Systems Management Question
Kace not detecting 2018 Windows patches even when Meltdown/Spectre registry key present
02/21/2018 2607 views
I've already solved this, but since Quest support wasn't aware of the issue, I figured I'd post the symptoms and resolution here in hopes of saving someone else from the frustration that I went through this past week.
When running patch detection jobs after February updates were released from Microsoft, I noticed that my 64 bit Windows Servers were still reporting 0 missing updates.
It didn't take long to realize that our antivirus software was not setting the registry key Microsoft requires to enable detection of the updates that include Meltdown/Spectre remediation, so I created a script to push out that registry update. Unfortunately, it didn't change anything as far as Kace patch detection went.
Looking at the device details for a server after it had been scanned revealed that the 2018 updates from Microsoft didn't even appear in the patch list under Device Detail > Security > Patching Detect/Deploy Status > Deployment Status > All.
Reviewing the Kace ProgramData patch directory on a server showed that the .checksum and .pls files for the missing updates were present. The kagent.log files showed that those updates had a detect_status = 2, meaning Not Applicable.
Resolution to follow...
Answer Chosen by the Author
Please log in to answer
Here's the quick version of the fix -
1) Verify that HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat exists and contains a DWORD value of cadca5fe-87d3-4b96-b7fb-a231484277cc with data set to 0.
2) Delete the key HKLM\Software\Patchlink.com\cache
3) Rerun the patch detect job in Kace.
I've attached a screenshot of the Kace script I've been testing to automate the registry updates - use at your own risk and feel free to post improvements here.
For those interested in more details or how I found this, take a look at https://community.ivanti.com/docs/DOC-62968. That article includes a link to a script that sets the Microsoft QualityCompat registry entry and deletes the Patchlink cache. Quest doesn't seem to have this documented despite using the same patch engine.
Answered 02/21/2018 by: bwcarty