How do I configure Patch Management 7.1 and 7.5 for Windows?

Article:HOWTO56242  |  Created: 2011-07-26  |  Updated: 2014-08-11  |  Article URL http://www.symantec.com/docs/HOWTO56242
Article Type
How To



1. Licensing: Ensure Annual Upgrade Protection is current so that the Patch Management Import Data (PMImport) can be downloaded; without current import data the solution cannot deploy current updates.

  • Found at Start > Programs > Symantec > Symantec Installation Manager - open the SIM and select the Licensing link in the upper left corner.
  • Ensure the licensed Node Count covers the number of clients that Patch Management Solution will manage.

2. Software Update Plug-in Install / Upgrade Policy: deploys the Patch Agent Plug-in to clients with the Altiris Agent Installed.

  • Found at Console > Settings > Agents/Plug-ins > Software > Patch Management - Software Update Plug-in Install
    • Quick Setup:
      • Configure the targeted filter; schedule the policy to run daily and ASAP to ensure maximum deployment of the Patch Agent.
        • Caution: Enable only one schedule (a single daily run) on this policy. Multiple schedules or a windowed schedule cause conflicts and the plug-in fails to deploy.
      • Review the rest of this section for more detailed information concerning the Software Update Plug-in Install / Upgrade process.
  • Configure the targeted Filter
    • Ensure the targeted Filter holds the desired clients to receive the Patch Plug-in
  • Configure Schedule
    • Configure to run at a specific time or windowed time frame.
    • Configure to repeat daily until targeted filter holds 0 members or desired deployment count reached 
  • Configure Extra schedule options
    • Run once ASAP: Runs once, as soon as possible. Whether it succeeds or fails, it does not run again.
    • User can run: Makes the install visible in the agent GUI so the user can start it from the Software Delivery tab > Application Tasks in the blue pane.
    • Notify user when the task is available: Shows a notification popup on the desktop when the install becomes available.
    • Warn before running: Shows a warning popup on the desktop before the install starts.
  • Enable the policy by selecting the Off/On in the upper right corner
  • Save Changes
  • Advisory1: Cloning the Install / Upgrade Policy splits it into several policies, one per filter that was targeted by the original install policy.
    • Best Practice: Keep the single Software Update Plug-in Install / Upgrade Policy and change its targeted filter instead of cloning.
    • Amendment: Cloned Install / Upgrade Policies appear to work on PM 7.1 MP1 (only); however, this has not been officially tested by Development. If there are any problems deploying the Software Update Plug-in via a cloned Install Policy, delete the clone and use the default Install Policy.
    • Always TEST in a lab environment before deploying in production!
  • Advisory2: Deployment is not real time. After the plug-in installs, the Altiris Agent must compile Basic Inventory and then Patch Inventory; it may take several hours before the client is fully functional.


3. Import Patch Data for Windows: Downloads the patch rules (the PMImport) for all enabled vendors, e.g. Microsoft, Adobe and others

  • Found at Console > Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Import Patch Data
    • Quick Setup: 
      • Patch Management Import Settings: 
        • Incremental import - Enabled; gives better performance because only the segments of the .cab data that changed are downloaded.
          • Note: Disabled runs a full import, which downloads the complete .cab file.
        • Delete previously downloaded data for vendors, software and languages that are now excluded - Disabled; this only needs to be Enabled after a recent change to the Vendors and Software listing that removed unwanted patch data.
          • Note: Enabled clears all packages and resource associations from the database for anything no longer present in the Vendor list.
          • Caution: If the Vendor List is corrupt (missing data that a previous healthy listing had), Enabled deletes the Patch Packages and Policies for updates that were not meant to be cleared. This is rare but has happened, so leaving this setting Disabled is best practice unless the Admin needs to clean up recent exclusions.
      • General: Enable the clean-up check boxes so that rules for revised and superseded updates are refreshed and newly revised updates can be deployed.
      • Vendors and Software: Update - downloads the selected languages and vendor data
      • Task Status > New Schedule > Now: run the PMImport immediately with the saved settings.
      • Review the rest of this section for more detailed information concerning the PMImport.
         
  • Patch Management Import Settings:
    • Incremental Import:
      • Enable: downloads only the modified components for the selected vendors
      • Disable: forces a complete PMImport download for the selected vendors
    • Delete previously downloaded data for vendors, software and languages that are now excluded
      • Cleans up any previously downloaded / staged updates that are now excluded under 'Vendors and Software'
         
  • General:
    • Default Location: Enabled downloads from the default Symantec (SolutionSam) site
    • Alternative Location: Path to download from instead, used with DMZ Management Server configurations
    • Revise Software Update Policies: Enable so that existing Software Update Policies pick up revised updates after the import
    • Superseded Software Updates will be disabled after the Import Patch Data task has completed:
      • Enable: all superseded Software Updates are disabled after the import, which removes them from policies and reports
      • Advisory: This helps keep the Patch Rules clean; Patch Reporting automatically drops superseded updates

         
  • Vendors and Software:
    • Import of Available vendors, software and languages: 
      • Click 'Update' to execute the import.
      • Run this to display the list of Vendors, software and languages available for this PMImport
        • Check the main box to support all updates for the selected Vendor
        • Exclusions: Expand the [+] to deselect undesired update types
           
  • Languages:
    • Enable the check box for each language type supported in this environment
       
  • Task Status:
    • New Schedule:
      • Now: allows the PMImport to run now with current saved settings
      • Schedule: configure to run at a specified date / time with current saved settings. 
        • Date: configure the date to start the PMImport
        • Time: configure the time to start the PMImport
        • Repeat Every: configure interval to repeat the process
      • Advisory: Best practice is Date: Today, Time: 03:00 AM, Repeat Every: 1 day, i.e. a daily PMImport at 03:00 AM.
        • Custom schedule will appear in the Task Library as 'NS.Run Import Patch Data...'

4. Patch Management Inventories: Windows System Assessment Scan

  • Found on the Console > Settings > All Settings > Software > Patch Management > Windows System Assessment Scan
    • Quick Setup:
      • Default configuration is best practice.
      • Review the rest of this section for more detailed information concerning the Patch Management Inventory processes.
  • Schedule:
    • Runs daily, repeating every 4 hours.
      • This schedule may be adjusted, but it is the optimal setting for environments of up to 10,000 clients. For environments with more than 11,000 clients, consider running every 6 hours.
  • Start the scan immediately when new or updated policy is received (setting only available in Patch Management Solution 7.5+):
    • Keep this disabled for better environment performance, especially when recently released Software Update Policies target the clients.
    • Enable it only when the targeted policies have 'Package Options' enabled (the 'one-off' setting described in Section 6, 'Creating the Software Update Policy to deploy the packages', below).
      • When the 'one-off' setting is needed, e.g. to deploy an out-of-band update outside the regular Software Update Cycle, this setting ensures the Assessment Scan runs before the update executes.
  • Send Inventory Results Only If Changed:
    • Keep this enabled unless testing or troubleshooting Patch Inventories requires otherwise.
    • Disabled: all targeted clients return all Patch Inventories even if the Management Server has already received and processed them, causing unnecessary load on the Management Server.
  • Applied To:
    • This policy targets the default filter: Windows Computers with Software Update Plug-in Installed Target.
    • Ensure the targeted count matches the number of clients with the Patch plug-in installed; a mismatch points to a problem with the Software Update Plug-in Install or Upgrade policies.
      • Note: There is no need to add to, or remove from, the targeted filter for this policy.

5. Scheduling the Software Update Cycle to install updates: Default Software Update Plug-in Policy

  • Found on the Console > Agents/Plug-ins > All Agents/Plug-ins > Software > Patch Management > Windows > Default Software Update Plug-in Policy
    • Quick Setup:
      • Schedule the Software Update Cycle
      • Schedule reboot settings
      • Enable override maintenance windows if needed
      • Review the rest of this section for more detailed information concerning the Software Update Cycle process.
      • Advisory1: This policy can be cloned to target specific filters with their own Software Update Cycle / reboot schedules. The Default Policy releases a client once a clone targets it through its filter; however, it is best practice to disable the Default Policy when the cloned filter is populated by AD Import. This ensures that clients which 'fall out' of the cloned filter are not updated through the Default Policy.
      • Advisory2: When cloning the Default Software Update Plug-in Policy, always clone the Default Policy itself; cloning a clone has been found to corrupt the policy and its database resource associations.
      • Advisory3: At least one Default Software Update Plug-in Policy must be enabled so that resource associations are established during the Patch Package creation process. Ensure one policy is enabled at all times.
        • If the Software Update Cycle from this policy needs to be delayed or effectively disabled, schedule it in the far future (e.g. the year 2030) instead of disabling the policy.
        • The schedule may be deleted altogether if needed; review the behavior of this configurations on KM: HOWTO51921
           
  • Installation Schedules tab:
    • Software Update Installation:
      • Schedule: Best practice is a daily repeating schedule so that updates install soon after they are staged.
        • Windowed Schedule: another best practice setting, because it can run the Software Update Cycle repeatedly, as needed, within a window of time.
          • Example: Start at 3 AM, end at 5 AM, run every 1 hour, with the reboot schedule set to 'At end of software update cycle'. The updates install, the client reboots, waits one hour and then installs any updates that could not install during the previous cycle because of OS limitations (the registry needed a refresh before more updates could install).
        • Start / End dates: Configure the dates on which the Software Update Cycle begins and ends
        • Add Schedule: Add a windowed schedule if multiple Software Update Cycles are needed
        • Note: for a manual install schedule, configure this schedule to run in the far future (e.g. the year 2030); the client will then never start the Software Update Cycle on its own.
          • Additionally, confirm the Software Update Policy is not configured to run the Software Update Cycle itself: leave all 'Package Options' disabled on the Software Update Policy so that the packages are merely deployed to the clients and wait in 'Scheduled' status until the far-future date.
      • Restart Defaults: Best practice is to reboot at the end of the Software Update Cycle, which refreshes the client's registry after the updates.
        • Note: Some Microsoft updates change the registry in a way that requires a reboot before further updates can install. A 4-hour windowed schedule with 'During window, check every' set to 1 hour handles this: the Software Update Cycle executes every hour for 4 hours and reboots at the end of each cycle.
      • Maintenance Windows:
        • Enable this setting if Maintenance Windows interfere with the Software Update Cycle.
          • Note: If Maintenance Window schedules are to start the Software Update Cycle, set the start date of this schedule far in the future (e.g. the year 2030 or later). The product is designed to run any missed schedule ASAP, so a start date in the past (e.g. the year 1985) puts this policy into a 'Run ASAP' state.
  • Notification tab:
    • The Notification Tab is outlined in detail on KM: TECH127404
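The windowed schedule described above, and the far-future versus past start-date rule, as a small simulation. This is an added example and not Symantec's code; it does not talk to the Altiris Agent. The updates, the 'after' dependency (an update that installs only once the client has rebooted after an earlier update) and the date are constructed sample data chosen to reproduce the page's reasoning.

```python
"""Windowed Software Update Cycle model (added example, not Symantec's code).

Models the Section 5 reasoning: some updates cannot install until the client
has rebooted after an earlier update, so a window that repeats the cycle hourly
and reboots at the end of each cycle finishes everything in one window, while a
single run (or a window without the end-of-cycle reboot) leaves updates pending.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

DEMO_DAY = datetime(2014, 8, 11)   # constructed date for the sample runs


@dataclass
class Update:
    name: str
    # Constructed attribute: this update installs only after the client has
    # rebooted following the install of the named update (None = no dependency).
    after: Optional[str] = None
    installed: bool = False


@dataclass
class Client:
    updates: List[Update]
    # Names of updates that had been installed before the most recent reboot.
    applied_by_reboot: Set[str] = field(default_factory=set)

    def run_update_cycle(self) -> List[str]:
        """One Software Update Cycle: install every update that is installable now."""
        installed_now = []
        for u in self.updates:
            if u.installed:
                continue
            if u.after is None or u.after in self.applied_by_reboot:
                u.installed = True
                installed_now.append(u.name)
        return installed_now

    def reboot(self) -> None:
        """Reboot 'at end of software update cycle': finalises everything installed so far."""
        self.applied_by_reboot = {u.name for u in self.updates if u.installed}

    def pending(self) -> List[str]:
        return [u.name for u in self.updates if not u.installed]


def windowed_cycle(client: Client, start: datetime, end: datetime,
                   every: timedelta, reboot_at_end: bool = True) -> List[Tuple[str, List[str]]]:
    """Run the cycle at `start` and again every `every` until `end` (inclusive).

    Returns a log of (clock time, updates installed in that pass).
    """
    log = []
    t = start
    while t <= end:
        done = client.run_update_cycle()
        log.append((t.strftime("%H:%M"), done))
        if reboot_at_end and done:
            client.reboot()
        t += every
    return log


def schedule_state(start: datetime, now: datetime) -> str:
    """The page's rule for start dates: a missed (past) start date runs ASAP."""
    return "Run ASAP" if start < now else "Scheduled"


def sample_client() -> Client:
    # Constructed sample: update-2 needs a reboot after update-1, update-3 after update-2.
    return Client([Update("update-1"),
                   Update("update-2", after="update-1"),
                   Update("update-3", after="update-2")])


def demo_window(start_hour: int, end_hour: int, every_hours: int,
                reboot_at_end: bool = True) -> Tuple[List[List[str]], List[str]]:
    """Run the sample client through a window on DEMO_DAY; returns (installed per pass, pending)."""
    c = sample_client()
    log = windowed_cycle(c, DEMO_DAY.replace(hour=start_hour), DEMO_DAY.replace(hour=end_hour),
                         timedelta(hours=every_hours), reboot_at_end)
    return [done for _, done in log], c.pending()


if __name__ == "__main__":
    passes, left = demo_window(3, 5, 1)
    print("3 AM to 5 AM, hourly, reboot at end of cycle:", passes, "pending:", left)
    passes, left = demo_window(3, 3, 1)
    print("single 3 AM run:", passes, "pending:", left)
    print("start in 1985:", schedule_state(DEMO_DAY.replace(year=1985), DEMO_DAY))
    print("start in 2030:", schedule_state(DEMO_DAY.replace(year=2030), DEMO_DAY))
```

The single-run case leaves two updates in 'Scheduled' status until the next day's cycle, which is the delay the windowed schedule avoids; the no-reboot variant shows why the reboot at the end of the cycle is part of the recommendation rather than an optional extra.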

6. Patch Remediation Center (PRC): Download Packages and Create Software Update Policies 

  • Found at Console > Actions > Software > Patch Remediation Center
    • Quick Setup:
      • Vendor > Microsoft
      • Highlight the Bulletin, right-click / Distribute Software Updates
        • This will run the 'Download Packages' process first and then run the Software Update Policy creation process
        • Target the desired filter and configure as desired
        • Enable and save policy
      • Review the rest of this section for more detailed information concerning the PRC.
         
  • Show: All Software Bulletins
  • Vendor: Select to choose which Vendor to view (e.g. Microsoft)
    • Create the Software Update Package
      • Highlight a Bulletin:
        • Right-click / Download Packages: downloads the packages for the specified Bulletin(s)
          • Advisory: Do not select too many bulletins to download at once. The PRC downloads each in turn and may time out, and any further action taken after the download is queued behind it rather than running immediately. Staging one month's released updates at a time is generally safe.
        • Right-click / Disable: optional; disables the Bulletin and disconnects it from the PRC
        • Right-click / Recreate Packages: recreates the packages to clear any stale codebase
    • Creating the Software Update Policy to deploy the packages
      • Right-click / Distribute Software Updates:
        • Name: Set a custom name or leave the default Bulletin name
        • Software Bulletins and Updates: Displays Bulletin and Update list associated
        • Package Options: Set the Software Update Cycle to execute as soon as possible or on a schedule
          • Advisory: It is best to schedule the Software Update Cycle through the Default Software Update Plug-in Policy, so there are no scheduling conflicts, as outlined on KM: TECH41865
            • The Software Update Policy then merely deploys the Software Update Package and holds it on the client in 'Scheduled' status.
        • Override Maintenance Windows settings: May be used to override Maintenance Window settings, but keep in mind that the rebooting is part of the core schedule from the Default Software Update Plug-in Policy as outlined in KM: TECH164464 
        • Apply to Computers: Ensure the targeted filter is one that requires the listed Bulletin / Updates.
        • To enable: select the On/Off in the upper right-hand corner and then Next > Distribute Software Updates.
        • Caution: Software Update Policies with too many software updates may time out when saving changes. The limit is around 50 updates; keep in mind that each Bulletin holds multiple updates. Best practice is to limit a Software Update Policy to the Bulletins released in a single month while staying under that limit.
          • This is detailed further in KM: HOWTO95202
          • Note: If a policy holds too many updates to be saved or deleted, see the resolution on KM: TECH122266
        • Warning: Never delete a Software Update Policy without first disabling it long enough for all targeted clients to receive the change in policy status. Create a sub folder in the tree for old policies and store them there for deletion at a later time.
        • Advisory: The Patch plug-in relies on the Altiris Agent's Update Configuration interval to receive new tasks / policies and changes to them. The default interval is every 1 hour; keep this in mind when scheduling the Software Update Cycle.
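The policy-size caution above, turned into a planning helper. This is an added example, not Symantec's code and not the PRC wizard: it groups staged bulletins by release month, keeps each policy under the roughly 50-update limit, and (an assumption the article does not spell out) splits a month into numbered policies when one would not fit. Bulletin IDs and update counts are constructed sample data.

```python
"""Plan Software Update Policies from staged bulletins (added example, not Symantec's code).

Applies the Section 6 caution: a Software Update Policy should stay around 50
updates and each Bulletin carries several updates, so bulletins are grouped by
release month, kept in release order, and a month that exceeds the cap is split
into numbered policies (the split is an assumption of this example).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

MAX_UPDATES_PER_POLICY = 50   # approximate limit stated in the article

Bulletin = Tuple[str, str, int]   # (bulletin id, release month 'YYYY-MM', update count)


def plan_policies(bulletins: Iterable[Bulletin],
                  max_updates: int = MAX_UPDATES_PER_POLICY) -> List[Dict]:
    """Group bulletins into policies of at most `max_updates` updates per month.

    Bulletins are never split across policies, so a single bulletin larger than
    the cap gets a policy of its own and is flagged 'oversized' for the admin to
    handle by hand (see the KM references above).
    """
    by_month: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for bid, month, count in bulletins:
        if count <= 0:
            raise ValueError(f"{bid}: update count must be positive")
        by_month[month].append((bid, count))

    policies = []
    for month in sorted(by_month):
        batch, total, part = [], 0, 1
        for bid, count in by_month[month]:
            # Close the current policy when adding this bulletin would exceed the cap.
            if batch and total + count > max_updates:
                policies.append(_policy(month, part, batch, total, max_updates))
                batch, total, part = [], 0, part + 1
            batch.append(bid)
            total += count
        policies.append(_policy(month, part, batch, total, max_updates))
    return policies


def _policy(month: str, part: int, batch: List[str], total: int, max_updates: int) -> Dict:
    return {
        "name": f"{month} Windows updates, policy {part}",
        "bulletins": list(batch),
        "updates": total,
        "oversized": total > max_updates,   # may not save reliably; split by hand
    }


# Constructed sample: three July and three August bulletins with update counts.
SAMPLE_BULLETINS = [
    ("SAMPLE-01", "2014-07", 12),
    ("SAMPLE-02", "2014-07", 30),
    ("SAMPLE-03", "2014-07", 20),
    ("SAMPLE-04", "2014-08", 45),
    ("SAMPLE-05", "2014-08", 8),
    ("SAMPLE-06", "2014-08", 60),
]

if __name__ == "__main__":
    for p in plan_policies(SAMPLE_BULLETINS):
        flag = " (OVERSIZED: split this bulletin's updates by hand)" if p["oversized"] else ""
        print(f'{p["name"]}: {p["updates"]} updates from {p["bulletins"]}{flag}')
```

The packing is first-fit in release order on purpose: it keeps each policy's bulletins contiguous in time, which is easier to reason about when a policy later has to be disabled and retired as the Warning above describes, even though a smarter packing could sometimes produce fewer policies.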


7. Package Storage and Replication:

  • Found at Console > Settings > All Settings > Software > Patch Management > Windows Settings > Windows Patch Remediation Settings:
    • Quick Setup:
      • Target: Configure one filter, and ensure it targets at least one client resource as detailed on KM: HOWTO79488
      • Policy and Package Settings tab > Package Distribution: Best practice is 'All Package Servers' or 'Package Servers Individually' with the servers to be used enabled.
        • Advisory: Changing these settings runs the Check Software Update Package Integrity job, which refreshes ALL Software Update Packages.
      • Review the rest of this section for more detailed information concerning the Package Storage and Replication settings.
         
  • Windows Patch Remediation Settings (Microsoft Vendor Policy):
    • Software Update Options tab:
      • Patch Filter Update Interval: Sets the interval at which the NS.Microsoft scheduled task runs. This task updates the Patch intersect filters and the targeted filters for Patch Policies.
        • Runs every 30 minutes by default; increase it only for heavy management loads of over 8k nodes, or if the SMP is under heavy load while this scheduled task runs
      • The Default Resource Target used by the Software Update Policy Wizard: Change the targeted filter to automatically change the filter that is set in place when creating Software Update Policies through the PRC.
    • Policy and Package Settings tab:
      • Delete Packages After: Deletes a package from the client after it has been unused for the configured number of days.
        • Note: If set to 0 days, the package is deleted immediately and will most likely fail to run during the Software Update Cycle.
      • Use multicast when the SMA multicast option is enabled: Allows clients to download packages from other clients.
        • Note: May increase bandwidth usage in larger environments (10K+ clients)
      • Package Distribution: Best practice setting is 'All Package Servers' or 'Package Servers Individually' and enable the ones to be used.
        • Use Alternate download location on Package Server: Enable and input the file structure to be used for storing Software Update Packages on Package Servers.
        • Use Alternate download location on Clients: Enable and input the file structure to be used for storing Software Update Packages on the clients.
      • Advisory: Changing these settings will execute the Check Software Update Package Integrity job and that will run a refresh of ALL Software Update Packages.
  • Programs tab:
    • Program Defaults:
      • Terminate after: Best practice setting is 4 hours.
      • Run with rights: Best practice setting is System Account
      • Program can run: Best Practice setting is Whether or not a user is logged on
    • Agent Events:
      • Send package events: Enable to provide more data concerning the package events for the agent
      • Send status events: Enable to provide more data concerning the status events for the agent
        • Note: These 'Send Event' settings generate more inventory data and therefore consume more resources: bandwidth and processing on the Management Server.
  • Core Services: 
    • Locations tab:
      • To Location: Sets the file structure in which Software Update Packages are stored on the Management Server
      • Download from staging location: Points Software Update Package downloads at a shared file structure, used when configuring a DMZ Management Server
    • Custom Severity tab:
      • Severity Level: Add and adjust custom severities to view in the PRC
           

8. Reporting Compliance for Patch Management:

  • Found on the Console > Reports > All Reports > Software > Patch Management > Compliance
  • Run the Windows Compliance by Bulletin, Computer or Update reports to see which applicable updates are missing (the vulnerabilities) in the environment.
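The three compliance roll-ups above, computed over a constructed sample of assessment data. This is an added example and not Symantec's report queries; it assumes the Windows System Assessment Scan has produced, per computer, the set of applicable updates and whether each is installed, and it treats a computer or bulletin with nothing applicable as compliant (an assumption of this example). Bulletin and update names are made up.

```python
"""Compliance roll-ups in the shape of the Windows Compliance by Bulletin,
Computer and Update reports (added example, not Symantec's report queries).

An update that does not apply to a computer is not counted at all, so
compliance is installed / applicable, and 'vulnerable' means at least one
applicable update from the bulletin is missing on that computer.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: update -> bulletin it belongs to.
UPDATE_TO_BULLETIN = {
    "upd-1": "BULLETIN-A", "upd-2": "BULLETIN-A",
    "upd-3": "BULLETIN-B", "upd-4": "BULLETIN-B",
}

# Constructed sample assessment: computer -> {applicable update: installed?}
ASSESSMENT = {
    "ws01":  {"upd-1": True,  "upd-2": True,  "upd-3": False},
    "ws02":  {"upd-1": True,  "upd-3": False, "upd-4": False},
    "srv01": {"upd-2": True,  "upd-4": True},
}


def _pct(installed: int, applicable: int) -> float:
    # Assumption of this example: nothing applicable counts as fully compliant.
    return round(100.0 * installed / applicable, 1) if applicable else 100.0


def compliance_by_computer(assessment: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Percent of applicable updates installed on each computer."""
    return {c: _pct(sum(v.values()), len(v)) for c, v in assessment.items()}


def compliance_by_update(assessment: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Percent of computers that need each update and have it installed."""
    applicable, installed = defaultdict(int), defaultdict(int)
    for results in assessment.values():
        for upd, ok in results.items():
            applicable[upd] += 1
            installed[upd] += int(ok)
    return {u: _pct(installed[u], applicable[u]) for u in sorted(applicable)}


def compliance_by_bulletin(assessment: Dict[str, Dict[str, bool]],
                           update_to_bulletin: Dict[str, str]) -> Dict[str, float]:
    """Percent of applicable (computer, update) pairs installed, rolled up per bulletin.

    A bulletin with two applicable updates on one computer contributes two to
    the denominator, the same counting rule as the per-update report.
    """
    applicable, installed = defaultdict(int), defaultdict(int)
    for results in assessment.values():
        for upd, ok in results.items():
            b = update_to_bulletin[upd]
            applicable[b] += 1
            installed[b] += int(ok)
    return {b: _pct(installed[b], applicable[b]) for b in sorted(applicable)}


def vulnerable_computers(assessment: Dict[str, Dict[str, bool]],
                         update_to_bulletin: Dict[str, str], bulletin: str) -> List[str]:
    """Computers missing at least one applicable update from `bulletin`."""
    return sorted(c for c, results in assessment.items()
                  if any(not ok and update_to_bulletin[u] == bulletin
                         for u, ok in results.items()))


if __name__ == "__main__":
    print("by computer:", compliance_by_computer(ASSESSMENT))
    print("by update:  ", compliance_by_update(ASSESSMENT))
    print("by bulletin:", compliance_by_bulletin(ASSESSMENT, UPDATE_TO_BULLETIN))
    print("vulnerable to BULLETIN-B:",
          vulnerable_computers(ASSESSMENT, UPDATE_TO_BULLETIN, "BULLETIN-B"))
```

The by-computer and by-bulletin views answer different questions: the first tells you which hosts to chase, the second which policies from Section 6 are not reaching their targets. A bulletin that reports low compliance while the per-computer view looks healthy usually means its Software Update Policy targets the wrong filter, which is the check called for in 'Apply to Computers' above.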

CAUTION:

  • Always TEST in lab environment before deploying in production!




