Radia - General Discussions

Jim Longo
How to create an acquisition job without updating the wsusscn2.cab file / Custom XML

 In some instances it is not necessary to update the wsusscn2.cab file on each acquisition. For instance, custom XML files are independent of the wsusscn2.cab file. Also, if you run multiple acquisitions on or after Patch Tuesday and the wsusscn2.cab file is current, the subsequent acquisitions can skip the download and extraction of the current wsusscn2.cab file until the next update.

 The following example is for custom XML files to acquire and manage third party content, however, the syntax to skip the wsusscn2.cab file can be applied to any acquire job.


 Copy the custom XML files into the data/PatchManager/patch/custom folder prior to acquisition. 


1.> Create a new custom acquisition job named custom. This can be reused to acquire custom content by updating the Bulletins with the bulletin IDs to be acquired.

2.> In the Command Line Overrides section add the following syntax to disable the wsusscn2.cab file update. This will speed up the acquire process by bypassing the wsusscn2.cab file download and extraction.




3.> Enter the bulletins to be acquired separated by a comma. In this example we are using 2 custom bulletins to manage Notepad++ and FileZilla via Radia Patch Manager.

4.> Set Force and Replace to Y to automatically update the CSDB with the latest bulletin data. Only use Force and Replace set to Y when re-acquiring specific content, otherwise set both to N.

5.> Set acquire Microsoft patches to Yes.

6.> Run the acquire and check the CSDB editor for the bulletins.

0 3
Exporting published packages
Hi there, is there a way to export the published packages in Radia?
2 2
Brian Jakubowsky
BitLocker PIN disable on Radia Reboot

There was some discussion at the Radia Summit about getting Radia to not prompt for a BitLocker PIN upon reboot. I thought I would share what we do. We basically configure a "Post Connection Script" (EXBEXIT) in COP. As part of that we run this code. It is partial and written in Winbatch but I think you will get the point. Basically, it is determining if Radia will reboot. If so, it uses the Microsoft utilities to read if PIN and TPM are enabled. If so, it runs the code to disable the PIN entry for one reboot. The only drawback that we live with is if the user cancels reboot, the PIN will not be prompted for on the next reboot (which could be a while). However, our security team was fine with the risk as the device is still encrypted, there is just no PIN for one boot.

; Partial excerpt: hLogFile, BootType, WinDir and GetStdOut come from the rest of the script (not shown)
FileWrite(hLogFile,StrCat(DateTime(),@tab,"Reboot (RADSETUP.BOOTTYPE) is ",BootType))
if BootType <> "N"
 FileWrite(hLogFile,StrCat(DateTime(),@tab,"A reboot is required. Running command to determine if PIN should be disabled on next reboot"))

 ManageBDE = StrCat(WinDir,"\system32\manage-bde.exe") ; Default Location for 32-bit via Radia
 if FileExist(StrCat(WinDir,"\sysnative\manage-bde.exe"))
  ManageBDE = StrCat(WinDir,"\sysnative\manage-bde.exe") ; if 64-bit, this is the location
 endif

 if FileExist(ManageBDE)
  ; List the key protectors on C: and look for the TPM AND PIN protector
  output = GetStdOut(StrCat(ManageBDE," -protectors -get c:"))
  if StrIndexNc(output,"TPM AND PIN",1,@FWDSCAN)
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"TPM AND PIN Found"))
   ; Disable the protectors so the next boot does not ask for the PIN
   RunShell(ManageBDE, "-protectors -disable c:", "", @HIDDEN, @WAIT)
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"Disabled PIN entry for next boot"))
  else
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"TPM AND PIN NOT Found, not running command to disable PIN"))
  endif
 else
  FileWrite(hLogFile,StrCat(DateTime(),@tab,"Can not find manage-bde (key bitlocker file)"))
 endif
endif


4 2
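Added example, not part of the post above: a follow-up check for the drawback the post mentions, where a cancelled reboot leaves PIN entry disabled. It classifies the "Protection Status" line of `manage-bde -status c:` output; the sample outputs are constructed and the English line format is an assumption.

```python
import re

# Constructed samples in the shape of English `manage-bde -status c:` output
# (assumed format, not captured from a real machine).
SAMPLE_SUSPENDED = """\
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off (1 reboots left)
    Key Protectors:
        TPM And PIN
        Numerical Password
"""
SAMPLE_ON = SAMPLE_SUSPENDED.replace("Protection Off (1 reboots left)", "Protection On")
SAMPLE_NO_COUNTER = SAMPLE_SUSPENDED.replace(" (1 reboots left)", "")

STATUS = re.compile(
    r"^\s*Protection Status:\s*(Protection (?:On|Off))"
    r"(?:\s*\((\d+) reboots? left\))?\s*$",
    re.MULTILINE | re.IGNORECASE,
)

def parse_status(text):
    """Return protected (bool), reboots_left (int or None), tpm_and_pin (bool)."""
    m = STATUS.search(text)
    if m is None:
        raise ValueError("no 'Protection Status' line found")
    return {
        "protected": m.group(1).lower().endswith("on"),
        "reboots_left": int(m.group(2)) if m.group(2) else None,
        # Same case-insensitive substring test the post's script applies
        # to the -protectors -get output.
        "tpm_and_pin": "tpm and pin" in text.lower(),
    }

def classify(text):
    """'ok', 'suspended-counted' (resumes after N boots) or 'suspended-open-ended'."""
    state = parse_status(text)
    if state["protected"]:
        return "ok"
    if state["reboots_left"]:
        return "suspended-counted"
    return "suspended-open-ended"  # no reboot counter shown: worth a closer look

if __name__ == "__main__":
    for label, sample in (("on", SAMPLE_ON), ("after script", SAMPLE_SUSPENDED),
                          ("no counter", SAMPLE_NO_COUNTER)):
        print(f"{label:13} -> {classify(sample)}")
```
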
John Edmondson
9.1 Client upgrade package contains a zstop that does not work with v7.9 clients.

In the service RCA_AGENT_0910_UPGRADE_WIN
(which comes with 9.1 media for client upgrade purposes)
contains a zstop for client version which is EDMGETV(ZMASTER,ZPKGRELI)>='V0910.20140131'
unfortunately, the version in ZPKGRELI for version 7.9.x (we have 7.9.6 and 7.9.8 clients) shows as
V7 is NOT less than V09 and so the zstop takes effect, and the package does not install.

Before we reinvent the wheel to fix it: has anyone already run into this, and if so, how did you deal with it?

2 2
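Added example, not part of the post above and not Radia expression syntax: it shows why the zstop's string comparison treats a release string starting with "V7" as greater than 'V0910.20140131', next to a zero-padded comparison that orders the releases numerically. The V<digits>.<yyyymmdd> shape and the 7.9.6 and 9.0 sample values are assumptions constructed for the demonstration.

```python
import re

# Literal from the zstop expression quoted in the post.
THRESHOLD = "V0910.20140131"

# Assumption: ZPKGRELI looks like V<release digits>.<yyyymmdd>, the shape of the
# 9.1 literal. The 7.9.6 and 9.0 values are constructed, not real agent data.
SAMPLE_CLIENTS = {
    "7.9.6 agent (constructed)": "V796.20120101",
    "9.0 agent (constructed)": "V0900.20130601",
    "9.1 agent": THRESHOLD,
}
RELEASE = re.compile(r"^V(\d{1,4})\.(\d{8})$")

def stops_lexical(zpkgreli, threshold=THRESHOLD):
    """The zstop as written: plain string order, compared character by character."""
    return zpkgreli >= threshold

def first_difference(a, b):
    """(index, char_a, char_b) at the first position where the strings differ."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, x, y
    return None

def release_key(value, width=4):
    """Zero-pad the release digits so that string order matches numeric order."""
    m = RELEASE.match(value)
    if m is None:
        raise ValueError(f"unrecognised ZPKGRELI value: {value!r}")
    return m.group(1).zfill(width), m.group(2)

def stops_normalised(zpkgreli, threshold=THRESHOLD):
    """Stop only when the client release really is at or above the threshold."""
    return release_key(zpkgreli) >= release_key(threshold)

def report(clients=SAMPLE_CLIENTS):
    """Map each sample client to (zstop as written, normalised comparison)."""
    return {name: (stops_lexical(v), stops_normalised(v)) for name, v in clients.items()}

if __name__ == "__main__":
    for name, (lexical, normalised) in report().items():
        print(f"{name:27} as written: {lexical!s:5}  normalised: {normalised}")
    # '7' sorts after '0' at index 1, which decides the whole comparison
    print(first_difference("V796.20120101", THRESHOLD))
```
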
Andres Alpizar
HPCA Core v 8.1: Reporting changes PRIMARY.SECURITY even when there were not changes.


In Client Automation Enterprise (CAE), when running a dmabatch to sync the core with satellites, sometimes some changes are reflected for the PRIMARY.SECURITY Domain in the sync.log, even though this domain is not in use.









Every time the core server/Tomcat server is restarted, the default packages (SCAP, Vulnerability) get published into the CSDB even though they have already been published.

And if the first dmasync is done just after the restart, these logs get generated even though there is no usage or change of the security domain.

 This can be verified with the steps below.

1) On core machine stop all the services except the Configuration Server and DCS service.

2) Run a dmabatch sync from satellite, and check logs. The logs will not contain any of primary.security domain changes as no default package data is published to core CSDB.

3) Start the core service/Tomcat service and then do the dmabatch. The logs will have primary.security domain changes.

 This process is part of the design and this is expected behavior.


To avoid these repeated logs, the promotion of the default packages should be stopped.

This can be achieved by:


1) Once these packages get published into the CSDB, if they are removed from the priming folder, the promote will not happen again and again.


2) Stop the Tomcat server, then take a backup of <CA-installed dir>\VulnerabilityServer\content\priming\services

3) Remove the content from the <CA-installed dir>\VulnerabilityServer\content\priming\services folder.

4) Start tomcat server

0 2
Vinod Kumar
Branch Cache


Is there any best practice available to use the branch cache technology along with Radia, or any third-party tool recommended?



2 2
Salish Gopi
How to Recover,Export and Import the OpenLDAP database

To Recover the OpenLDAP database:

1. Stop the RCA Directory service service.

2. Open the command prompt and navigate to the directory


3. Run the following command:

db_recover -cef -h database\rmp


To Export the OpenLDAP database:

1. Stop the RCA Directory service service.

2. Open the command prompt and navigate to the directory


3. Run the following command:

slapcat -f slapd.conf -l openldapP.ldif


To Import the OpenLDAP database:

1. Stop the RCA Directory service service.

2. Rename the existing rmp folder (<InstallDir>\Directoryservice\Database\rmp).

3. Create a new rmp folder.

4. Copy the DB_CONFIG file from the existing rmp folder to the new folder.

5. Open the command prompt and navigate to the directory <InstallDir>\Directoryservice.

6. Run the following command:

slapadd -f slapd.conf -l openldapP.ldif

7. Restart the directory services.

0 2
Jim Longo
Windows 10 1709 to 1803 Branch Update using Radia Patch Manager

 A Radia customer recently asked if Radia Patch Manager can be used to manage Windows 10 Branch Updates. 


 The short answer is yes, it is possible to use Radia Patch Manager to update Windows 10 to a newer branch but it may be more advantageous to use Radia Software or OS Manager to manage Windows 10 Branch Updates because there is more functionality built into Software/OS Management processes.


 Radia Patch Manager is more of a drop and run scenario where Radia Patch Manager delivers the Branch Update Media and a script to initiate the update. This can be done with 2 services to deliver the content and execute the update on separate occasions, or a single service to deliver and execute the update at the same time.  


 Below is an overview of using Radia Patch Manager to deliver the Branch Update media, a script to execute the Branch Update, and a custom descriptor file to acquire/manage the delivery of a Branch Update.


 While this is not considered to be the best way of updating Windows 10 Branch Updates, this example provides some insight into the flexibility of Radia Patch Manager to provide custom content delivery and execution.


 Windows 10 Branch Update  overview:


1.>   Download and execute the latest MediaCreationTool.

2.>   Extract Windows.iso, rename the Windows folder to Windows_1803_ESD

3.>   Use component select mode to publish WINDOWS_1803_ESD to the PATCHMGR Domain. (For this example, folder renamed to Windows_1803_ESD and location is C:/temp).


4.>   The Windows_1803_ESD service should now be present in the PATCHMGR.ZSERVICE Domain. The service will deliver the media to the agent if the media doesn’t exist. The media can be staged on the agent in the c:/temp/Windows_1803_ESD folder using a custom Patch service, or a compiled script to copy the media to the agent over the Network prior to the install event. The install event and media delivery can be run separately in different Patch services.


5.>   Create, compile and acquire the installation script using a custom Descriptor file to manage Windows 1803. (.vbs compiled to .exe). Modify the command line with the desired install options, Example: include /Noreboot to stop the automatic reboot after the Branch Update is installed.






6.>   The MSBU-WIN1803 Patch service should now be present in the CSDB. In this example, only Windows 10 1607/1703/1709 systems are applicable and will execute if ReleaseID is not set to 1803 in the registry.

7.>   In the PATCHMGR Domain locate the MSBU_WIN1803 service, right click/show connections, locate and drag Windows_1803_ESD service onto the MSBU_WIN1803 service.


8.>   Assign MSBU_WIN1803 in Policy and run a patch connect from a Windows 10 1709 system.


9.>   The MSBU_WIN1803 will be at risk since the ReleaseID is not set to 1803 and the sub service WINDOWS_1803_ESD will deliver the OS. Once WINDOWS_1803_ESD is delivered MSBU_WIN1803 will execute installing/upgrading Windows 10 to 1803.


 And finally the compliance reporting.


1 1
Jim Longo
Acquisition server data clean-up

Radia Patch Manager users who do not use the metadata model will acquire patch data into the Acquisition server. This data is not automatically deleted after the acquire process publishes content into the CSDB. Over time this data can build into several hundred GB.

NOTE:  MS-KB890830 (Microsoft Malicious Removal Tool) is a static bulletin ID so this data will be re-downloaded if deleted. For this reason the MS-KB890830 folder can be left in place. 

 Once this data is published to the CSDB the data can be deleted using the following steps.

  • On the acquisition server, navigate to the data/PatchManager/patch/Microsoft folder.
  • Delete only the folders that contain the patch content. (Example: MS15, MS16, MS17, MS-KB).
  • Do not delete the bulletins (.xml) or the wsus/wua folders.


0 1
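Added example, not part of the post above: a dry-run planner for the clean-up steps, which selects only patch-content folders and leaves the bulletin .xml files, the wsus/wua folders and MS-KB890830 in place. The folder-name pattern and the sample tree are assumptions built from the names the post gives.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Kept per the post: the wsus/wua folders and the static MS-KB890830 bulletin
# folder (its content would only be downloaded again).
KEEP_DIRS = {"wsus", "wua", "ms-kb890830"}
# Assumption: patch-content folders start like the post's examples
# (MS15, MS16, MS17, MS-KB): "MS" + two digits, or "MS-KB".
CONTENT_DIR = re.compile(r"^MS(\d{2}|-KB)", re.IGNORECASE)

def dir_size(path):
    """Total size in bytes of the regular files below path."""
    return sum(f.stat().st_size for f in path.rglob("*") if f.is_file())

def plan_cleanup(microsoft_dir):
    """List (folder, bytes) for every patch-content folder that may be deleted."""
    plan = []
    for entry in sorted(microsoft_dir.iterdir()):
        if entry.is_symlink() or not entry.is_dir():
            continue  # bulletin .xml files and links are never touched
        if entry.name.lower() in KEEP_DIRS:
            continue
        if CONTENT_DIR.match(entry.name):
            plan.append((entry, dir_size(entry)))
    return plan

def run_cleanup(microsoft_dir, delete=False):
    """Dry run by default; returns the bytes reclaimed (or reclaimable)."""
    total = 0
    for folder, size in plan_cleanup(microsoft_dir):
        total += size
        if delete:
            shutil.rmtree(folder)
    return total

def build_sample_tree(root):
    """Constructed stand-in for data/PatchManager/patch/Microsoft."""
    ms = root / "Microsoft"
    for name in ("MS15-093", "MS-KB4516655", "MS-KB890830", "wsus", "wua"):
        (ms / name).mkdir(parents=True)
        (ms / name / "payload.bin").write_bytes(b"x" * 10)
    (ms / "MS15-093.xml").write_text("<Bulletin/>")
    return ms

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ms = build_sample_tree(Path(tmp))
        for folder, size in plan_cleanup(ms):
            print(f"would delete {folder.name} ({size} bytes)")
        print("reclaimed:", run_cleanup(ms, delete=True))
        print("left:", sorted(p.name for p in ms.iterdir()))
```

Run it without `delete=True` first and compare the plan against the bulletins already published to the CSDB.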
James Longo
ZERO hour Security Patching with Radia Patch Manager

I recently wrote a short article on LinkedIn and thought I would share it with the Radia community on this forum who may not be a part of the LinkedIn groups.


At Evergreen Systems we take security patching to the next level by developing custom Radia bulletins for our customers on demand.

With ZERO hour security patching you can have a Radia Patch Management solution in place within an hour of a critical security patch release.

Our custom bulletins don't require an updated wsusscn2.cab file. This is a huge advantage over the standard acquisition and deployment process since there is no need to run a 2 hour acquisition, and deployment of the 200MB+ wsusscn2.cab file before the enterprise can even start patching the enterprise. In some environments, it literally takes days to roll out the updated wsusscn2.cab file each month before patching can begin leaving the enterprise vulnerable for several days.

With ZERO hour patching from Evergreen Systems you can start patching the environment using Radia Patch Manager within hours of the critical security patch release.

For more information about our support offerings send an email to support@evergreensys.com


0 1
Shaun Dawkins
Community question about OS Zstops

Our group is at a bit of a stalemate when it comes to adding OS level Zstops to all CSDB services.

We currently support over 800 applications and when a new OS comes out we can spend months testing all our applications on the new OS platform.  Unfortunately, and as an example; if the service currently has a WIN7 zstop on it we can’t quickly test the applications on WIN10. It’s a long process carefully adjusting Zstops on every application so they can even be tested. (We have to do this by exporting the .xpi files and opening them in notepad, changing the Zstop, and reimporting back into the system.) That way it doesn’t modify the date and time stamp of the service and force a reinstall of the software throughout the environment.  As another example, if the application ends up working on WIN10 we would typically add the new OS Zstop to the service and will be faced with the same problem later when WIN12 comes out. 

That means that our only other solution is to NOT add an OS Zstop at all unless the software just won’t work on a particular OS.  We’ve gone through many discussions on the pros and cons of adding the OS level Zstop to all software. The biggest pro of adding the OS Zstops is to prevent major catastrophes like blue screening every machine that has a particular software on a new OS. The major con of the OS Zstop is that it can take months of testing on the new OS. With hundreds of supported applications, it becomes a huge undertaking.   

I’m curious what other companies are doing and if they face the same pain points that we go through when a new OS enters the picture? Maybe there is some solution we aren’t even considering?

3 1
Brian Jakubowsky
Tomcat.exe and mysqld-nt.exe on FSS
Can someone explain why/how the MySQL and Tomcat processes are used on a Full Service Satellite? I had always understood these were part of the Core. However, I am seeing a bunch of stuff with netstat showing there is internal communication between some of these components during client connect. (SATLRCCDLIN549 is I am running 9.1.
TCP SATLRCCDLIN549:50604 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50605 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50607 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50608 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50609 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50610 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50611 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50612 ESTABLISHED [mysqld-nt.exe]
TCP SATLRCCDLIN549:50613 ESTABLISHED [tomcat.exe]
TCP SATLRCCDLIN549:3479 ESTABLISHED [tomcat.exe]
TCP SATLRCCDLIN549:3479 ESTABLISHED [tomcat.exe]
TCP SATLRCCDLIN549:3479 ESTABLISHED
2 1
Finalizing Patch Installation Taking Long
I have patched around 40 machines in our environment using RCA but I want to know why the finalizing patch installation takes too much time. Also need to know about why I am getting too much errors on
0 1
Brian Jakubowsky
Batch Publisher - 255 character path limit?

Can anyone confirm or deny that there is/was a 255 path limit in the Batch Publisher? I think I remember this from long ago. It used to be a Windows problem. Now Windows addressed it, however, I think utilities still needed to be updated to work with the newer APIs. We are probably using an older version of it, so maybe it was addressed in a new release. We can likely work around it, or call it into support. Just looking to see if anyone else knows the answer off the top of their head.

Details from the error I am pretty sure because the path is over 255 for this file.

20160121 09:06:12 Error: Target <Q:/_AUTOPUBLISH/MDT_W8X64_ENT_WIN/V6.3.0.0/deployprod/Deploy/Operating Systems/Windows 8.1 Ent (x64) 2014.11.21/sources/sxs/amd64_netfx-system.directoryservices.protocols_b03f5f7f11d50a3a_6.3.9600.16384_none_3cdb1f0252010eb1/system.directoryservices.protocols.dll> does not exist
20160121 09:06:12 Error: could not read "Q:/_AUTOPUBLISH/MDT_W8X64_ENT_WIN/V6.3.0.0/deployprod/Deploy/Operating Systems/Windows 8.1 Ent (x64) 2014.11.21/sources/sxs/amd64_netfx-system.directoryservices.protocols_b03f5f7f11d50a3a_6.3.9600.16384_none_3cdb1f0252010eb1/system.directoryservices.protocols.dll": no such file or directory

3 1
Vijayan M
MS15-093 out of band patch

RADIA customers are able to acquire MS15-093 out of band patch successfully through Radia Patch Manager.

1 1
Michael Conwell
CAE Satellite Updates using the Console

After manually upgrading a 100 server infrastructure with the 8.10.0003 patch, why isn't there functionality in the RCA console to import a Satellite patch to the Core and execute the stage it to the satellites and remotely install it on the satellites?

You would have to have it done in stages: 1. Import the patch 2. Stage the patch to the satellite 3. Execute the patch. In my mind, the staging should be done in advance of installation and it should be done so in a fashion that it doesn't flood the WAN while it copies to the Satellite. Execution needs to be done separately due to the possible scheduling restrictions imposed by a Change Management system.

Also, patches shouldn't require manual installation for desired components. If I need the 8.10.0003 patch PLUS the OS Management components, I should be able to select this from the console and then have the system update itself when I tell it to.

Suppression of Reboots would be a necessary component.

Centralized reporting of success, failure, pending-reboots, etc. would be needed.

It is long past time to give us this feature for maintaining our RCA infrastructure.

1 1
Jesse Swensen

I would like to better understand the use of these two tables. I understand HSAPSTATS is the history table for SAPSTATS. But how is the SAPSTATS table populated and with what information?

3 1
Vinod Kumar
Satellite Management - Server Details


Why does the Operations and Configuration tab not show up for each Satellite server under the RCA console?

Browsing under Satellite Management for each satellite server there are different tabs available like Summary, Properties, Cache, Server Pools, Locations, Reporting, Operations and Configurations tab. We get an error while selecting the Operations and Configuration tab alone.

Screenshot attached.



1 1
Vinod Kumar
Sap Management


In Core/Satellite model, we have an option in RMP.CFG to enable/disable the SAP Automatic Management. If enabled it does two things 

  1. Create SAP instances for any new Satellite server added in the environment

  2. Create RPS_ User account under PRDMAINT.POLICY.USER class


So is there a way we can disable the user creation only and not the SAP instance creation?




7 1
Andres Alpizar
Radia v 9.0 User Capabilities Error with AD User when logging.

When logging in to the Radia Console v.9.0 with an Active Directory (AD) user, a screen saying "Error Retrieving Capabilities" is shown.

This happens because the account used to log in is in a different organization unit (OU), container (cn) or group than the one specified in the Authentication Group DN when creating the Directory Service, so please try to have the user in just one OU, CN or group.

If it is necessary for the user to be in several OUs, CNs or groups, please contact PSL Support.

0 1
Vinod Kumar
Client Agent data to Core


In 9.x Core Satellite Architecture - What kind of information would be sent from the Client Agent to the Core? Like we are not doing any OSM connects, so what other information would be sent? Can this be tracked?




6 1
Mohammed Al-Nady
How to restrict a service resolution to any machine which has a specific software installed ?

Hi all,

Can anyone help me know how I can limit a service resolution so that it is deployed only on machines which have Mozilla installed?



3 0
Jim Longo
Microsoft released an updated wsusscn2.cab file on March 12, 2020

 Microsoft released an updated wsusscn2.cab file on March 12, 2020. If you already ran the acquire for March prior to March 12, 2020 please re-acquire the March content using force and replace set to YES to ensure you have the most up to date content. If you have any questions please open a support case. 


Verify the wsusscn2.cab date (03/12/2020) in the following location. 


0 0
William Dodson
Adobe flash end of support on December 31, 2020

What is the roadmap for Radia on not using Adobe Flash?

1 0
Jim Longo
KB4474419 Version 3 Update: SHA-2 code signing support update for Win 2008 R2, Win 7, and Win 2008

Microsoft has updated KB4474419 with a version 3 patch. Since Microsoft uses the same KB number the bulletin MS-KB4474419 must be re-acquired with force and replace to update the CSDB with the latest patch information. 

We have received reports of problems with detection and rebooting after installing the December CU KB4530734 security update without first updating 4474419-V3. 

Please re-acquire MS-KB4474419 with force and replace set to YES to update the Radia Service MS-KB4474419 with the latest patch information. 



0 0
Jim Longo
How to enable Patch Management Reports (Entitled)

Currently in Patch Manager reporting, the patch compliance for a device is calculated by the applicable and acquired bulletins. This hotfix enhances the Patch Manager reporting to add a new set of reports for displaying the patch compliance for entitled bulletins instead of acquired bulletins.

The new set of reports named "Patch Management Reports (Entitled)" is added at the same level as the existing "Patch Management Reports".

Existing Patch Manager reports will continue to work as it is. The modules needed to enable these reports should already exist so there should not be a need to update the modules from hotfix QCCR1C55215. Only the instructions below should be needed in order to update the reports with entitled bulletins. 

1. Edit the patch.cfg located at <InstallDir>/PatchManager/etc
-> Add


2. Re-start the RCA Patch Manager Server service

Steps for Messaging Server:

1. Edit the patch.dda.cfg located at <InstallDir>\MessagingServer/etc (Place in "msg::register patch.odbc" section)
-> Add


2. Re-start RCA Messaging Server Service.

Steps for RCA Reporting Server:

1. On the Core Server, navigate to <InstallDir>\ReportingServer\reportpacks
2. Navigate to <InstallDir>\ReportingServer\reportpacks\etc\rapm.cfg
3. Search for "ENABLE" key word, change the value from 0 to 1 and refresh the reporting page.

After applying the above Hotfix, please do the following steps for configuring the client:

1. Open the Admin CSDB Editor.
2. Navigate to PRIMARY->PATCHMGR->Client Method->DISCOVER.
3. Edit all the attributes (Create Method, Delete Method etc.) to add a new parameter -sab Y where sab stands for Send Assigned Bulletins.
4. Repeat this step for FINALIZE and MANAGE.

0 0
Jim Longo
The December acquisition is failing with an invalid token error.

Accelerite is currently investigating an invalid token error when acquiring the December wsusscn2.cab file and MUC bulletins. We will update this post when we have more information and a solution is available.  

20191211 15:47:24 Info: STDOUT: Invalid text value '20191211 15:47:24 Error occured while reading patch information error "not well-formed (invalid token)" at line 1 character 1
"ï <--Error-- »¿<LocalizedProperties><Language>en</L"'


1 0
Jim Longo
Windows 7/Windows Server 2008 (R2) Extended security patching using Radia Patch Manager

 On January 14th, 2020, Microsoft will end regular support for Windows 7, Windows Server 2008 and Windows Server 2008 R2. In order to continue patching Windows 7 and Windows Server 2008 and Windows Server 2008 R2 an extended support contract with Microsoft is needed. 

 Depending on the delivery mechanism Microsoft uses there may not be a need to use custom XML descriptor files to patch these OS's. Microsoft has released a hotfix for extended support for these OS's and the patches may be delivered through the existing MUC data feed and wsusscn2.cab file. In that scenario Radia Patch Manager can continue to be used to distribute security updates. 

 If however Microsoft uses the same delivery mechanism as the Windows XP/2003 Server updates then custom XML descriptor files will be needed to continue patching these OS's via Radia.

 For those who will be extending security patch support with Microsoft and require custom XML descriptor file support to continue to distribute the security patches via Radia Patch Manager, please open a case with our support department requesting details about our XML descriptor file program to manage out of support Windows Operating Systems.

 Once we have the details about how Microsoft will be delivering the security updates we will update this post with more information.


4 0
Jim Longo
How to deploy Chrome Zero-Day fixes for Chrome zeroday vulnerabilities CVE-2019-13720 CVE-2019-13721

 The Chrome Zero Day fix is Chrome version 78.0.3904.87 or newer. The current version of Chrome that is downloaded when acquired is Chrome version 78.0.3904.97. 

 Radia can deploy the Chrome update via Software Manager or Patch Manager depending on preference or availability. 

 To use Software Manager, download and publish the update from Google.


 Patch Manager can update Chrome using the built-in Google-Chrome acquisition, but this will require an update on our end to the latest version before it will correctly detect if Google needs to be updated based on certain versions. We will update the built-in Google-Chrome bulletin and make it available for acquisition next week.

 If you need to update Google-Chrome immediately you can request the custom bulletin CHROME-78.xml which will update Google Chrome to version 78.0.3904.97. This covers multiple OS's including Win7, Win8.1, Win10 (all versions including LTSB), Win2K8 R2 and Win2012 R2. If you need an OS added that is not present please let us know and we can add it to the custom bulletin.

 If you need any assistance acquiring the CHROME-78 or built-in GOOGLE-CHROME bulletins please let us know and we will help get the content acquired and distributed. 

1 0
Jim Longo
How to force a Patch service to trigger a return code of 811 (reboot)

To force a Patch service into an 811 (reboot) add the following syntax to the Patch service.


Note: Using MS-KB4516655 as the example service to force a reboot.


Navigate to:

PRIMARY.PATCHMGR.ZSERVICE.MS-KB4516655 /reboot and double click the reboot variable.

Enter the value: 



NOTE: Setting a reboot flag to 811 will not stop other Patch services from installing during the same patch connect.

0 0
