Overview of Three Strikes the Patch is Out in ZENworks

  • 7017089
  • 17-Dec-2015
  • 04-Jun-2021

Environment

Novell ZENworks Configuration Management 11.4.1

Situation

This is an overview of the "three strikes the patch is out" capability in Novell ZENworks. It is a new feature added to ZENworks Patch Management (ZPM) to stop patch policies from continually re-applying a patch that fails to apply.

Resolution

This can happen in multiple scenarios. The most likely scenario is that the vendor releases a bad patch, or there is software on the system preventing the patch from being applied. In this scenario, ZPM still needs to attempt all the good patches, but after three tries that fail to apply a bad patch, that patch needs to go into quarantine for just that endpoint. Furthermore, if the patch fails to apply, a reboot should not happen.

If the patch installs successfully but still reports as not patched, then a retry will occur following the reboot. This process repeats three times. On the fourth (and subsequent) attempts, ZPM will skip the deployment and log specific messages in the zmd-messages.log file to indicate that the bad patch has been quarantined.

Example:

The patch 'Windows Defender Definition Update 1.207.1501.0 (September 30, 2015)' can be installed successfully, but it cannot be changed to the patched state due to a problem with the patch content.

Testing setup:

  1. Create a patch policy with two patches: 'Windows Defender Definition Update 1.207.1501.0 (September 30, 2015)' and another normal patch that supports reboot and can be changed to the patched state.
  2. Publish this Patch Policy and run zac pap on the agent platform.
  3. When the reboot dialog window appears, click the Reboot button and allow the machine to reboot.
  4. After the reboot, run zac pap another three times. Open the log file and observe the "Patch is in quarantine <patch policy name>" statement.

Actual result:

Installation progress is displayed in a progress bar each time zac pap is run. Notice that the first three runs of zac pap take noticeably longer, while the fourth is considerably faster. This is because the patch deployment is skipped on the fourth (and subsequent) attempts and no reboot occurs.

Log File Information:

The zmd-messages.log file will contain the following two log statements to aid in diagnostics:
[Patch]… "Item is not applicable or already patched:  <itemID>"
[Patch]… "Patch is in quarentine <patch policy name>" 

Note:  Later versions will show proper spelling in the log:

[Patch]… "Patch is in quarantine <patch policy name>" 


Patch State Persistence:

The three strikes patch state is persisted. To apply the patch again in the future, one of the following actions can be performed to reset the patch state:

  1. Update the patch via an "Update Now" subscription request and the "Update cache" action on the patch.
  2. Perform the patch Deploy Remediation action again.
  3. To troubleshoot further, delete or modify the file DeploymentResult.xml located at %ZENWORKS_HOME%\zpm\ and restart the agent or reboot. Then redeploy the deployment or patch policy to get the original cause of the failure.

Note: On ZENworks 2020 and later there is a Quick Task in ZCC to release quarantined patches.

Additional Information

The DeploymentResult.xml count is incremented when the patch has been applied successfully via the remediate action (the txt file in the ZPM folder shows SUCCESS). If subsequent scans do not show it as patched in the .state file, the patch policy will keep trying to deploy the patch until the count of 3 is reached.

NOTE: The patch scan can fail to detect the device as patched if the device has not been rebooted since the remediation was done. If devices do not reboot after patches are applied, the count can still increment and the patch can go into quarantine purely because of the missed reboot. Devices should always reboot after applying patches that require a reboot; otherwise scans may return incorrect results.
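The Resolution and Additional Information sections above describe the counting logic in prose. The following is an added illustrative model of that logic in Python, not ZENworks code: the per-endpoint count kept in DeploymentResult.xml, the .state file and zmd-messages.log are replaced by in-memory stand-ins, and the Patch, Endpoint and runs_until_settled names are assumptions. It treats every deployment attempt as a strike, requests a reboot only after a reported SUCCESS, and reproduces the no-reboot failure mode described in the NOTE above.

```python
from dataclasses import dataclass, field

MAX_STRIKES = 3  # deployment attempts allowed before the patch is quarantined on this endpoint

@dataclass
class Patch:
    name: str
    installs_ok: bool  # does remediation report SUCCESS (the txt file in the ZPM folder)?
    verifiable: bool   # can a post-reboot scan ever mark it patched in the .state file?

@dataclass
class Endpoint:
    counts: dict = field(default_factory=dict)  # stands in for DeploymentResult.xml
    patched: set = field(default_factory=set)   # stands in for the .state file
    pending_reboot: set = field(default_factory=set)
    log: list = field(default_factory=list)     # stands in for zmd-messages.log

    def reboot(self):  # a completed reboot is what lets the next scan see an install as patched
        self.patched |= self.pending_reboot
        self.pending_reboot.clear()

    def run_zac_pap(self, policy, patches):
        """One 'zac pap' run against a policy. Returns (deployed, skipped, reboot_requested)."""
        deployed, skipped, reboot = [], [], False
        for p in patches:
            if p.name in self.patched:
                self.log.append(f"Item is not applicable or already patched: {p.name}")
                continue
            if self.counts.get(p.name, 0) >= MAX_STRIKES:  # strike four: skip it, no reboot
                self.log.append(f"Patch is in quarantine {policy}")
                skipped.append(p.name)
                continue
            # Every deployment attempt is a strike; only a reported SUCCESS asks for a reboot.
            self.counts[p.name] = self.counts.get(p.name, 0) + 1
            deployed.append(p.name)
            if p.installs_ok:
                reboot = True
                if p.verifiable:
                    self.pending_reboot.add(p.name)
        return deployed, skipped, reboot

def runs_until_settled(patch, reboot_when_asked):
    """Repeat 'zac pap'; return the run on which the patch was verified patched or quarantined."""
    ep = Endpoint()
    for run in range(1, 10):
        _, skipped, wants_reboot = ep.run_zac_pap("Test Policy", [patch])
        if skipped:
            return run, "quarantined"
        if wants_reboot and reboot_when_asked:
            ep.reboot()
        if patch.name in ep.patched:
            return run, "patched"
    return None, "undecided"
```

Running the model with a good patch but reboot_when_asked=False shows the same fourth-run quarantine as a genuinely bad patch, which is why the NOTE insists on rebooting before trusting scan results.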