Update Task Disabled

I need a solution

If there’s a problem in Windows that’s preventing a patch from installing, once the source of the problem is resolved, should the agent retry deployment at my preset patch times?  There was a cryptography issue with installing KB4489885 that affected a few of our desktops so checking on whether I need to take any kind of action in my SMC.

Vulnerabilities Tool Seems Very Off

I do not need a solution (just sharing information)

I think it’s looking only for specific Windows patches as resolution for vulnerabilities, particularly on our Server 2012 machine, which has gotten a lot of rollup patches. Windows Update tells me we are current but the CWP tool is telling me we have a number of vulnerabilities. There is just too much noise here to be useful. It would also be fantastic if you could triage them in some way in the tool and either assign them to users or mark them as handled in some way. Otherwise it all has to come out of the tool.

WITHDRAWN: Hotfix XS70E067 – For XenServer 7.0

This hotfix introduces an issue that prevents newer versions of XenCenter from connecting to XenServer hosts that have XS70E067 applied. As a result, the hotfix was withdrawn on Jun 7, 2019.

Important: If you have already downloaded XS70E067, do not install it on your XenServer 7.0 hosts.

If you have already installed XS70E067, you will experience the following issues:

  • XenCenter 7.1 and later does not connect to XenServer 7.0 hosts that have XS70E067 applied and reports the following error: “This pool contains servers earlier than Citrix Hypervisor 7.0. Please use an earlier version of XenCenter to manage this pool.” To work around this issue, use XenCenter 7.0.1 to connect to these hosts.
  • XenServer 7.0 hosts with XS70E067 applied cannot be upgraded to XenServer 7.1. Do not attempt to upgrade these hosts to a later version of XenServer.

Citrix is working on a hotfix to supersede XS70E067 that will include a fix for the issues introduced by XS70E067.

Deployment and Patch Don’t Always Play Well Together

I need a solution

I’m running 8.5 RU2 with persistent connection, and I love how real time many things are.

I have noticed, though, if I’m deploying an image with many software installs that install as post image tasks, often patch will begin installing titles and this creates a conflict causing my software installs to fail.

For example, we have a technology lab with several Adobe titles, several AutoCAD titles, etc. It can take these image jobs 80+ minutes to complete.

The agent should somehow be smart enough to not allow these install conflicts to happen.  Please don’t suggest I start building fat images building the titles into the image, that’s just bad practice.  If I need to update Photoshop on 3 labs, I don’t want to rebuild 3 images, I just want to update 1 post image task used in the 3 lab imaging jobs.

For now, I’m just disabling all my patch policies when we image those lab machines, but that’s not ideal and a little bit of a security risk as someone needs to re-enable them.

I don’t want to not put the patch plugin on the base image because as soon as it attempts to install, it kills the agent mid whatever it’s doing. I thought about having a dummy file placed at end of image time and then scope the patch plugin to only install on computers with that dummy file, but again I think this would also be a timing issue because existing machines in the console being reimaged would fall into the filter and attempt to install the agent as soon as they come up.

Thoughts?  I am sure I posted this issue before, and I looked through my post history, but couldn’t find it, so I apologize if I’m repeating myself to some.

I’ll put a ticket in as well.

Recommended Hotfixes for XenServer 7.x

Citrix Hypervisor, formerly XenServer, is powered by the Xen Project hypervisor.

This article contains the complete set of recommended updates/hotfixes for XenServer 7.x.

For a list of XenServer Tools/Management Agent/Windows Driver updates, refer to CTX235403 – Updates to Management Agent – For XenServer 7.0 and later

For XenServer 6.x hotfixes, refer to CTX138115 – Recommended Hotfixes for XenServer 6.x

XenServer 7.6 XenServer 7.5 XenServer 7.1 CU2 XenServer 7.0

For more information, refer to the following Knowledge Center articles

Note: Citrix recommends updating the XenServer Console before applying any new hotfixes. All XenServer hotfixes can be applied at the same time; the order in which the hotfixes appear in this article is not an installation order.

Hotfix XS76E003 – For XenServer 7.6

All customers who are affected by the issues described in CTX246572 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No

Hotfix XS75E003 – For XenServer 7.5

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No

Hotfix XS75E005 – For XenServer 7.5

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No

Hotfix XS75E008 – For XenServer 7.5

All customers who are affected by the issues described in CTX246572 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by all customers running XenServer 7.1 CU1, because since March 12, 2019 no further hotfixes will be produced for XenServer 7.1 CU1.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

XenCenter 7.1.3

This release of XenCenter is for customers who use XenCenter as the management console for XenServer 7.1 LTSR. XenCenter 7.1 CU2 is released as part of XenServer 7.1 Cumulative Update 2 and is available only to customers on the Customer Success Services program.

We recommend that you install this version of XenCenter before using XenCenter to update XenServer 7.1 CU1 hosts to XenServer 7.1 CU2.

XS71ECU2

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by customers running XenServer 7.1 LTSR CU1. It includes all previously released XenServer 7.1 CU1 hotfixes. Installation of XS71ECU2 is required for all future functional hotfixes for XenServer 7.1 LTSR.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

Citrix will continue to provide security updates to the base XenServer 7.1 CU1 product for a period of three months from the release date of XenServer 7.1 Cumulative Update 2 (until March 12, 2019). After this three-month period elapses, any new hotfixes released will only support XenServer 7.1 with CU2 applied.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

Content live patchable** No

Hotfix XS71ECU2001 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issue:

  • The XenServer host can experience a memory leak in dom0. This memory leak is triggered by invalid responses to FLOGI messages from connected FCoE equipment.
Content live patchable** Yes

Hotfix XS71ECU2003 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Depending on the guest OS and device, devices passed through to a guest might not function correctly due to missed interrupts.
Content live patchable** No

Hotfix XS71ECU2004 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • If you attempt to reboot a Windows VM from XenServer at the same time as you attempt to reboot the Windows VM from within the VM, the reboot can fail with the following error: “You attempted an operation on a VM that needed to be in state ‘Running’ but was in state ‘Halted’.”
  • Scheduled metadata backups can fail intermittently when the pool backup metadata VDI gets full. The default size of the pool backup metadata VDI has been increased to 500MiB.
  • A VM taking more than 30 seconds to shut down no longer leads to “Domain stuck in dying state after 30s.”
  • While applying a hotfix to a pool, if XAPI restarts on a pool member, it detaches the hotfix update from all hosts in the pool as part of clean-up operations. This can cause the hotfix to fail to apply to other pool members.
Content live patchable** No

Hotfix XS71ECU2007 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Improvements to VM performance and stability.
  • A race condition in XenBus can cause pauses in Windows VM operation, which lead to Timeout Detection and Recovery (TDR) events. The TDR can cause the VM to crash.
  • Under low resource situations, Xennet can consume all of the RAM on a Windows VM. This causes the VM to crash.
  • Windows VMs with the XenVBD driver installed can experience a high number of system interrupts when performing storage operations, especially if you are using fast storage and transferring large amounts of data.

This hotfix also includes the drivers required to support Windows Server 2019 VMs on XenServer 7.1 CU2.

Content live patchable** No

Hotfix XS71ECU2008 – For XenServer 7.1 Cumulative Update 2

All customers who are affected by the issues described in CTX251995 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No

Apply the following hotfixes for XenServer 7.0 and restart XenServer when the hotfix installation is complete.

Hotfix XS70E001 – For XenServer 7.0

This is a XenCenter update (a .exe file) and not a host-side hotfix. This package needs to be installed on the Windows machine running XenCenter.

Hotfix XS70E002 – For XenServer 7.0

All customers who are affected by the CVE-2016-2107 issue described in CTX212736: Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E004 – For XenServer 7.0

Important: This is a critical hotfix for customers running XenServer 7.0. All XenServer 7.0 customers must apply this hotfix.

Hotfix XS70E009 – For XenServer 7.0

This hotfix resolves the following issue:

  • In rare circumstances when a XenServer host is enabling HA, or during a host reboot with HA enabled, the host can fail to establish HA communication with the other hosts. This is due to another process on the host using the listening port required by the HA software.

Update XS70EU001 – Management Agent for XenServer 7.0

The Management Agent update resolves the following issues:

  • Installation of Management Agent can fail after installing newer I/O drivers through Windows Update.
  • Failure to reboot a Windows VM after installing XenServer Tools can result in excessive log entries being written to xensource.log and xenstored-access.log until the VM is rebooted. If customers do not reboot the VM, or delay the reboot, excess logs can fill up the XenServer host log partition.
  • The Management Agent can crash and respawn on systems without a terminal services Windows Management Instrumentation (WMI) object causing high CPU usage and excessive logging in /var/log/daemon.
  • If the Management Agent auto update is enabled after installing XenServer Tools, and a new update is available, the initial auto-update can fail due to a race condition that can cause multiple update attempts to occur simultaneously.

Update XS70EU002 – Management Agent for XenServer 7.0

New versions of the I/O drivers, compatible with Microsoft Windows Server 2016, have been released.

Update XS70EU003 – Management Agent for XenServer 7.0

  • The default behavior of the Management Agent has been improved to enable customers to configure whether any I/O driver updates included in the Management Agent should be applied automatically. For more information, see section 4.3.1 Installing XenServer Tools in the XenServer 7.0 Virtual Machine User’s Guide.
  • This version (v7.1.844) of the Management Agent includes new versions of the I/O drivers that are compatible with Microsoft Windows Server 2016. These drivers have been released previously through the Microsoft Windows Server Update Service. For more information, see Update XS70EU002 – Windows I/O Drivers for XenServer 7.0.

Hotfix XS70E018 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX220112: Citrix XenServer Multiple Security Updates should install this hotfix.

  • This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX219378: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This hotfix supports the improvements to XenServer’s Direct Inspect APIs.

Hotfix XS70E024 – For XenServer 7.0

  • When booting a vGPU provisioned Virtual Machine (VM) from network, an interaction between VGA BIOS and VGA emulation code in the vGPU device model can result in the corruption of the VM console in XenCenter.

Hotfix XS70E027 – For XenServer 7.0

  • When installing XenServer or upgrading XenServer to a newer version, PBIS services get enabled (even when Role-based access control (RBAC) is not used) and display a lot of error messages. Also, this issue consumes a lot of control domain (dom0) resources.

Hotfix XS70E028 – For XenServer 7.0

This hotfix supports the following new guest operating systems.

  • Oracle Linux 6.8
  • Red Hat Enterprise Linux 6.8
  • CentOS 6.8
  • NeoKylin Linux Advanced Server 6.5 (64-bit only)
  • NeoKylin Linux Advanced Server 7.2 (64-bit only)
  • SUSE Linux Enterprise Server 11 SP4

Hotfix XS70E037 – For XenServer 7.0

This hotfix addresses the following issue:

  • When attempting to use XenServer Conversion Manager (XCM) Console to connect to an XCM Virtual Appliance that runs on a slave host, the connection fails and the following message is displayed by the console: “There was a failure communicating with the plugin.” This hotfix ensures that the XCM Console can connect to an XCM Virtual Appliance that runs on any XenServer host.

Hotfix XS70E041 – For XenServer 7.0

This hotfix resolves the following issue:

  • When using SSH to connect to XenServer, a user might experience a memory leak in systemd on XenServer.

Hotfix XS70E048 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E052 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX232655 – Citrix XenServer Multiple Security Updates should install this hotfix. This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

Hotfix XS70E061 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0.

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E062 – For XenServer 7.0

This hotfix resolves the following issues:

  • Virtual machines (VMs) configured with in-guest software RAID may fail to cleanly shut down or restart.
  • After taking a disk-only snapshot for a VM running in the pool, users randomly fail to access the Virtual Hard Disk (VHD) when trying to unpause the VM, and the VM stops responding. This is caused by a race condition in the Linux Logical Volume Manager (LVM).
  • After rebooting, a XenServer host can fail to connect to iSCSI targets on Compellent arrays.
  • When Intellicache mirroring fails due to ENOSPC on shared storage, the VBD image list gets truncated to point to itself. This causes an infinite loop and can lead to the I/O datapath stopping and subsequently VMs freezing.
  • When a pool master node executes multi-step plugins on the pool member nodes after important events such as coalesce, the plugin continues to execute through all its steps even if one of the previous steps has failed. This can lead to complications such that the other VDI operations are permanently blocked with OTHER_OPERATION_IN_PROGRESS.
  • After deleting a snapshot on a pool member that is not the pool master, a coalesce operation may not succeed. In such cases, the coalesce process can constantly retry to complete the operation, resulting in the creation of multiple RefCounts that can consume a lot of space on the pool member.
  • The storage cleanup process initiated after a VDI destroy can conflict with ongoing VDI copy processes (including Storage XenMotion), causing subsequent operations on the SR to fail.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E063 – For XenServer 7.0

This hotfix resolves the following issues:

  • High Availability (HA) enabled VMs can take longer to restart after a HA failover.
  • In rare cases, when a XenServer host in a pool is restarted, it may not be able to rejoin the pool.
  • In rare cases, attempts to shut down a XenServer host in a pool may not succeed.
  • On HA-enabled pools, when a task is initiated after a XenServer host has failed, VMs running on the host can take longer (about 10 minutes) to restart. This issue occurs when a task is assigned to the host after it has failed, but before XAPI is aware of the host failure. In such cases, the task doesn’t get cancelled even when XAPI is notified about the failure, causing delays in restarting the VMs.
  • When migrating VMs that have Dynamic Memory Control (DMC) enabled, the VM shutdown operation can unexpectedly fail. This is caused by reducing memory allocation before shutdown and this operation taking longer than expected.
  • On Nutanix hosts, the host’s memory-overhead is miscalculated after first boot. This is because XAPI calculates the available host RAM on startup assuming no domains other than the XenServer Control Domain are running. On first boot this is true but on subsequent boots, the Nutanix Controller VM (CVM) is started before XAPI.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E065 – For XenServer 7.0

This hotfix resolves the following issues:

  • A race condition caused Windows VMs to hang repeatedly and give an error with Event ID 129: “StorPort detected a SRB timeout, and issued a reset”.
  • XenVBD can consume 100% of a vCPU and can block other processes from using that vCPU.
  • If a restart is performed without clicking on the Yes or No buttons of the restart to complete installation dialog box, the dialog box continues to appear even after restarting the VM.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E066 – For XenServer 7.0

All customers who are affected by the issues described in CTX246572 – Citrix XenServer Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

This hotfix also includes the following previously released hotfixes:

Patching Office 2016 That Is Not In Image

I need a solution

We currently do not install Office 2016 in our image. We install it after we log in with the domain user after imaging. We are in the process of switching over to Patch Management Solution with SMP from WSUS. My question is, how do I handle Office updates? Right now I do not have the updates packaged into the installer of Office 2016 because it drastically slows down the install on a machine, which means that whenever we first install it on a station it shows that it requires nearly 50 patches from SMP just for Office. Should I create a single policy that contains all 50 policies and assign it to all machines that have Office, then continue to add all new updates to the same policy to help freshly built machines? My initial thought with other updates was to create a single policy with just this month’s updates.

To begin with we’re only going to be patching the OS and Office, so I was just going to create a single policy with this month’s updates and push it to all stations after piloting of course, but if I do that I’m not sure if that will mess with a newly built station that is missing Office updates from a year ago. Would anyone mind shedding some light on best practices for handling this situation? I think that I have an idea as to how to manage patches on a machine that is up to date, but I’m confused on managing a machine that requires updates from months ago.

Thank you.
