BGags

How I got to 95% patch efficacy in Eight Easy(?) Steps


Hi Rami, is it possible to re-upload this? I think the link's expired.

Thanks!

 

Sure, I uploaded it into another site, but unfortunately it will be deleted after 7 days.

I will try to find a better site, or if anyone can provide me with a better solution, to avoid having to keep uploading it forever :)

Please find the txt file attached.

 

 

Edit*: I deleted the attachment here because Microsoft released a new Windows Update Client for Windows 7 x32 and x64, and Windows Server 2008 R2 x64.

I'm updating the script and will upload it in another post.

Edited by Guest

I'm sorry, I uploaded it to a free upload site because I think it is too big to be attached here (24 MB).

The download link is in the attached txt file.

 

Hi Rami, is it possible to re-upload this? I think the link's expired.

 

Thanks!

 

Also, is anyone interested in a script that pushes the update for Windows 7 32-bit machines that fixes the issue with "Out of Memory Errors"? I had to put one together because the LT KB's suggested method (https://docs.labtechsoftware.com/knowledgebase/article/10097) wasn't working.

 

+1 for the script to fix the Win7 32-bit out of memory errors!


Hi kalin and SteveTeece,

I have this script, but not only for Win7 x32. It's also for Win7 x64 as Microsoft says here:

https://support.microsoft.com/en-us/kb/3050265

I think this error happens in all Windows OSes (I don't have any idea about Windows 10), so I will cut my script into 2 parts, and you can choose whichever you like:

 

- For Win7 x32\x64, exactly as the LT doc at your link prefers, download KB3050265 to solve the Out Of Memory error:

https://docs.labtechsoftware.com/knowledgebase/article/10097

Hexadecimal Error Code is: 8007000E, E_OUTOFMEMORY

But the script will download the KB from Microsoft, not through the LT KB URL, and then install it using WUSA.EXE.

Please find the script "Out Of Memory Errors.xml" in the attached zip file. (Not tested yet)

 

- For Windows 8.1, Windows 8 (or even Windows 7 x64, I think, per the link below), the script should do different things to fix this error, as described at the following link:

https://support.microsoft.com/en-us/kb/836941

Hexadecimal Error Code is: 0x80070008, ERROR_NOT_ENOUGH_MEMORY

The FixIt that you see at this link does the same as BGags already explained in his topic (his script) to reset Windows Update components. Actually, I have small differences in my script, but you can use either one.

Here are the steps:

https://support.microsoft.com/en-us/kb/971058

Please find the script "Reset Windows Update components.xml" in the same attached zip file. (Tested)

Note that you have to change line 46 and navigate to the script that I uploaded in a prior post, "Check and Update WUA", as the last step before reboot in resetting Windows Update components.

Anyway, I mentioned that for you as a note in the script.

Also, please note that there is a Force Reboot at the end of this script, as MS prefers. Change it if you want!

 

 

If you want to merge the 2 parts into 1 script, you just have to keep the steps for Win7 in the first script, and add (run script "Reset Windows Update components") instead of exiting the script if non-Win7.

 

Again, the attached ZIP file should contain:

Out Of Memory Errors.xml

Copy of Reset Windows Update components.xml

 

Feel free to ask if you have any questions (or maybe issues) about them.

 

Thank you

Out Of Memory Error.zip

Edited by Guest


Sorry guys, I've been so busy these past few days I haven't had the time to post my version of the out-of-memory for 32-bit Win machines ...


Hi all,

I've been traveling down the patching rabbit hole and this thread has been very helpful so thanks.

 

If any of you use LogMeIn as well as Labtech (we are phasing LMI out), you should know that LMI has the ability to go and check for Windows Updates/Health status. If this happens during a patch window it will stop your current Windows Update and break, usually giving the error 0x8024001E.

 

These are the registry keys you need to change and create to stop this from happening:

[HKEY_LOCAL_MACHINE\SOFTWARE\LogMeIn\V5\PatchMgmt]

Set----"DisableWUAUpdate"=dword:00000001

Set----"WUAStatus"=dword:00000000

Set----"MicrosoftUpdate"=dword:00000000

Create----"PatchMgmtEnabled"=dword:00000000

 

Hope this helps someone!
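The registry values from the post above can be audited across agents before a patch window. This is an added example, not part of the original post and not LogMeIn's or LabTech's own tooling; the function name `Test-LmiPatchMgmt` and the `-Fix` switch are hypothetical, and the key path and values are taken verbatim from the post.

```powershell
# Added example. PowerShell 2.0 compatible; run elevated when using -Fix.
# Key path and DWORD values are copied from the post above.
$LmiPath = 'HKLM:\SOFTWARE\LogMeIn\V5\PatchMgmt'
$Desired = @{
    DisableWUAUpdate = 1
    WUAStatus        = 0
    MicrosoftUpdate  = 0
    PatchMgmtEnabled = 0   # the post says this value has to be created
}

function Test-LmiPatchMgmt {
    param([switch]$Fix)   # hypothetical switch: write the desired values

    if (-not (Test-Path $LmiPath)) {
        Write-Warning "$LmiPath not found; nothing to check on this machine."
        return
    }
    $props = Get-ItemProperty -Path $LmiPath
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $current   = $props.$name                      # $null when the value is missing
        $compliant = ($null -ne $current) -and ($current -eq $Desired[$name])
        $changed   = $false
        if (-not $compliant -and $Fix) {
            # -Force creates the value or overwrites an existing one
            New-ItemProperty -Path $LmiPath -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
        New-Object PSObject -Property @{
            Name = $name; Current = $current; Desired = $Desired[$name]
            Compliant = $compliant; Changed = $changed
        } | Select-Object Name, Current, Desired, Compliant, Changed
    }
}

# Report only; add -Fix to apply the values from the post.
Test-LmiPatchMgmt | Format-Table -AutoSize
```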


Windows Update Client for Windows 7 and Windows Server 2008 R2: December 2015

https://support.microsoft.com/en-us/kb/3112343

 

The WUA has been updated from 7.6.7601.19046 to 7.6.7601.19077 for Windows 7 (x32\x64) and Server 2008 R2 (x64),

so today I changed the steps in the script for these OSes only. Now it will download KB3112343.

Attached is a TXT file with 2 links for downloading the script.

 

Thank you.

 

Edit* :

I deleted the attached file after MS released a new update for Win 7 and 2008 R2 in March 2016, V. 7.6.7601.19161: https://support.microsoft.com/en-us/kb/3138612

You can download the new script from here >>> viewtopic.php?f=21&t=2498#p15589

Edited by Guest


I really love this plugin so far and have learned a lot from this post. Any chance that a feature could be added to the plugin that would allow you to filter by the service plan assigned instead of looking at all agents?


Hello,

 

All of this sounds amazing and this is exactly what we seem to be up against. Our patching seems to be woefully inadequate and the resolution steps here seem great. Unfortunately I have no understanding of how to achieve most of this. I was looking in the search functions and do not see the obvious way of searching by missing approved patches. It looks like this would be key to begin to build the auto-join group for daily remediation. Then my assumption is this could apply the template for daily patching so they try and catch up? Again, sorry for the noobish understanding of this all, but I'm pretty new to the whole thing and have not done much deeper in LT over what it comes with.


This information is extremely useful if someone didn't start utilizing patching on LT yet. I just started testing patching on LT and it has been going good so far. My only concern is, I am testing patching for one client currently. I can see what patches were installed, and what patches are missing.

 

If I compare the list of missing patches from one particular agent to the global missing patches list for the same filter based on OS and such, obviously the number of missing patches is different. In my case, the agent I was looking at had 37 missing patches and the global list had 150 missing patches for the same filter. Since I am not doing patches across the board for all the clients, I do not want to touch any other patches other than the 37 missing ones.

 

To make this happen, I literally search for each KB number on the global list and set them to install. I know I can just approve them all and only those 37 on that agent will be installed since Ignite patching is set only for that specific client, but knowing how sensitive LT is, I wouldn't be surprised if something major happens without my intervention. Is there a better and faster way to do this, especially when you have only a handful of clients who gave you the permission to patch their servers? Any help is much appreciated !!


Hey, NetOps: How are you approving your updates? Are you using the Patch Manager to approve updates to the "Windows Updates.Approved" group? Also, which "Global Missing Patches" list are you referring to?

 

Here's one of the things about KB articles: Each unique update delivery package has its own GUID, and there can be multiple GUIDs for each KB + Operating System combination. Especially if Microsoft supersedes an older one with a newer one, because the original deployment of a KB-based patch had some sort of bug. Also, sometimes KB articles are deprecated entirely in favor of newer update combinations.

 

The point is, when you're "filtering" your patches, you might not be seeing everything under the hood if you're just browsing by dataview or whatever.

 

The whole reason the Windows Update Agent on each individual endpoint must be up-to-date is because you're basically relying on its input to determine which patch GUIDs are needed and relevant for that endpoint. LabTech reads the hotfix inventory information, compares it with the patch GUIDs that have been approved in the database, and then installs those patches. If the WUA doesn't think the agent needs it, they won't be installed. Trust the WUA's judgment on this!

 

Does that answer your questions?
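To see what the post above describes, the local Windows Update Agent can be asked directly which update packages it considers applicable, with each package's GUID next to its KB number. This is an added example, not part of the original post and not LabTech's code; the function name `Get-WuaMissingUpdate` and the `-Offline` switch are hypothetical, while the `Microsoft.Update.Session` COM interface is the standard Windows Update Agent API.

```powershell
# Added example. PowerShell 2.0 compatible. By default the search contacts
# the update source configured on the endpoint (Microsoft Update or WSUS).
function Get-WuaMissingUpdate {
    param([switch]$Offline)   # hypothetical switch: use only the agent's local cache

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    if ($Offline) { $searcher.Online = $false }

    # The WUA itself decides what is applicable and not yet installed
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        New-Object PSObject -Property @{
            KB       = ($kbs -join ',')
            UpdateId = $u.Identity.UpdateID        # the per-package GUID
            Revision = $u.Identity.RevisionNumber
            Title    = $u.Title
        } | Select-Object KB, UpdateId, Revision, Title
    }
}

$missing = @(Get-WuaMissingUpdate)
"{0} applicable update(s) reported by the WUA" -f $missing.Count
$missing | Sort-Object KB | Format-Table -AutoSize

# KB numbers that map to more than one update package on this endpoint, if any
$missing | Group-Object KB | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0}: {1} packages" -f $_.Name, $_.Count }
```

Comparing the `UpdateId` column with the approved patch GUIDs in the RMM database shows why a KB-number filter alone can miss packages.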


Hello BGags,

 

Thank you so much for the detailed response !

 

Currently, only 1 client of ours signed up for Patching through LT. They would like to see how it goes and how reliable it is. Since it's only one client, I use the dataview to see what the missing patches are for that specific client, and compare the list with the Global Patch Manager list filtered by Operating System. Once I have these 2 views on 2 screens, I get each KB number from the client missing patches dataview, search for that KB on the Global list, and APPROVE it or set it to INSTALL.

 

The reason why I am doing this is because I don't want to risk it by approving everything under that Operating System on the Global patch manager. I only want to touch what's missing for that ONE client. At the same time, perform the job as if I am doing it for multiple clients to get practice. I hope this information clears up how I am performing patches. This process works just fine but it's very labor intensive since I am doing manual work.

 

I was just trying to find out how every one else is performing the "Approve Patches" process out there when it comes to ONE client Vs 500 clients.

 

From your feedback above, I learned something new :) We can't survive without LT Geek !


If you're just getting started, what I propose might be a little detailed for you. But you can define a custom group as a "Patch Testbed" group, approve patches directly on that using the Patch Manager, and then create an auto-join search bound to the group that includes your "Test" client. Then you can get used to using the Patch Manager.

 

Ideally, you want to approve most patches once in just one place, then approve (or deny) additional patches based on group memberships as needed for occasions where additional updates are desired, or a certain patch is known to blow stuff up for one company. But you're still going to need to approve all patches.

 

I suppose one thing you could do is Disable Patch Approval (Ignite tab) for all your agents BUT those that belong in your test client. With any complex system like LabTech, there are a hundred ways to go about resolving configuration issues, and I guess I don't want to make that decision for you. :-)

 

Group membership, auto-join searches, and other stuff of that nature are really beyond the scope of this thread I think. But you should totally drop in on the ##labtech IRC channel. I and other weirdos like me hang out there quite often and are willing to answer questions.


That's awesome ! This plugin makes the patching job so much easier ! If I can make the payments for my company, I would so do it right now :) But, have to go through the finance for this :( Will put it on their list right away ! Thank you !!


When we started this project we had almost 600 systems out of date with WUA. Many systems were stuck on 76.7600.320, which is really old. We pondered the number of patches just one machine was missing using such an old WUA, that it could be several hundred per PC; we figured patching had pretty much stopped as far back as 14 months ago for many of these systems. During the last 30 days, using the product we were developing, we managed to get that number down to 54.

 


We are now 97% Up to date across our MSP for WUA and patching is accurate and consistent.

 

 

 

We do a weekly metrics meeting here at my MSP, and over the last month my boss has been following our success as we explored and probed the problem and solutions. Our Admin team and CIOs are ecstatic with the results, so much so that dinner is on them tonight!

 

If anything, it ensures you know where you stand day to day.

 

Cubert :ugeek:


Hey Cubert,

 

Is this plugin available at client / location / agent level for granularity purposes? Or is it one central management screen where we need to configure the settings? The reason why I am asking this is because we are a global company and it will be easier to configure the time frames based on the regions. For example, if there is a client in HK and SG, we can configure them to update & reboot during US business hours, and the same goes for other regions as well, so we don't load up the LT server as there are other tasks scheduled.

 

Also, I haven't tried this plugin yet. Do we have a trial version of this available before we purchase it? It seems very promising !


Just in case this helps with Win7 machines.

We found the presence of KB3004394 was causing serious issues, so we removed it and that sorted out quite a number of Win7 machines.

We then installed the (Dec 2015) WUA patch KB3112343 and things are working well.

 

Still a few machines that need work though.
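A per-machine check for the two things this thread keeps coming back to, the WUA version on Windows 7 / Server 2008 R2 (from the December 2015 and March 2016 posts above) and the KB numbers named in this post, can be scripted as below. This is an added example, not code from any poster or from LabTech; the function name `Get-WuaReadiness` is hypothetical, and the version and KB numbers are the ones quoted in the thread.

```powershell
# Added example. PowerShell 2.0 compatible so it runs on stock Windows 7.
$MinimumWua = [version]'7.6.7601.19161'                 # thread: KB3138612, March 2016
$WatchedKbs = 'KB3004394', 'KB3112343', 'KB3138612'     # KB numbers named in the thread

function Get-WuaReadiness {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Build the agent version from the engine DLL's numeric fields, which
    # avoids parsing any text appended to the version string.
    $vi  = (Get-Item (Join-Path $env:windir 'System32\wuaueng.dll')).VersionInfo
    $wua = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart

    $report = New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OS         = $os.Caption
        WuaVersion = $wua.ToString()
        WuaCurrent = $null       # stays $null on anything other than 6.1
    }

    # The minimum above only applies to Windows 7 / Server 2008 R2 (NT 6.1)
    if ($os.Version -like '6.1.*') {
        $report.WuaCurrent = ($wua -ge $MinimumWua)
    }

    # Record whether each KB named in the thread is installed
    foreach ($kb in $WatchedKbs) {
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $report | Add-Member -MemberType NoteProperty -Name $kb -Value ([bool]$hit)
    }
    $report
}

Get-WuaReadiness | Format-List
```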


Is anyone using an LT Patch Cache directory?

 

I'm wondering if this isn't the source of some of our issues with patching. Patches are being cached, the directory is accessible and Ninite uses the cache directory as well.


Great article and thread.

 

When I go to upload the .dll into our sandbox, I get "There was an error uploading the new plugin". Anyone else run into this issue and found a remedy?

 

I may simply recreate these ideas, but the plugin could save a ton of time and I really appreciate it. Would love to at least test it.


Hey Seth - this is just a wild guess, but I think when I've run into that problem the solution was to look at the properties of the downloaded file (in Windows), and click the 'Unblock' button.
