BGags

How I got to 95% patch efficacy in Eight Easy(?) Steps


A gift from me to you!

 

Great analysis and thanks for the script! I have it implemented and it's implemented at least part of the patching issues we are facing.

 

Terry

I'm not actually going to post my Windows Update Repair script since it references a lot of EDFs that won't exist for you, but...

 

Would I be an awful person if I asked you to share it anyway? It seems to me that building off of your work - even if I have to rearrange EDFs - is easier than reinventing the wheel here.

(I confess, I'm lazy, but isn't that the point of automation?)

 

If I make any improvements I'd be more than happy to share them with the collective in turn.

 

+1 for this. I'd love to see your script as well BGags. It's much easier to "sanitise" an existing script than to recreate from scratch. Just make a disclaimer that this script requires editing before it will work correctly on each LT installation.

 

Steve.

Well here is a demo of what I have so far.

 

I neutered the Update so do not expect that to work in this release. I am looking at ways to make that better. I have included the autoplugin code so as I update the plugin you will get the new versions automatically.

 

http://lp.squidworks.net/index.php?PRODUCT=887F1867-86E4-48B9-95DC-EE79AC12E6F0

 

 

Have fun...

 

Remember to restart the LT DBagent and your console after adding DLL.

 

 

Cubert :ugeek:

 

Hey Cubert,

 

Maybe I'm having a "blond day" (no offence intended people), but I've installed this plugin, restarted the DB Agent, and restarted CC, but I can't find the plugin anywhere... Plugin Manager says it's installed, but I can't find the UI anywhere...

 

Steve.


You asked, I got the message. I've updated the main post to include the WindowsUpdateRepair.zip script, the main script that goes around and automatically fixes stuff.

 

I've replaced references to my scripts and EDFs with comments telling you what's supposed to happen and when. Also, pay attention to the Globals tab which is used to track which WUA version I want to shove at Windows 7 and 2008 R2 servers (because those are the WUA problem children right now).

 

Thread-followers take note: I've updated the main topic text with an additional numbered point (that I should have added originally) about how and when to generate tickets for manual patch remediation. It's a little technical, a little philosophical. Go read.

 

Also: Wow, guys. This topic got way more support than I thought it would. I'm glad I could help.


Cubert, I have installed the Patch Remedy plug in and when I close it after opening all of the switches turn off. Is it going to be a requirement to keep the plug in open all of the time? I am very impressed with the plug in thus far. If it needs to be open all of the time I will install it on my labtech server as it won't be in the way on there. Thank you for your quick work as patching has been my biggest headache lately.

 

BGags, that was a fantastic write up and I intend to implement your processes on my system in hopes of achieving patch percentages like you are seeing. Thank you for the post as it is something we suffer with constantly, and based on the responses I am not the only one suffering.


I really want to offer a disclaimer here: This is a process that has been in the slow works for about a year. It took me a very long time to make it all work for me. So, while I hope this all goes a long way in helping people raise their patch numbers, don't expect a couple scripts and custom EDFs to peg your efficacy stats overnight. You'll probably find a lot of holes to plug in your own deployments, and I hope you add your problems (and solutions!) to Geek here.

 

If you DO find overnight success, I think I might resent you a little. That hatred can be abated with a compensatory check in the mail, however...


Did you restart the LT DBAgent? I bet you're missing the tables so nothing is saving.


I did restart the agent as well as the server. Same result either way. What tables are you referring to?

 


You should have 2 tables in SQL

 

plugin_sw_patch_remedy_wua

and

plugin_sw_patch_remedy_config

 

plugin_sw_patch_remedy_config should have 1 row as Client 0


I am missing the plugin_sw_patch_remedy_config table in SQLyog. Any idea for how to get it in there easily?


Ahh.... We found a bug!!! Well, more like a typo in the create table #2.

 

I am fixing that now and should have a release out today. Also added in the auto update WUA piece and am finishing up on Windows Update checker which will flag systems with possible issues.


Thank you so much Cubert!! You are the man! I will keep an eye out for the new version today.


Ok released 1.0.0.2

 

What's new?

 

We added in the Auto Update Windows 7 and 2008 feature so that should now be working (loosely said); we also added in the nightly check for messed up systems. This check updates the database and will show you the problem systems in the systems issues tab of the plugin. You can then right-click the troubled system and open console, try an update of WUA or try the repair as mentioned in previous posts.

 

Get it here; keep in mind this is hot off the presses and with little testing, so things may not function perfectly. Please let me know if you find a bug or if a function seems not to work for you.

http://lp.squidworks.net/index.php?PRODUCT=887F1867-86E4-48B9-95DC-EE79AC12E6F0

 


That is working much much better. Thank you for the quick fix. Does the autoupdate switch automatically reboot after updating the agent?


As expected I found several things wrong with Patch Remedy after release yesterday, like I forgot to uncomment the function that actually does the auto updating. I also forgot to disable the two exit script functions I placed in script to stop after MSI download. So just a few little oopses. I'll get that all fixed and some testing in today and get a new release out this afternoon.

 

Cubert :ugeek:


Cubert that is a fantastic write up and explains to my coworkers why it is working much better than when I was trying to explain it. My only question left unanswered is when I have the auto update switch on for WUA will it allow the computer to reboot when it is finished with the update? I have not turned it on yet for fear of reboots happening while customers are working.


Yes, these updates require reboots so automation may not be what you want. You can use the System Issues tab to select a system, launch a console to see if it is logged in and/or idle, push the update at it and let it reboot if it so desires, and lastly run the WUA reset as described in this post, which does not reboot anything.

 

Allow the nightly systems scans to complete again and you should see your main graph start to change.

 

Ideally you want to see only 1 WUA version per OS type. If that is achieved then you are up to date and everyone matches their WUA versions. When you see (9) in the bar graph like I have in pictures above, that means you have 9 different versions of WUA deployed across Windows 7. And that sucks...


So 11 different versions is not healthy? HAHA. For whatever reason after the new update to 1.0.0.3 my patches installed today is at 0. Before that I was at several thousand. That is a little concerning but not a big deal in the grand scheme of things. I know I don't have any companies below a 65% patched any longer and before this plug in I had several under 50% patched, which I have been fighting unsuccessfully for over a month with no luck. Hats off to you and BGags!!


Massive +1 to BGags for his excellent patching rundown and advice, and to Cubert for his brilliant as always plugins...

 

It's people like both of you that make the LT community so great!


Hi everyone,

 

I'm attempting to "tweak" the "Windows Update Repair Check" script and need a bit of a hand.

 

This is the line in the script that gets the SQLDataset

SELECT DateFinished FROM h_commands WHERE h_commands.`Command`='101' AND h_commands.`Status`='4' AND h_commands.`ComputerID`='%computerid%' ORDER BY h_commands.`DateFinished` DESC LIMIT 3

 

This just searches for systems that have had Hotfix scans with a status of "failed".

 

For our use, we also need to include systems that have generated an error during the update process, and these are NOT caught by the above SQL.

 

So, what I'd like to achieve is to also include in the returned dataset records where (h_commands.'Command' = '100' and h_commands.'OutPut' like '%error%'). This is regardless of the value for Status.

 

This will give a far more accurate search for systems that need patch remediation, so if anyone can assist with the SQL... :D

 

Thanks

 

Steve.


 

This is the line in the script that gets the SQLDataset

SELECT DateFinished FROM h_commands WHERE h_commands.`Command`='101' AND h_commands.`Status`='4' AND h_commands.`ComputerID`='%computerid%' ORDER BY h_commands.`DateFinished` DESC LIMIT 3

(cut for brevity)

 

So, what I'd like to achieve is to also include in the returned dataset records where (h_commands.'Command' = '100' and h_commands.'OutPut' like '%error%'). This is regardless of the value for Status.

 

If you look carefully at the columns listed in the h_commands table above, the symbols surrounding the column names are NOT single quotes, they're the "grave" marker, or "reverse single quote". You can actually omit them and be okay; they're typically used for column names that contain spaces, like many in the v_extradatacomputers table.

 

h_commands.`Command` = '100' and h_commands.`OutPut` like '%error%'

This should give you what you're looking for, I think.

 

Also? What a good idea! I should absolutely be trapping for this as well. I LOVE COMMUNITY! Nice idea, Steve.

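The combined lookup discussed in the two posts above, written out as an added example (not part of the original thread or of BGags' script). It runs against a constructed temporary table, demo_h_commands, that has only the five columns named in the thread, with assumed types; in the LT script the table is h_commands and the literal 42 is '%computerid%'.

```sql
-- Constructed stand-in for h_commands: only the columns named in the thread,
-- with assumed types. Run it in a scratch schema, not the LT database.
CREATE TEMPORARY TABLE demo_h_commands (
  `ComputerID`   INT,
  `Command`      INT,
  `Status`       INT,
  `OutPut`       TEXT,
  `DateFinished` DATETIME
);

-- Constructed sample rows (dates, output text and Status 3 are made up).
INSERT INTO demo_h_commands VALUES
  (42, 101, 4, 'scan failed',               '2014-05-01 02:00:00'), -- failed hotfix scan
  (42, 101, 3, 'scan ok',                   '2014-05-02 02:00:00'), -- scan with another status
  (42, 100, 3, 'install error 0x80070005',  '2014-05-03 02:00:00'), -- error text, Status not 4
  (42, 100, 3, 'installed 4 patches',       '2014-05-04 02:00:00'), -- update without error text
  (77, 100, 3, 'error contacting server',   '2014-05-05 02:00:00'); -- a different computer

-- Either condition qualifies a row, but both stay scoped to one computer.
-- The outer parentheses matter: AND binds tighter than OR, so without them
-- the ComputerID filter would apply only to the Command 101 branch and the
-- Command 100 branch would pull in error rows from every computer.
SELECT DateFinished
FROM demo_h_commands AS h
WHERE h.`ComputerID` = 42
  AND (    (h.`Command` = 101 AND h.`Status` = 4)
        OR (h.`Command` = 100 AND h.`OutPut` LIKE '%error%') )
ORDER BY h.`DateFinished` DESC
LIMIT 3;

DROP TEMPORARY TABLE demo_h_commands;
```

Whether LIKE '%error%' also matches "Error" or "ERROR" depends on the collation of the OutPut column, so check that before relying on the count of rows returned.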
