Altiris™ Patch Management Solution for Windows 7.0 SP1 from Symantec Release Notes

Article:DOC1863  |  Created: 2009-07-23  |  Updated: 2010-03-03  |  Article URL http://www.symantec.com/docs/DOC1863
Article Type
Documentation



Description



Altiris™ Patch Management Solution for Windows 7.0 SP1 from Symantec

Release Notes

Build number 7.0.1510

Patch Management Solution software lets you scan computers for security vulnerabilities, report on the findings, and automate the downloading and distribution of required Microsoft and Adobe security patches. You can review and download specific patches from Microsoft and Adobe, create collections of computers that require a specific patch, and apply the patch to the computers that need it.

This product is part of the following suites:

  • Altiris™ Client Management Suite from Symantec
    For release notes, see knowledge base article 48420.
  • Altiris™ Server Management Suite from Symantec
    For release notes, see knowledge base article 48733.

Note: A new version of this product has been released. See knowledgebase article 50350.

This document contains the following topics:

Back to top

New features

The new features of this release are as follows:

Patching Mac OS X is supported.

This release contains new features that help you automate the installation of updates for Apple Mac OS X. For more information, see the Patch Management Solution for Mac 7.0 SP1 Release Notes (knowledge base article 49080).

Resource scoping for reports is supported.

Resource scoping limits the data that a user can access based on their security role. Resource scoping is implemented by assigning permissions to organizational groups.

By default, running a report extracts the full (unscoped) set of results. In this new feature, the scoping lets you restrict report results to the scope of the user who runs the report. You can apply scoping to the report results to ensure that the user sees only the appropriate data. You can also apply scoping to the report so that only the appropriate data is extracted from the database.

For more information, see the topics about configuring the scoping fields in a report and defining an SQL query in the Symantec Management Platform Help.

The Patch Management worker view provides Patch Management summary information at a glance.

The new Patch Management worker view in the Symantec Management Console provides a single place to view details about patch compliance, vulnerabilities, and potential issues. It also provides access to the Patch functions that let administrators easily take action to remediate items. By making the patch management process more efficient, the worker view helps administrators maintain a more secure environment.

The Patch worker view is available from the Home menu, under Software > Patch Management. The view menu appears in the left pane.

The benefits of the Patch Management worker view are as follows:

  • Provides a single place for a new Patch administrator to determine how and where to start monitoring, assessing, and remediating the environment.
  • Provides a proactive approach to deploying updates.
    The worker view identifies the client computers that are not able to receive updates so that the administrator can take action before the deployment.
  • Provides a single place for an administrator to review the state of the environment.
    Patch Management Solution performs the analyses and assessments that help the administrator determine the state of the environment. The worker view provides a single place for the administrator to view these assessments and take the appropriate actions.
  • Provides timely feedback on the success of the update installations.
    By providing the installation feedback quickly, the worker view lets the administrator take immediate action to remediate the failed installations and secure the environment.
Distributing update packages to specific site servers is supported.

Lets you select the site servers to replicate an update package to. Previously, all patch update packages were automatically distributed to all the available site servers. In many cases, the majority of those packages might not be applicable to the endpoints that are configured to download packages from a specific server. The ability to limit the updates that are replicated to specific site servers can help reduce bandwidth and disk space consumption.

The options for distributing update packages to package servers are as follows

  • All Package Servers
  • Package Servers Individually
    Lets you select the servers to assign to the package.
  • Package Servers by site
    Lets you assign sites to packages from a list of sites that is configured in the Site Maintenance configuration page. When a site is assigned to a package, all package servers within the selected site host the package.
  • Package Servers automatically with manual pre-staging
    This assignment occurs when a task that requires the package is assigned to a resource target. All the computers that are identified by the resource target require the package. The package is assigned to all of the sites that are associated with those computers. The package is downloaded to all the package servers that are in those sites.
    This option is the default.

These options appear on the Policy and Package Settings tab on the Microsoft and Adobe vendor policies.

Hierarchy and data replication is supported.

Patch Management Solution for Windows supports the hierarchy and replication features of the Symantec Management Platform. These features let you create settings, schedules, and other data at the top-level Notification Server computer and replicate them to child-level Notification Server computers. This feature is not new but we are providing additional information about the items that can be replicated.

The following items are replicated by the default Notification Server replication schedule with no custom replication rules:

Item Replication direction
All the Server Tasks settings and schedules (QChain Download, Check Package Integrity, PMImport for MS and Adobe) Down
Microsoft and Adobe vulnerability analysis policy settings Down
Microsoft and Adobe vendor settings Down
Default Software Update Plugin settings policy Down
Software Update Plugin install, upgrade, and uninstall policy settings Down
Automation policy settings Down
Software Update Policies Execution details Up

The following items are replicated with custom replication rules:

Item Replication direction Description
Language support information Up This information is replicated when the "Patch Management Language Alerting" rule is enabled.
Software Update Policies Down This information is replicated when the "Patch Management Software Distribution Replication for Microsoft/Adobe" rule is enabled. If a child Notification Server computer provided the language support info before, then the software update policies on the child only include the updates that are related to the supported operating system languages.
Patch Management Data Import Down This information is replicated when the "Patch Management Import Data Replication for Adobe/Microsoft" rule is enabled. Only the updates and bulletins that are associated with the child computer's supported languages are replicated

Microsoft Compliance summary

This information is not available for Adobe.

Up This information is replicated when the "Compliance summary replication" rule is enabled. The vulnerability analysis is replicated up as a summary.
Patching for Adobe Systems products is supported.

This release contains new features that help you automate the installation of updates for the following Adobe products:

  • Adobe Reader for Windows 7.x, 8.x, and 9.x
  • Adobe Acrobat Professional and Standard for Windows 9.x
  • Adobe Flash Player for Windows 9.x and 10.x

No separate license for Adobe is required. The functionality of the Adobe update process is the same as for Microsoft updates.

The features of Adobe patching are as follows:

Feature Description

Tasks

  • Adobe Patch Management Import
    This task is a clone of the Patch Management Import task, except that it does not contain the options to revise software update policies or disable superseded software updates.
  • Check Software Update Package Integrity
    This existing task now supports Adobe updates.
Policies
  • Adobe (vendor configuration)
    This policy is a clone of the Microsoft vendor policy. It is located under Settings > Software > Patch Management > Adobe Settings. Its default settings are the same as for Microsoft.
  • Adobe Vulnerability Analysis
    This policy is a clone of the Microsoft Vulnerability Analysis policy. It is located under Settings > Software > Patch Management > Adobe Settings. Its default settings are the same as for Microsoft.
Patch core reports that show Adobe data
  • All Software Bulletins
  • Software Bulletin Details
  • Superseded Bulletins
  • Reboot Status
  • Windows Software Update Plug-in rollout status
Adobe-specific reports

Both of these reports are clones of the corresponding Microsoft reports.

  • Adobe Compliance by Bulletin
  • Adobe Compliance by Computer
Data classes
  • Adobe Service Pack
  • Adobe Software Release
  • Applicable Adobe Software Update
  • Installed Adobe Software Update

Back to top

Installation and upgrade

Prerequisites

  • Symantec Management Platform 7.0 SP2 Hot Fix 1
    See knowledge base article 46035, Symantec™ Management Platform 7.0 SP2 Release Notes.
  • Patch Core Services 7.0 SP1

New installation

You can install this product by using the Symantec Installation Manager. You can download the installation files directly to your server or you can create offline installation packages.

For more information, see the Symantec Management Platform Installation Guide (knowledge base article 45732).

Upgrade

You can upgrade this product from 6x versions if you run the Symantec Installation Manager on a Notification Server 6.x computer. To upgrade from the 6.x version, you must first upgrade your 6.x Notification Server to Symantec Management Platform 7.0 or later. During the Notification Server upgrade process, you can select to upgrade to the latest version of this product.

For more information, see the Symantec Management Platform Installation Guide (knowledge base article 45732).

Data migration from 6.x

The migration of 6.x data to Patch Management Solution for Windows 7.0 SP1 is the same as for 7.0.

For more information about migrating Patch data, see the Patch Management Solution for Windows User's Guide.

Data migration from 7.0

All the data in Patch Management Solution for Windows 7.0 is supported in 7.0 SP1 without the need for data migration.

Installation and Upgrade issues

The following table lists the known issues that are related to installing and upgrading this product. If an article ID is included, you can click the link for additional information.

Issue Article ID
Certain Microsoft settings are not migrated.

When you migrate data from Patch Management Solution 6.x to 7.0 SP1, the following Microsoft settings are not migrated:

Tab in 6.x Tab in 7.0 SP1 Settings
General Software Update Options Schedule
Programs Programs
  • Run with rights
  • Terminate after
  • Send status events
Advanced Policy and Package Settings
  • Delete packages after
  • Allow Package Server distribution

 
Cloned Software Update Policies are not visible after upgrade

Cloned Software Update Agent polices that were located at Settings > Agents/Plug-ins > Software > Windows Software Update Agent > Settings are not visible in the console after you perform an upgrade from 7.0 to 7.0 SP1.

To resolve this issue, use the search option in the console to find missing configuration policies. Once they have been found right click on them and select move. They can now be moved to the location in which the default policy is located.

If the name of the policy is unknown the following query can be run on the SQL server to obtain the names:

SELECT Guid, [Name] FROM vItem
WHERE ClassGuid = '5e5bde22-c290-4a94-a36c-c5076da6d565'
AND Attributes & 256 = 0

 49214

Back to top

Things to know

The following table lists the additional things in this release that you need to know about. If an article ID is included, you can click the link for additional information.

Things to know Article ID
Close the Altiris Log Viewer to improve the performance of the Microsoft and Adobe patch import tasks.

If you close the Altiris Log Viewer when you run the Microsoft Patch Management Import task or the Adobe Patch Management Import task, you can improve the task's performance by as much as 50 percent.

 

Back to top

Known Issues in this Release

The following issues are unresolved in this release. If an article ID is included, you can click the link for additional information.

Issue Article ID
Updated documentation and Help are not shipped with this product.

Updated versions of the User's Guide and Help for Patch Management Solution for Windows are not available at the time of this release. When it is updated, the PDF version of the User's Manual will be posted to the following locations:

  • The Documentation Web site, which is available at the following URL:
    http://www.altiris.com/Support/Documentation.aspx
  • As an article in the knowledge base. 

The User's Guide is now available. See article 49576.

 49576
Patching of software that is installed into a virtual layer is not supported.

Patches that you apply to the software in a virtual layer might not be applied correctly and can corrupt the system.

 
Software updates cannot be downloaded to the client computers from an alternate download location on the package server.

Only UNC paths can be used as an alternate download location on a package server. If you specify a local path on the server as the alternate download location, the software updates are not downloaded from there.

 
In the Patch Remediation Center, you cannot show Superseded Bulletins for Microsoft.

In the Patch Remediation Center, when you choose to show Superseded Bulletins and you select Microsoft as the Vendor, no bulletins appear.

Workaround: In Vendor, select All. The results include any Microsoft bulletins.

 
The default Package Distribution settings on the Microsoft vendor policy page do not work.

On the Policy and Package Settings tab on the Microsoft vendor policy page, the default Package Distribution settings are as follows:

  • Allow Package Server Distribution is checked.
  • Assign Package To is set to Package Servers Individually, and no package server is checked in the Selected Package Server list.

With these settings, the packages are not distributed to the package servers as expected.

Workaround: Change the settings in any of the following ways:

  • In the Selected Package Server list, select at least one package server.
  • In the Assign Package To drop-down list, select any other option.
  • Uncheck Allow Package Server Distribution.
 
The Patch Management Administrator cannot turn a Software Update policy on or off.

When creating a Software Update policy, the Patch Management administrator role cannot perform the following actions:

  • Enable (turn on) or disable (turn off) a Software Update policy during the Software Update policy wizard.
  • Enable (turn on) a Software Update policy from the policy edit page.

Workarounds:

To create and enable a Software Update policy:

  1. In the Symantec Management Console, use the Software Update policy wizard to create the policy, which is disabled by default.
  2. On the Manage menu, click Policies.
  3. In the left pane, click Policies > Software > Patch Management > Software Update Policies.
  4. Right-click the policy that you created and click Enable.

To disable an existing Software Update policy:

  1. In the Symantec Management Console, on the Manage menu, click Policies.
  2. In the left pane, click Policies > Software > Patch Management > Software Update Policies.
  3. Take either of the following steps:
    • Right-click the policy that you created and click Enable.
    • Edit the policy and at the upper right of the policy page, click the colored circle and then click On.
 
Packages are not always downloaded to managed computers at the correct time.

Occasionally, software update packages may not be downloaded immediately to managed computers. This is due to a timing issue where the initial download is not triggered by Software Management and the status of the package is not updated. The packages will be downloaded when the update install schedule fires or when a Maintenance Window next opens.

 
Software Advertisements are removed from Software Update policies

This issue can occur when Software Update policies are being replicated down a hierarchy from a parent to a child server. A caching problem can result in advertisements for individual software updates being removed from the policy. This in turn means that the replicated policy is incomplete when it reaches the child and cannot be distributed. The policy needs to be re-created on the parent and replicated again to the child - it cannot be fixed on the child. We recommend that you use the Standard Replication Schedules rather than Custom Schedules for Software Update Policy replication in order to avoid this issue.

 
Agents requesting configuration for replicated Software update tasks before the associated packages have been re-created cause errors.

During Software Update Policy replication, the policies will exist before the packages have been downloaded to the child server. If an agent requests configuration during this time, errors will be generated in the logs as the policies are incomplete until the packages are downloaded. Once the packages are downloaded, the errors will no longer occur.

 
Notification Server Item replication deletes any task history on the child.

Replication of items down a hierarchy deletes any task history on the child for the Patch Management server tasks.

 
When you click Save Changes in a policy, a confirmation message displays "Saved Changes" even though the policy is still being saved.

When you edit a Software Update policy, the screen is updated with the text "Saved Changes" even though the task that saves the changes made to the policy and underlying advertisements may still be running. If the changes that you made do not appear on the screen immediately, refresh the screen after a few seconds. Your changes should appear after the refresh.

 
The Software Update Agent stays in the "Update Pending" state after the dialog box closes.

Occasionally, clicking Install Now on the Software Update Installation dialog box or waiting for the dialog box to close itself does not result in the immediate installation of a software update. The installation commences five minutes after the dialog box has closed, when the Software Update Agent wakes up and checks its state.

 
Do not use the Patch Management Rollout role.

Due to a number of limitations, we recommend that you do not use the "Patch Management Rollout" role (formerly named "Patch Deployment").

 

Back to top

Where to get more information

The product installation includes the following documentation:

Document Description Location

User’s Guide

Information about how to use this product, including detailed technical information and instructions for performing common tasks.

This information is available in PDF format.

Help

Information about how to use this product. This information is the same as in the User’s Guide.

Help is available at the solution level and at the suite level.

This information is available in HTML help format.

The Documentation Library, which is available in the Symantec Management Console on the Help menu.

Context-sensitive help is available for most screens in the Symantec Management Console.

You can open context-sensitive help in the following ways:

  • The F1 key.
  • The Context command, which is available in the Symantec Management Console on the Help menu.

For more information, you can use the following resources:

Resource Description Location

Implementation Guide

Information about how to install, configure, and implement this product.

This information is available in PDF format.

The Documentation Web site, which is available at the following URL:
http://www.altiris.com/Support/Documentation.aspx

Symantec Management Platform Release Notes

Information about new features and important issues in the Symantec Management Platform.

This information is available as an article in the knowledge base.

https://kb.altiris.com/article.asp?article=45141&p=1

You can also search for the product name under Release Notes.

Installing the Symantec Management Platform products

Information about using Symantec Installation Manager to install the Symantec Management Platform products.

This information is available as an article in the knowledge base.

https://kb.altiris.com/article.asp?article=45732&p=1

Altiris 7 Planning and Implementation Guide

Information about capacity recommendations, design models, scenarios, test results, and optimization best practices to consider when planning or customizing an Altiris 7 Infrastructure for your organization.

This information is available as an article in the knowledge base.

https://kb.altiris.com/article.asp?article=45803&p=1

Knowledge Base

Articles, incidents, and issues about this product.

http://kb.altiris.com/

Symantec Connect (formerly the Altiris Juice)

An online magazine that contains best practices, tips, tricks, and articles for users of this product.

http://www.symantec.com/connect/endpoint-management-virtualization

Online Forums

Forums for users of this product.

http://forums.altiris.com/

Back to top



Legacy ID



48255


Article URL http://www.symantec.com/docs/DOC1863


Terms of use for this information are found in Legal Notices