New ZCM user here (evaluating ZCM for my company) who has used two VMware instances to deploy ZCM (used installer's Sybase) on a test Win2K3 (SP2) member server as well as one test WinXP Pro (SP2) client. Let me also say that my ZENworks knowledge is literally hours (maybe 1 day now) old.

I started out slowly by picking a vulnerability (Microsoft .NET Framework 2.0 SP1) to manually push out to my lone test client. I walked through the wizard, it said it completed, and I stood back for a while to "watch it in action". I half expected the PC to reboot at some point (as the wizard gave me this impression), and kept checking Add/Remove programs to see if the update was installed... no joy... no reboot... no patch installed.

So I decided to start looking into setting Mandatory Baselines for device groups. Again I started slowly by adding the same lone patch (Microsoft .NET Framework 2.0 SP1) to the baseline for the dynamic workstation group for "WinXP". (Noticed its icon was now Blue, which revealed the "preloaded signature vs downloaded patch" concept; obviously occurring after the manual patch push.) Kept checking Add/Remove programs to see if the update was installed... no joy.

I noticed though that the Vulnerability page for the Dynamic Group was showing counts higher than 1. Found this odd as the group filters for WinXP should have excluded the one server. Decided to check the Server Dynamic Group for Win2K3... same "issue".

So I decided to remove my Dynamic Group Baseline and try to create a workstation group (with baseline) of my own. But after creating the group and adding the lone XP client manually, the Vulnerability tab still showed counts higher than 1. I added my baseline again anyway (Microsoft .NET Framework 2.0 SP1).

I took a break from this and started playing with remote management. I played with the concept of looking for a user in the ZCC, and opening up the "device" page for the PC they were logged into, and loading the RM from there. While on this page though, I happened to click on Relationships and noticed that "Microsoft .NET Framework 2.0 SP1" was listed as a File Bundle with the status of Completed... What? When? Checked Add/Remove programs to see if the update was installed... sure enough it was.

So I returned to the ZCC and reopened the Vulnerabilities and it still read Patched: 0 (expected 1), Not Patched: 2 (expected 0 [or 1 if it is supposed to be global])... I see this no matter how I get to a Vulnerability list... directly off the left nav bar, off a device group for server or workstation, dynamic or manual.

I then got thinking of the other goodies that were on the Windows XP Device's Relationships... Discover Applicable Updates windows-x86-en-xpsp2 was also there, so I looked at its Assignments and noticed that it was configured for "On Refresh"... so I did a Refresh Workstation and checked the Vulnerability lists again... still Patched: 0.

This got me thinking of my Microsoft .NET Framework 2.0 SP1 File Bundle again, also sitting there... so I checked its assignments too... it was also set for "On Refresh"... so might this patch have actually been deployed on a previous Refresh Workstation when I was just playing around? More to add to my confusion...

So let me try to summarize my questions:
  1. Am I wrong to expect that the Patched and Not Patched counts should be specific to the group? or is this a bug?
  2. Should the successful patching have updated the Vulnerability list? or does a DAU need to be executed 1st? Should my Refresh Workstation not have accomplished this?
  3. Seeing as I made 3 attempts to push my lone patch... which one actually worked? Is there a detailed log?
  4. Was I too impatient? How much time should one wait to verify success?
  5. I assume the ad hoc patch I pushed didn't work as it was set to reboot, or does this wizard option only reboot if the patch requires it?
  6. Could an ad hoc Refresh Workstation actually be what pushed out my patch? Not good news for a Mandatory Baseline if so.

Many thanks in advance for your answers & advice.