ZPM agent fresh installed

Hi,

On a new devices running Win 10 22h2 i installed ZCM agent 23.4. The device is correctly registered in my Zone, but my patch policy are not working immediately.

It seems to take like 1 or 2 hour in order to have them to work. the device is in a ZCM folder where patch should applied after a refresh

zac ps return ANALYZE_FAILED

the zpm\logs is empty

zac pdp return distribution failed

zac pdc return "the command is not applicable as advanced patch feed is not enabled

Looks like to me that the ZCM agent is build with legacy zpm and it evoves to advanced patch after a delay or an event that i don't know how to trigger.

Any idea ?

Stephane

PS: i have a SR also open on this behaviour

  • 0  

    What is the SR#?

    But FYI.....

    The ZCM Agent does not ship with ZPM files....they come down from a bundle.

    On the PC Run  "zac bv "Discover Applicable Updates WINDOWS-x64"

    Then try your commands.

    The DAU Bundle is what installs the ZPM components, which are independent of the Agent itself.

    Note: If you install the DAU bundle as part of any script that runs "ZAC PS" it will all work right away.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Thank you for the quick reply :

    SR :  02861206

    zac bv command works perfectly and installed as you mention the ZPM part of the ZCM agent.

    What i can see is that the folder where my devices are registered by default is not associated to the DAU bundle. So it is only launch on a different schedule.

    Is the best way for that si to launch "zac bv "Discover Applicable Updates WINDOWS-x64" using a bundle associated to my default folder ?

  • 0   in reply to 

    These are my settings.....

    For the DAU bundle and it seems to work well....

    There are not any actual Launch Actions so its really similar to install.  

    I can't recall if I edited the defaults but this would not cause any issue.

    --

    You may want to check to see what you have here as well...

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    This is what i have :

    I have that because i don't want to launch DAU at agent refresh but one time per day during lunch hour.

    On my particular folder where newly devices are registered i have this :

    I was pretty sure that it was working with previous version of ZPM because we have this settings his for quite a long time now.

    I try to modify it but nothing change for DAU relationship.

    Maybe a bug Slight smile

  • Verified Answer

    +1   in reply to 

    I'm not sure it's a bug  I would not expect changing the ZCC settings to change the DAU schedule.  I've always had to ensure the DAU has run before related commands such as "ZAC PS" would work.  

    Primarily DAU will

    #1 - Install the ZPM Agent Code on the PC via the a Bundle.  This will be a "One Time Event" unless the ZPM code itself is updated.  This is quite rare and may only happen a couple times a year.  This has nothing to do with ZENworks Agent version and is not installed as part of the ZENworks Agent.  So even if the Bundle is set to run on Refresh.....This action is skipped after the very first time the DAU bundle is run on the PC.

    #2 - The Clear and Update 3 XML files on the PC that are used as part of Patch Scanning.  These files are updated when the ZPM "Maintenance Schedule" runs daily and update the bundle.  This normally happens around 1am or 2am.  The bundle is set to "Install Once" per PC.  So of the bundle is launched multiple times....it will not do anything after the first call.

    --

    In my setup....I have the DAU set to run on Refresh.

    So any new PC that joins the zone will immediately get the ZPM code installed.  Regardless of the number of refreshes the code will not come down again unless the ZPM Agent  Bundle is updated....which only happens a couple times a year if that.

    Any existing PCs in the zone that refresh after 1am will get the 3 updated XMLs on first refresh with updated details about new patches.  These files are relatively small and mostly contain updated pointers if necessary.  If the PC refreshes multiple times, the XMLs will not come down again because it is install once.

    --

    In your setup, you have specifically told ZCM to run the DAU during lunch hour.  Hence, new PCs will not get the ZPM code until that time.   This is why you need to run the DAU bundle manually before it works.

    Depending on the other ZPM settings you showed, the devices may or may not properly detect new patches until lunch time.  These settings also tend to apply to scheduled processes and not when you directly run "ZAC PS".

    To me, it would make sense to just tell ZCM to immediately install the ZPM Agent files for new PCs and then the first time the PC checks in after 1am...to bring down 3 XML files.

    If you prefer to only update the 3 XML files during lunch.....You could create a 2nd bundle as "Run Once" so new devices would install the ZPM Agent files.  I 'm just not sure why you want to wait to lunch to update the 3 XML files on existing PCs. 

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Thank you for the clarification. This schedule was setup before advanced patch management. With legacy it was slowing down computers.

    I will change our schedule.

  • 0 in reply to 

    I say there is a bug, because if you change your settings in Security / Vulnerability Detection Schedule it does not change the DAU relationship

  • 0   in reply to 

    There is also a new "zac ps --complete" that will run DAU as part of the patch scan.

    This would work for newly imaged PCs before DAU comes down natively.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0   in reply to 

    Try Running the "Maintenance" manually after changing the Schedule.  It will probably be reflected when the DAU bundle is updated.  It does not update immediately when you make a change in the schedule.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0   in reply to   

    So if you use that command in your bundles....It should work on devices that never ran DAU w/o changing your other DAU schedules if you so choose.  In short....It just incorporates the "ZAV BV DAU" along with a number of other commands for simplicity.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks