns Error/Fails
If the patch returns an error when running, get a screenshot of the exact error message (this will be needed by support in the event a ticket is opened).
Often times the error message presented offers enough information to troubleshoot from.
Example: If looking up the exit code indicates the cause is a full hard drive, the solution would be to clear hard drive space to allow the patch to install.
NO - Running the Patch Manually Installs Without Issue
Most patch install failures will meet one of the listed criteria. If you are not finding this to be true in your situation, it is recommended to open a ticket with Technical Support. When opening the ticket, please provide the Q# of the affected patch, the Operating System of the target machine, the Patch Assessment and Patch Deployment versions located under Help > About > Version Info, the logs from the console, and the logs from the target machine.
Related Document: Gathering Console, Client Side (agentless), and Agent logs for Protect
Products
Shavlik Protect 9.x