Altiris™ Patch Management Solution for Windows 7.0 SP2 from Symantec Release Notes

Article:DOC1986  |  Created: 2009-11-26  |  Updated: 2010-03-30  |  Article URL http://www.symantec.com/docs/DOC1986
Article Type
Documentation


Description



Build number 7.0.4071

Introduction

Altiris™ Patch Management Solution for Windows lets you scan computers for security vulnerabilities, report on the findings, and automate the downloading and distribution of required Microsoft and Adobe security patches. You can review and download specific patches from Microsoft and Adobe, create collections of computers that require a specific patch, and apply the patch to the computers that need it.

Patch Management Solution for Windows helps you automate the installation of updates for the following Adobe products:

  • Adobe Reader for Windows 7.x, 8.x, and 9.x
  • Adobe Acrobat Professional and Standard for Windows 9.x
  • Adobe Flash Player for Windows 9.x and 10.x

No separate license for Adobe is required. The functionality of the Adobe update process is the same as for Microsoft updates.

This product is part of the following suites:

  • Altiris™ Client Management Suite from Symantec
    For release notes, see knowledgebase article 49644.
  • Altiris™ Server Management Suite from Symantec
    For release notes, see knowledgebase article 50400.
  • Altiris™ IT Management Suite from Symantec
    For release notes, see knowledgebase article 51492.

New features

The new features of this release are as follows:

Support for Symantec Management Platform 7.0 SP4

This product can be installed on Symantec Management Platform 7.0 SP4.

Performance and reliability improvements

Performance of the Software Update Plug-in, reports, and patch management import task has been improved.

Option to restart computers immediately

The Allow immediate restart if required option lets you restart the target computers immediately after the update or the update cycle has completed.

Installation and upgrade

Prerequisites

  • Symantec Management Platform 7.0 SP4. See knowledgebase article 49811.
  • Patch Core Services 7.0 SP2

Required components are installed automatically when you use Symantec Installation Manager to install this product.

New installation

You can install this product by using the Symantec Installation Manager. You can download the installation files directly to your server or you can create offline installation packages.
For more information, see the Symantec Management Platform Installation Guide (see knowledgebase article 45732).

Upgrade

You can upgrade this product from 6.x versions if you run the Symantec Installation Manager on a Notification Server 6.x computer. To upgrade from the 6.x version, you must first upgrade your 6.x Notification Server to Symantec Management Platform 7.0 or later. During the Notification Server upgrade process, you can select to upgrade to the latest version of this product.
For more information, see the Symantec Management Platform Installation Guide (see knowledgebase article 45732).

After you upgrade the product, you must upgrade the Altiris Agent and the Software Update Plug-in that are installed on the target computers.

Data migration from 6.x

The migration of 6.x data to Patch Management Solution for Windows 7.0 SP2 is the same as for 7.0.

For more information about migrating data, see knowledgebase article 44969.

For more information about migrating Patch Management Solution data, see the Patch Management Solution for Windows User Guide.

Data migration from 7.0

All the data in Patch Management Solution for Windows 7.0 is supported in 7.0 SP2 without the need for data migration.

Installation and Upgrade issues

The following issues are known issues related to installing and upgrading this product. If additional information about an issue is available, click the Article ID link.

Issue Article ID
Certain Microsoft settings are not migrated from 6.x to 7.x

When you migrate data from Patch Management Solution 6.x to 7.x, the following Microsoft settings are not migrated:

Tab in 6.x | Tab in 7.x | Settings
General | Software Update Options | Schedule
Programs | Programs | Run with rights; Terminate after; Send status events
Advanced | Policy and Package Settings | Delete packages after; Allow Package Server distribution

 
Non-inherited permissions are not migrated from 6.x to 7.x

Non-inherited permissions for security roles are not migrated from 6.x to 7.x

 
Cloned Software Update Agent Policies are not visible after upgrade

Cloned Software Update Agent policies that were located at Settings > Agents/Plug-ins > Software > Windows Software Update Agent > Settings are not visible in the console after you perform an upgrade from 7.x to 7.0 SP2.

To resolve this issue, use the search option in the console to find the missing configuration policies. Once you find them, right-click them and select Move. You can then move them to the location of the default policy.

If the name of the policy is unknown, you can run the following query on the SQL server to obtain the names:

SELECT Guid, [Name] FROM vItem
WHERE ClassGuid = '5e5bde22-c290-4a94-a36c-c5076da6d565'
AND Attributes & 256 = 0

Article ID: 49214
Core Service page settings not migrated after upgrade from 7.x

The Software Update Package Location and Download from staging location settings on the Core Services pages are not migrated and set to their default values. You can customize the settings after the upgrade.

 
Software Update Plug-in policy settings are not migrated after upgrade from 7.x

The settings in the Software Update Plug-in Install, Uninstall, and Upgrade policies are not migrated during an upgrade from 7.x to this version of Patch Management Solution for Windows.

 
Automation policy settings are not migrated after upgrade from 7.x

The query parameters in the automation policies (Item Status Changed After PM Import, Maintain Retired Machine Historical data, Software Update Advertisement Disabled, Software Update Policy Failed) are not migrated during an upgrade from 7.x to this version of Patch Management Solution.

 
Download QChain settings are not migrated after upgrade from 7.x

Some settings on the Download QChain page are reset to default after an upgrade.

 
Microsoft/Adobe Vulnerability Analysis targets are not migrated after upgrade from 7.x

The targets in the Applied to section are reset to default after an upgrade.

 
Software Update policy targets are not migrated after upgrade from 7.x

The targets in the Applied to section are reset after an upgrade. The targets are reset to the target value that is indicated in the Default Software Update Plug-in Settings policy.

 
Custom severity with non-Latin characters is not migrated after upgrade from 7.x

Sometimes a custom severity with non-Latin characters is not migrated.

 

Fixed Issues in this Release

The following are previous issues that were fixed in this release. If additional information about an issue is available, click the Article ID link.

Issue Article ID
The default Package Distribution settings on the Microsoft and Adobe vendor policy page do not work.

On the Policy and Package Settings tab on the Microsoft and Adobe vendor policy page, the default Package Distribution settings are as follows:

  • Allow Package Server Distribution is checked.
  • Assign Package To is set to Package Servers Individually, and no package server is checked in the Selected Package Server list.

With these settings, the packages are not distributed to the package servers as expected.

Workaround: Change the settings in any of the following ways:

  • In the Selected Package Server list, select at least one package server.
  • In the Assign Package To drop-down list, select any other option.
  • Uncheck Allow Package Server Distribution.
 

Things to know

The following are things to know about this release. If additional information about an issue is available, click the Article ID link.

Things to know Article ID
Patching of software that is installed into a virtual layer is not supported.

Patches that you apply to the software in a virtual layer might not be applied correctly and can corrupt the system.

 
Close the Altiris Log Viewer to improve the performance of the Microsoft and Adobe patch import tasks

If you close the Altiris Log Viewer when you run the Microsoft Patch Management Import task or the Adobe Patch Management Import task, you can improve the task's performance by as much as 50 percent.

 
About hierarchy and data replication

Patch Management Solution for Windows supports the hierarchy and replication features of the Symantec Management Platform. These features let you create settings, schedules, and other data at the top-level Notification Server computer and replicate them to child-level Notification Server computers. This feature is not new but we are providing additional information about the items that can be replicated.

The following items are replicated by the default Notification Server replication schedule with no custom replication rules:

Item | Replication direction
All the Server Tasks settings and schedules (QChain Download, Check Package Integrity, PMImport for MS and Adobe) | Down
Microsoft and Adobe vulnerability analysis policy settings | Down
Microsoft and Adobe vendor settings | Down
Default Software Update Plug-in settings policy | Down
Software Update Plug-in install, upgrade, and uninstall policy settings | Down
Automation policy settings | Down
Software Update Policies Execution details | Up

The following items are replicated with custom replication rules:

Item | Replication direction | Description
Language support information | Up | This information is replicated when the "Patch Management Language Alerting" rule is enabled.
Software Update Policies | Down | This information is replicated when the "Patch Management Software Distribution Replication for Microsoft/Adobe" rule is enabled. If a child Notification Server computer provided the language support information before, then the software update policies on the child only include the updates that are related to the supported operating system languages.
Patch Management Data Import | Down | This information is replicated when the "Patch Management Import Data Replication for Adobe/Microsoft" rule is enabled. Only the updates and bulletins that are associated with the child computer's supported languages are replicated.
Microsoft Compliance summary (this information is not available for Adobe) | Up | This information is replicated when the "Compliance summary replication" rule is enabled. The vulnerability analysis is replicated up as a summary.
 
Understanding Patch Remediation Center right-click actions

On the Patch Remediation Center page, you can right-click a bulletin and select a report. The following right-click actions are available:

Action | Description
View Targeted Computers | Displays the computers that the Software Update Policy, in which this bulletin is included, is targeting. You must create a Software Update Policy to view targeted computers.
View Applicable Computers | Displays the computers to which the selected bulletin applies.
View Installed Computers | Displays the computers on which the selected bulletin is installed.
View Vulnerable Computers | Displays the computers that do not have the selected bulletin installed.
 
About Patch Management security roles

You can assign the following security roles to Symantec Management Console users:

  • Patch Management Administrators
  • Patch Management Rollout

Users with the Patch Management Administrators role have full access to Patch Management Solution functionality, but no access to the rest of the Symantec Management Console.

Users with the Patch Management Rollout role have limited access to the following Patch Management Solution functionality:

  • Software Update policies
  • Reports
  • Patch Remediation Center page

Users with the Patch Management Rollout role can perform the following actions:

  • Enable/disable/change settings in the software update policies
  • View reports
 

Known Issues in this Release

The following are known issues for this release. If additional information about an issue is available, click the Article ID link.

Issue Article ID
Patching of software that is installed into a virtual layer is not supported.

Patches that you apply to the software in a virtual layer might not be applied correctly and can corrupt the system.

 
Software updates cannot be downloaded to the client computers from an alternate download location on the package server.

Only UNC paths can be used as an alternate download location on a package server. If you specify a local path on the server as the alternate download location, the software updates are not downloaded from there.

 
In the Patch Remediation Center, Superseded Bulletins for Microsoft are not shown.

In the Patch Remediation Center, when you choose to show Superseded Bulletins and you select Microsoft as the Vendor, no bulletins appear.

Workaround: In Vendor, select All. The results include any Microsoft bulletins.

 
The Patch Management Administrator cannot turn a Software Update policy on or off.

When creating a Software Update policy, the user with Patch Management Administrator role cannot perform the following actions:

  • Enable (turn on) or disable (turn off) a Software Update policy during the Software Update policy wizard.
  • Enable (turn on) a Software Update policy from the policy edit page.

Workarounds:

To create and enable a Software Update policy:

  1. In the Symantec Management Console, use the Software Update policy wizard to create the policy, which is disabled by default.
  2. On the Manage menu, click Policies.
  3. In the left pane, click Policies > Software > Patch Management > Software Update Policies.
  4. Right-click the policy that you created and click Enable.

To disable an existing Software Update policy:

  1. In the Symantec Management Console, on the Manage menu, click Policies.
  2. In the left pane, click Policies > Software > Patch Management > Software Update Policies.
  3. Take either of the following steps:
    • Right-click the policy that you created and click Enable.
    • Edit the policy and at the upper right of the policy page, click the colored circle and then click On.
 
Packages are not always downloaded to managed computers at the correct time

Occasionally, software update packages may not be downloaded immediately to managed computers. This is due to a timing issue where the initial download is not triggered by Software Management and the status of the package is not updated. The packages will be downloaded when the update install schedule fires or when the next Maintenance Window opens.

 
Software Advertisements are removed from Software Update policies

This issue can occur when Software Update policies are being replicated down a hierarchy from a parent to a child server. A caching problem can result in advertisements for individual software updates being removed from the policy. This in turn means that the replicated policy is incomplete when it reaches the child and cannot be distributed. The policy needs to be re-created on the parent and replicated again to the child - it cannot be fixed on the child. We recommend that you use the Standard Replication Schedules rather than Custom Schedules for Software Update Policy replication in order to avoid this issue.

 
Agents requesting configuration for replicated Software update tasks before the associated packages have been re-created cause errors

During Software Update Policy replication, the policies will exist before the packages have been downloaded to the child server. If an agent requests configuration during this time, errors will be generated in the logs as the policies are incomplete until the packages are downloaded. Once the packages are downloaded, the errors will no longer occur.

 
Notification Server Item replication deletes any task history on the child

Replication of items down a hierarchy deletes any task history on the child for the Patch Management server tasks.

 
When you click Save Changes in a policy, a confirmation message displays "Saved Changes" even though the policy is still being saved

When you edit a Software Update policy, the screen is updated with the text "Saved Changes" even though the task that saves the changes made to the policy and underlying advertisements may still be running. If the changes that you made do not appear on the screen immediately, refresh the screen after a few seconds. Your changes should appear after the refresh.

 
The Software Update Agent stays in the "Update Pending" state after the dialog box closes

Occasionally, clicking Install Now on the Software Update Installation dialog box or waiting for the dialog box to close itself does not result in the immediate installation of a software update. The installation starts five minutes after the dialog box has closed, when the Software Update Plug-in wakes up and checks its state.

 
Do not use the Patch Management Rollout role

Due to a number of limitations, we recommend that you do not use the "Patch Management Rollout" role (formerly named "Patch Deployment").

 
Bulletins from other vendors can be displayed in the Software Bulletin Details report

If the software updates catalog for a particular vendor (Adobe, Microsoft) is not yet downloaded, bulletins from another vendor can be displayed in reports. For example, when on the Patch Management home page, in the left pane, you click Adobe > Software Bulletins, Microsoft software bulletin details can appear in the right pane. To view details for Adobe, you must run the Adobe Patch Management Import task.

 
Patch Management Import task status is incorrect

When a Patch Management Import task is running, the "Pending" status is displayed in the Task Status section of the Patch Management Import task page. This status is not correct. In order to view the correct status of the task, click the task instance and open the task instance details.

 
Computer restart is required after you install bulletin APSB09-19

After you update Flash Player ActiveX v10 with bulletin APSB09-19, a dialog box can appear on the client computer prompting the user to restart the computer. However, the update is installed successfully, and in reports the bulletin is shown as installed.

This issue happens because of an orphaned registry key indicating that a restart from a previous install or update is pending. The user can restart the computer or postpone the restart to a later time.

 
Incorrect numbers can be displayed in compliance reports

In rare cases, when more than one update in a bulletin is applicable to the same computer, the Applicable, Installed, and Vulnerable columns can display incorrect data.

 
Incorrect data is displayed in the update delivery summary web part

Sometimes, the data that is displayed in the Microsoft Software Update Delivery Summary web part on the Patch Management home page does not match the data that is displayed in the drill-down report.

 
Windows Compliance by Update report drill-downs do not work for Adobe

The Applicable Computers, Installed Computers, and Vulnerable Computers drill-downs do not work for Adobe bulletins.

 
Computers with software update plug-in drill-down shows incorrect results

On the Windows Compliance page, the Computers with software update plug-in report shows the number of all computers that have the Software Update Plug-in installed. The drill-down report shows the number of plug-ins that were installed in the last 30 days.

 
Hierarchy and replication issues  
Packages are not replicated to child immediately

When you manually replicate data to a child Notification Server on the Settings > Notification Server > Hierarchy page using the right-click Replicate To command, the software update policies are replicated, but the update packages are not created on the child.

To re-create the packages on the child, run the Patch Management Software Distribution Replication For Microsoft/Adobe rule in Complete mode. To do this, either a) turn on this rule and run a full complete replication, or b) choose the complete replication mode in the rule settings and specify a custom schedule.

 
Right-click Replicate Now option does not work

The Replicate Now feature is not supported for Software Update policies. In order to replicate Patch Management Solution Software Update policies to child-level Notification Servers, use the Patch Management Software Distribution Replication for Adobe/Microsoft replication rules.

 
Replicating data between different versions of Patch Management is not supported

Although some items may replicate between different versions of Patch Management Solution that are installed on parent and child Notification Servers, we do not recommend doing this. If you want to use hierarchy and replication, Patch Management Solution versions must be the same on the parent and child.

 

Where to get more information

The product installation includes the following documentation:

Document Description Location

User Guide

Information about how to use this product, including detailed technical information and instructions for performing common tasks.

This information is available in PDF format.

Help

Information about how to use this product. This information is the same as in the User's Guide.

Help is available at the solution level and at the suite level.

This information is available in HTML help format.

The Documentation Library, which is available in the Symantec Management Console on the Help menu.

Context-sensitive help is available for most screens in the Symantec Management Console.

You can open context-sensitive help in the following ways:

  • The F1 key.
  • The Context command, which is available in the Symantec Management Console on the Help menu.

For more information, you can use the following resources:

Resource Description Location

Implementation Guide

Information about how to install, configure, and implement this product.

This information is available in PDF format.

Symantec Management Platform Release Notes

Information about new features and important issues in the Symantec Management Platform.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45141&p=1

You can also search for the product name under Release Notes.

Installing the Symantec Management Platform products

Information about using Symantec Installation Manager to install the Symantec Management Platform products.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45732&p=1

Altiris 7 Planning and Implementation Guide

Information about capacity recommendations, design models, scenarios, test results, and optimization best practices to consider when planning or customizing an Altiris 7 Infrastructure for your organization.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45803&p=1

Knowledge Base

Articles, incidents, and issues about this product.

http://kb.altiris.com/

Symantec Connect (formerly the Altiris Juice)

An online magazine that contains best practices, tips, tricks, and articles for users of this product.

http://www.symantec.com/connect/endpoint-management-virtualization

Online Forums

Forums for users of this product.

http://forums.altiris.com/



Legacy ID



50350

