Troubleshooting Patch management Remediation Problems on managed agent

  • 7001089
  • 04-Aug-2008
  • 09-Nov-2017


Novell ZENworks 10 Configuration Management Patch Management
Novell ZENworks 11 Configuration Management Patch Management


Assuming that the vulnerabilities were cached, and that the zpm bundles content is available, and that the DAU was run and vulnerabilities were reported for a managed agent, and that the remediation bundle was assigned, how do you troubleshoot problems with remediation failing on the workstation?


Component Name: Patch Management for information on which logs to collect from the managed device.  Additionally look in zpm directory on the agent to find the result file *plp_results.txt and WSH events in Application events log.
This will show if the patch bundle itself had a problem (err=27, err=20, etc). 
Additionally sometimes the Microsoft software update itself will refuse to install for some reason (wrong version of MSI, for example).  In this case look in the Windows Event Viewer under the application log, where the exact command line used will be shown (msiexec /I xxxxxxxxxxxx.msp /qn for example) as well as any error code sent back by Windows Installer.  Turn on msiexec debugging (see to see  more details about the MSI failure.  Try running the msiexec command from the particular bundle MSI exec command line without the /s (silent mode) to see if the error appears.
Remediate logs also to %ZENWORKS_HOME%\zpm directory for each remediation attempted.
for example, as a test, run:
"C:\Program Files (x86)\Novell\ZENworks/zpm/Remediate.exe" "MS12-024 Security Update for Windows 7 for x64 (KB 2653956).pls" "5DBE7D3A-54D2-4ABA-BE66-A544655E94DA.plp" -d
To produce the output results of MS12-024 Security Update for Windows 7 for x64 (KB 2653956)_5DBE7D3A-54D2-4ABA-BE66-A544655E94DA_results.txt
To easily generate a text list of installed Windows updates run the following command: 
wmic qfe list full >updateslist.txt
Superseded patches:  When a patch is superseded, Patch Management will automatically disable the patch (grey in ZCC).  The patch will not be replaced automatically by superseding patch.  In 11.3 and later, the patch details page will show the superseding patch.  Prior to 11.3:  To find which patch supersedes the disabled patch,  Google example: MS12-050 superseded by


Typically remediate errors indicate any of:
  1. Bad plp file.
  2. Bad pls file.
  3. Bad or out of date remediate.exe file.

Compare to known good the three files above to see if there are differences in checksums.  If the plp is bad, recache the patch.  If the pls file is bad do "update now" of zpm to bring down proper pls files to agents.  If remediate.exe is bad, verify the patch agent files bundle.  If necessary follow TID bring down the patch agent files again.

Additional Information

 Possible error codes returned in agent log files (including remediate.exe error codes):
 Error  Error Code
 PPX_ERROR_VARIABLE_CACHE_EXHAUSTED  1  Patch signature expression was too complex to be evaluated
 PPX_ERROR_ARCHIVE_EXTRACT  2  Patch .PLS / .PLP file could not be extracted
 PPX_ERROR_PATCH_OPEN_FAILURE  3  Unable to open patch definition data
 PPX_ERROR_PATCH_BAD_GUID  4  Patch signature data was corrupt within the .PLS file
 PPX_ERROR_PATCH_MANY_APPLICABLE_SIGNATURES  5  Patch signature has more than one applicable signature
 PPX_ERROR_PACKAGE_OPEN_FAILURE  6  Unable to open package definition data
 PPX_ERROR_PACKAGE_BAD_GUID  7  Package data was corrupt within the .PLS file
 PPX_ERROR_PACKAGE_ARCHIVE_INITIALIZE  8  Package file could not be used, may be corrupt or missing
 PPX_ERROR_FILEINFO_OPEN_FAILURE  9  Unable to open file information definition data
 PPX_ERROR_FILEINFO_BAD_GUID  10  File information data was corrupt within the .PLS file
 PPX_ERROR_SIGNATURE_OPEN_FAILURE  11  Unable to open signature definition data
 PPX_ERROR_SIGNATURE_BAD_GUID  12  Signature definition data was corrupt within the .PLS file
 PPX_ERROR_SIGNATURE_PREREQ_CACHE_EXHAUSTED  13  Patch prerequisites were too complex to be evaluated
 PPX_ERROR_FINGERPRINT_OPEN_FAILURE  14  Unable to open fingerprint definition data
 PPX_ERROR_FINGERPRINT_BAD_GUID  15  Fingerprint definition data was corrupt within the .PLS file
 PPX_ERROR_FINGERPRINT_EXPRESSION_SYNTAX  16  Expression fingerprint type contains a syntax error
 PPX_ERROR_FINGERPRINT_FILEROOT_UNSUPPORTED  17  File fingerprint type does not support the <root> syntax
 PPX_ERROR_FINGERPRINT_TYPE_UNSUPPORTED  18  Fingerprint type is not supported on this platform
 PPX_ERROR_SCRIPT_BAD_FILEHANDLE  19  Patch installation script could not be run
 PPX_ERROR_EXTRACT_FILE  20  Unable to extract package file(s)
 PPX_ERROR_INVALID_ROOT_HKEY  21  The <root> key specified was invalid
 PPX_ERROR_WMI_FINGERPRINT_UNSUPPORTED  22  WMI fingerprint type is not supported
 PPX_ERROR_JAVASCRIPT_UNSUPPORTED  23  JavaScript installation script is not support on this platform
 PPX_ERROR_OUT_OF_MEMORY  24  Out of memory
PPX_ERROR_EXPIRED_LICENSE_KEY  27  (Note the most likely cause for this is a missing or invalid, .PLK file)
 PPX_ERROR_ENTITLED_FILE_MISSING  28  "Entitled" patch files were not provided to the Deploy method
 PPX_ERROR_ENTITLED_FILE_BAD_CHECKSUM  29  "Entitled" files were not correct, may have been corrupted
 PPX_ERROR_PACKAGE_REIMPORT  40  This means that cabarc could not unpackage the file - make sure cabarc is accessible
 remediate.exe is attempting to run a script from a deployed patch bundle and failing, or from an action inside the patch bundle that is running a script and failing. The error should be printed in the corresponding .txt file associated with this patch and in the Windows Application event logs.  Also if present look for system temp folder patch-player* logs.   

145 same as error 144 except that it failed to open the registry to print the script error to the .txt file.

200 another instance of remediate is running