After running BSA Windows Patch Analysis a patch is determind to be missing and a BSA Deploy/Remediation job is executed to install the missing patch. Although the remediation job appears to complete successfully, a subsequent run of the analysis job shows the patch is still listed as missing.

 

Legacy ID:KA377574

1. Confirm that the patch(es) in question was part of the Deploy Job - locate the BlDeploy Job and the associated BlPackage for the target server(s) and open the BlPackage and confirm the missing patch(es) is in the BlPackage.
2. On the target server(s) find the bldeploy log in the <rscd install>/Transactions/log directory for the patch deploy and confirm that you see the patch(es) in question being installed.
3. If the patch does not show up in either of the above, then review the Remediation Job (the job that generates the BlPackage and Deploy Job from the analysis results) and see if there are any errors or any indication that the patch in question was added to the BlPackage.
4. If the patch was deployed to the target server then check if the server rebooted - some patches will require a reboot to show as installed.  Check the following registry keys to see if there are any files listed in there associated with the patch.  That confirms a reboot is needed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

       5. In the bldeploy log look for an exit code of 3010 for the particular patch install.  3010 indicates a reboot is needed. Confirm in the Patch Global Confirguration in the BSA GUI that 3010 is listed as a reboot code on the Windows tab.

       6. If a reboot happened during the Deploy Job then in the bldeploy log you should see messages such as:

WARN     bldeploy - Reboot in progress
...
DEBUG    bldeploy - Successfully paused the agent before shutting down the system
INFO     bldeploy - Attempting shutdown REBOOT=true TIMEOUT=0 MSG=System is rebooting

 

The Deploy Job may have been configured to ignore reboots and therefore completed successfully with exit code -4002. In the bldeploy log, you would see something like this:

DEBUG    bldeploy - -jr1

jr1 means the Deploy Job was configured to ignore reboots. More information about the bldeploy arguments is in the bldeploy –h (help) output.
 

WARN     bldeploy - Reboot required but did not occur. Manual reboot needed to complete operation.
DEBUG    bldeploy - Bldeploy done - nRet = 1 (Apply successful; Reboot required to complete) exitCode = -4002 (Deployment succeeded, but requires manual reboot)

 
7. It is possible that the patch was installed but is incorrectly being reported as missing (VMware/Shavlik issue). Then the Deploy Job, upon trying to install this patch, returned a successful exit code when the patch was found not applicable. In this case, rerun the Patch Analysis to confirm whether the patch is still listed as missing. If it is, but it is confirmed the Patch is installed, follow the troubleshooting steps in KA 000099904

Please see the following video for tips on troubleshooting issues where a patch is listed as Missing but appears to be installed: