I fought with this pretty much all day yesterday. I created a script that just detects whether the system is 32-bit or 64-bit and then runs vulscan from the correct location. The patch process ran, but would not display the UI. Instead I saw a pop-up from Windows saying that another application was trying to display a message. Is this because it's being run as the local system account?
I tried several things, but still haven't found something that seems to work. I used "startasuser.exe" to run the vulscan task as the logged-in user. Now I can see the UI, but I get messages about another instance of vulscan running. Then I added the /NoSync option, but with that I get other failures. Trying to get this to work has become pretty frustrating, to say the least. I really wish the built-in "Patch System" task worked for us.
So, my question is: where do you guys have vulscan running in your template in relation to the full agent getting installed? This morning I'm going to see if it helps to have it run while only the provisioning agent is loaded. Maybe the full agent is kicking off scans that are tripping up my patch task?