Environment
Novell ZENworks 10 Configuration Management Patch Management
Novell ZENworks 11 Configuration Management Patch Management
Situation
Assuming that the vulnerabilities were cached, and that the zpm bundles content is available, and that the DAU was run and vulnerabilities were reported for a managed agent, and that the remediation bundle was assigned, how do you troubleshoot problems with remediation failing on the workstation?
Resolution
See TID 3418069 How to enable debug logging for ZENworks 10 and 11 Configuration Management at support.novell.com knowlegebase:
Component Name: Patch Management for information on which logs to collect from the managed device. Additionally look in zpm directory on the agent to find the result file *plp_results.txt and WSH events in Application events log.
This will show if the patch bundle itself had a problem (err=27, err=20, etc).
Additionally sometimes the Microsoft software update itself will refuse to install for some reason (wrong version of MSI, for example). In this case look in the Windows Event Viewer under the application log, where the exact command line used will be shown (msiexec /I xxxxxxxxxxxx.msp /qn for example) as well as any error code sent back by Windows Installer. Turn on msiexec debugging (see http://support.microsoft.com/kb/223300) to see more details about the MSI failure. Try running the msiexec command from the particular bundle MSI exec command line without the /s (silent mode) to see if the error appears.
Remediate logs also to %ZENWORKS_HOME%\zpm directory for each remediation attempted.
for example, as a test, run:
"C:\Program Files (x86)\Novell\ZENworks/zpm/Remediate.exe" "MS12-024 Security Update for Windows 7 for x64 (KB 2653956).pls" "5DBE7D3A-54D2-4ABA-BE66-A544655E94DA.plp" -d
To produce the output results of MS12-024 Security Update for Windows 7 for x64 (KB 2653956)_5DBE7D3A-54D2-4ABA-BE66-A544655E94DA_results.txt
To easily generate a text list of installed Windows updates run the following command:
wmic qfe list full >updateslist.txt
wmic qfe list full >updateslist.txt
Superseded patches: When a patch is superseded, Patch Management will automatically disable the patch (grey in ZCC). The patch will not be replaced automatically by superseding patch. In 11.3 and later, the patch details page will show the superseding patch. Prior to 11.3: To find which patch supersedes the disabled patch, Google example: MS12-050 superseded by site:microsoft.com
Cause
Typically remediate errors indicate any of:
-
Bad plp file.
-
Bad pls file.
-
Bad or out of date remediate.exe file.
Compare to known good the three files above to see if there are differences in checksums. If the plp is bad, recache the patch. If the pls file is bad do "update now" of zpm to bring down proper pls files to agents. If remediate.exe is bad, verify the patch agent files bundle. If necessary follow TID https://support.microfocus.com/kb/doc.php?id=7011751to bring down the patch agent files again.
Additional Information
Possible error codes returned in agent log files (including remediate.exe error codes):
| Error | Error Code |
Meaning |
| PPX_SUCCESS | 0 | |
| PPX_ERROR_VARIABLE_CACHE_EXHAUSTED | 1 | Patch signature expression was too complex to be evaluated |
| PPX_ERROR_ARCHIVE_EXTRACT | 2 | Patch .PLS / .PLP file could not be extracted |
| PPX_ERROR_PATCH_OPEN_FAILURE | 3 | Unable to open patch definition data |
| PPX_ERROR_PATCH_BAD_GUID | 4 | Patch signature data was corrupt within the .PLS file |
| PPX_ERROR_PATCH_MANY_APPLICABLE_SIGNATURES | 5 | Patch signature has more than one applicable signature |
| PPX_ERROR_PACKAGE_OPEN_FAILURE | 6 | Unable to open package definition data |
| PPX_ERROR_PACKAGE_BAD_GUID | 7 | Package data was corrupt within the .PLS file |
| PPX_ERROR_PACKAGE_ARCHIVE_INITIALIZE | 8 | Package file could not be used, may be corrupt or missing |
| PPX_ERROR_FILEINFO_OPEN_FAILURE | 9 | Unable to open file information definition data |
| PPX_ERROR_FILEINFO_BAD_GUID | 10 | File information data was corrupt within the .PLS file |
| PPX_ERROR_SIGNATURE_OPEN_FAILURE | 11 | Unable to open signature definition data |
| PPX_ERROR_SIGNATURE_BAD_GUID | 12 | Signature definition data was corrupt within the .PLS file |
| PPX_ERROR_SIGNATURE_PREREQ_CACHE_EXHAUSTED | 13 | Patch prerequisites were too complex to be evaluated |
| PPX_ERROR_FINGERPRINT_OPEN_FAILURE | 14 | Unable to open fingerprint definition data |
| PPX_ERROR_FINGERPRINT_BAD_GUID | 15 | Fingerprint definition data was corrupt within the .PLS file |
| PPX_ERROR_FINGERPRINT_EXPRESSION_SYNTAX | 16 | Expression fingerprint type contains a syntax error |
| PPX_ERROR_FINGERPRINT_FILEROOT_UNSUPPORTED | 17 | File fingerprint type does not support the <root> syntax |
| PPX_ERROR_FINGERPRINT_TYPE_UNSUPPORTED | 18 | Fingerprint type is not supported on this platform |
| PPX_ERROR_SCRIPT_BAD_FILEHANDLE | 19 | Patch installation script could not be run |
| PPX_ERROR_EXTRACT_FILE | 20 | Unable to extract package file(s) |
| PPX_ERROR_INVALID_ROOT_HKEY | 21 | The <root> key specified was invalid |
| PPX_ERROR_WMI_FINGERPRINT_UNSUPPORTED | 22 | WMI fingerprint type is not supported |
| PPX_ERROR_JAVASCRIPT_UNSUPPORTED | 23 | JavaScript installation script is not support on this platform |
| PPX_ERROR_OUT_OF_MEMORY | 24 | Out of memory |
| PPX_ERROR_MISSING_PREREQ_SIGNATURE | 25 | |
| PPX_ERROR_INVALID_PREREQ_LANGUAGE | 26 | |
| PPX_ERROR_EXPIRED_LICENSE_KEY | 27 | (Note the most likely cause for this is a missing or invalid, .PLK file) |
| PPX_ERROR_ENTITLED_FILE_MISSING | 28 | "Entitled" patch files were not provided to the Deploy method |
| PPX_ERROR_ENTITLED_FILE_BAD_CHECKSUM | 29 | "Entitled" files were not correct, may have been corrupted |
| PPX_ERROR_ENTITLED_FILE_WRONG_SIZE | 30 | |
| PPX_ERROR_FINGERPRINT_INVALID_SYSINFO | 31 | |
| PPX_ERROR_FINGERPRINT_EXPRESSION_MISSING_VARIABLE | 32 | |
| PPX_ERROR_PACKAGE_MKDIR_FAILURE | 33 | |
| PPX_ERROR_FINGERPRINT_FILESCAN_UNSUPPORTED | 34 | |
| PPX_ERROR_FINGERPRINT_WMI_ERROR | 35 | |
| PPX_ERROR_RELEVANCE_SCRIPT_SYNTAX | 36 | |
| PPX_ERROR_UNKNOWN | 37 | |
| PPX_ERROR_PACKAGE_REIMPORT | 40 | This means that cabarc could not unpackage the file - make sure cabarc is accessible |
| PPX_ERROR_ENTITLED_FILE_INVALID | 41 | |
| 144 |
remediate.exe is attempting to run a script from a deployed patch bundle and failing, or from an action inside the patch bundle that is running a script and failing. The error should be printed in the corresponding .txt file associated with this patch and in the Windows Application event logs. Also if present look for system temp folder patch-player* logs. | |
| 145 | same as error 144 except that it failed to open the registry to print the script error to the .txt file. | |
| 200 | another instance of remediate is running |