As part of our patch policy, we deny all Service Packs and most Update Rollups. Some of these denied patches are showing up as "Failed Patches" in the Patch Status (KB976932: Windows 7 Service Pack 1 and KB982861: Windows Internet Explorer 9 for Windows 7). If these patches are denied, why are they showing up as failed?!
I was wondering if anybody else is seeing this as well? Is there something we are not doing right?
Approval levels apply to patches that are processed by Automatic Update. Automatic Update will only ever try to install patches that are approved at the time that the update cycle runs. If a patch fails to install during an Auto Update cycle and, after that cycle, is set to Denied, the patch will not re-attempt installation. However, since it is already marked as failed based on a previous install attempt, it will remain with a status of failed. Changing the approval level from "approved" to "denied" does not negate the failed installation attempt.
Another possibility is that an admin attempted to install the patch using either Machine Update or Patch Update. Either of these options allows the admin to disregard patch policy and attempt to install a patch. If the patch is already denied, an install attempt is made using Machine Update or Patch Update, and that attempt fails, the patch will be marked as failed. It will not reattempt install during Auto Update because the approval policy marks the patch as denied. Auto Update always follows approval policy.
Finally, if a machine is part of one patch policy where the patch is approved, an attempt to install the patch is made but fails and, before successful installation, the endpoint is made a member of a patch policy where the patch is denied, the patch will not attempt to reinstall and will continue to be marked as failed.
The logs gather sufficient information to determine which of these scenarios is true for a particular patch as long as the log retention period extends further than the point in time the changes were made. You can find when patches were approved/denied by policy on the System tab > System Log. You can find changes to a machine's patch policy group or attempts to install patches via Machine or Patch Update under Agent > Agent Logs and selecting the Config Changes log. However, if your retention period is 30 days but the changes happened 31 days (or more) in the past, the info that allows you to determine the reason for the installation attempt will no longer exist, so these types of issues are best investigated at the time they're first discovered.