5 Replies Latest reply on Mar 14, 2016 11:03 AM by fluxblocker

    Missing Patches or Updates


      I ran a repair job on a computer and then scanned it with Microsoft Baseline Security Analyzer.  I only ran MBSA to check for missing updates.  The MBSA scan results said the PC was missing 4 updates; all .NET Framework updates.  So I went to the LDMC and searched for these missing updates - I was trying to add the definitions to the repair group... but the definitions were not there.  I searched using several different criteria and the updates were just not there.


      So I searched the LANDesk Support Communities and found one conversation which was somewhat relevant.  It said that LANDesk uses a different method to determine what patches a computer needs, and that it is more reliable than Microsoft at determining which patches are needed, or something to that effect.  I was hoping I could find a way to download those specific patches into LANDesk and add them to the repair task, but there does not seem to be a way to download specific patches... only the task to download updates in selected categories.


      So the problem is... even if LANDesk knows more about a Windows PC than Microsoft does, (and that would not surprise me) . . . and even if the workstation(s) really don't need those updates (even though MBSA says it does), the computer might be secure, but it is still going to show up on a security audit.  We have a third-party company that performs quarterly security audits and they scan systems with MBSA to make sure the Microsoft patches are up to date.  So it looks like we will either have the security audits show missing updates, or I will need to run Windows Update in addition to using LANDesk to patch systems.  I wish there was a way to go to the core (or the LDMC) and ask it to download any update you want, provided it exists, but there is only the task to download updates based on the categories selected.  Does anyone know of a way to download specific updates and make them available to repair groups?


      Many thanks,

      Sam S.

        • 1. Re: Missing Patches or Updates
          masterpetz ITSMMVPGroup

          Hi Sam,


          The difference between LANDESK and Microsoft patching is the following. A Windows Update scan checks whether there is an entry for a specific update in the registry. If yes, the computer is patched; if not, it's vulnerable.
          That means, if someone exports the patch registry hive from a fully patched computer and imports it to a vulnerable one, Microsoft will see this device as fully patched in the next Windows Update scan even if this device never saw a patch.
          The LANDESK patch mechanism will not only check the registry but also the files, their version and the number of files. So if you patch a device with LANDESK and it repairs successfully, the entry is written to the registry too.
          When you try to repeat the same test from above or replace a patched file with an older one, LANDESK will detect the vulnerability again because the old file doesn't match the patched one, so the computer is vulnerable again.


          Now to your more specific problem: when I mark All items and select "Vulnerabilities" as type in our patch section and search for .NET, I get 187 results. Can you tell us what .NET patches you are missing? I would wonder if LANDESK wouldn't have a definition for your missing ones.

          If you find patches provided by Microsoft and these are really not in LDMS, I would raise a support case and ask for a definition.


          And if there is no definition in LANDESK and they won't create one for whatever reason, you always have the chance to create your own custom definitions. Here are some very good articles to start from:


          Hope it helps.


          Kind regards

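To make the registry-versus-file distinction from the reply above concrete, here is an added simulation (not LANDESK's or Microsoft's code) of the two detection approaches: a registry-only check, and a check that also verifies each file the update ships against a minimum version and file count. The KB number, file paths and versions are constructed sample values.

```python
"""Simulate 'registry-only' vs 'registry + file version' patch detection.

All KB numbers, paths and versions below are constructed placeholders, not
real detection data from any vendor.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '4.0.30319.34209' into (4, 0, 30319, 34209) for ordered comparison."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DetectionRule:
    kb: str                      # registry entry the update writes when installed
    expected_files: dict         # path -> minimum file version shipped by the update


@dataclass
class Host:
    installed_kbs: set           # KB entries present in the registry
    files: dict                  # path -> file version actually on disk


def registry_says_patched(host: Host, rule: DetectionRule) -> bool:
    """Windows-Update style: patched if the registry entry exists."""
    return rule.kb in host.installed_kbs


def files_say_patched(host: Host, rule: DetectionRule) -> bool:
    """File-based style: every expected file must exist at or above its version."""
    for path, min_version in rule.expected_files.items():
        actual = host.files.get(path)
        if actual is None or parse_version(actual) < parse_version(min_version):
            return False
    return True


def assess(host: Host, rule: DetectionRule) -> dict:
    """Report what each method concludes and whether they disagree."""
    reg, fil = registry_says_patched(host, rule), files_say_patched(host, rule)
    return {"registry": reg, "files": fil, "disagree": reg != fil}


# Constructed rule: one .NET-style file that the (placeholder) update replaces.
RULE = DetectionRule("KB0000000", {r"C:\Windows\Microsoft.NET\mscorlib.dll": "4.0.30319.34209"})
PATCHED = Host({"KB0000000"}, {r"C:\Windows\Microsoft.NET\mscorlib.dll": "4.0.30319.34209"})
# Registry hive imported from a patched machine, but the binary was never updated.
HIVE_COPIED = Host({"KB0000000"}, {r"C:\Windows\Microsoft.NET\mscorlib.dll": "4.0.30319.18408"})
# Patched file later replaced with an older copy; registry entry still present.
ROLLED_BACK = Host({"KB0000000"}, {r"C:\Windows\Microsoft.NET\mscorlib.dll": "4.0.30319.1008"})
```

The two hosts with a copied hive or a rolled-back file look patched to the registry check but vulnerable to the file check, which is the behaviour described in the reply.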
          • 2. Re: Missing Patches or Updates

            Thanks for your post!  This is very helpful indeed.


            This is one of the patches that failed (attached).  I am trying to troubleshoot why a repair task is failing, so, on the job that failed, I go to the Security and Patch information, and it says "Install (patch download failure)" in the Action column.  So then I go to the patch itself, and go to Properties.  It says, ID: 2904034_MSU_Manual.  Title: Error code 0x80070003 when a Group Policy preference is applied to Windows 7 clients (2904034).  Under detection rules, it says it is not downloadable.  I don't get why it is in the list of definitions, but it is not downloadable.  Seems it would not be in the list if it could not be downloaded.  So I am just trying to determine if the patch is needed or not, and why it is not downloadable.  There were a couple of other patches that did the same thing.  I am removing them from the repair group for now, since they are causing the task to fail.  But I want to be sure that these patches are not needed, as opposed to just removing the patches from the repair group every time this happens, going forward.


            I have a tech support ticket open, and I will update this post with any useful information I gather from that.


            Best,  Sam



            • 3. Re: Missing Patches or Updates
              masterpetz ITSMMVPGroup

              Hi Sam,


              That clarifies things...

              If the definition has "_Manual" in the name, you have to get the patch directly from Microsoft and copy it to your patch folder. Some patches are not "free" to access even from Microsoft; you have to request them.

              From your screenshot, simply go to the Description tab and you get all the info on how and where to get the patch.


              Kind regards


              • 4. Re: Missing Patches or Updates
                joe.denice Apprentice

                I was just about to say that. It's a hotfix patch that is not needed for everyone. Unless you need this patch to fix something in particular, I would strongly recommend not pushing it out.

                • 5. Re: Missing Patches or Updates

                  Thanks!  That makes perfect sense.  I will do that for the patches that say "Manual" in the name from now on, or if it appears to be a patch that isn't needed, I can just remove it from the repair group.  I always wondered what that "Manual" meant.  Thanks again!