Patch Management Solution 6.2: Our Production Configuration and a Few Tips

Jul 17, 2008 12:57 PM

I wanted to share our production configuration for Altiris Patch Management Solution 6.2. The first part of the article is a quick introduction to Patch Management Solution and the second part is the actual configuration. We are using a few custom collections that can be built from inventory results.

Audience

  • IS Infrastructure Team
  • Altiris Administrators
  • Patch Management Solutions Users

Tools

  • Internet Explorer 6 or later
  • Login to the Altiris Web Console with the correct rights
  • Link to the Altiris Web Console: http://xxxx/Altiris/Console

Introduction

Altiris Patch Management Solution is part of the Altiris Notification Server infrastructure.

Altiris Patch Management Solution (Altiris PMS) lets administrators scan computers for security vulnerabilities, report on the findings, and automate the download and distribution of the required Microsoft security patches.

Administrators can review and download specific patches from Microsoft, create collections of computers that require a specific patch, and apply patches to the computers that need them.

Previous releases of Patch Management Solution (prior to 6.2) used Microsoft Baseline Security Analyzer (MBSA) as the primary means of verifying that a patch was installed. This release instead uses the results of inventory gathered by the Altiris agents installed on client PCs, together with the Microsoft Patch Management Import files, to determine whether a patch is installed.

Altiris PMS key benefits include:

  • Support for multilanguage operating systems and applications.
  • Information repository that provides detailed information on each software bulletin, such as technical details, severity ratings, and number of executables.
  • Software repository that automates downloads from the vendor website prior to distribution, without administrator intervention.
  • Patch-specific inventory for determining supported operating systems, applications and the associated service pack level, and whether a patch is installed.
  • Improved distribution wizard and targeting that automatically determines the patch installation requirements and automatically assigns client PCs to Altiris Notification Server collections based on those requirements.
  • Extensive control over installations, such as integration with QChain, reboot control, and easy selection of command-line options.
  • All updates (KBs) are grouped by bulletin, and only one update task is needed for all updates in a bulletin.

Patch Management Solution Processes

Patch Management Solution features

  • Information Repository:
    The repository provides comprehensive data on software bulletins, software updates, inventory rules, and so on.
  • Comprehensive Inventory:
    Detailed information on the operating system and installed applications, as well as inventory on software updates installations. For effective targeting during distribution, inventory results populate predefined hidden system collections based on operating system service pack levels and application versions.
  • Software Repository:
    Contains all downloaded updates. Patch Management Solution starts downloading staged updates immediately after the administrator stages them. Once all staged updates have been downloaded, they can be distributed.
  • Software Update Analysis:
    Automated evaluation of patch dependencies and automatic revision of update tasks reduces the labour requirements of patch management.
  • Simplified Distribution Tasks:
    A wizard simplifies the management of distribution policies. Instead of creating a task for each individual software update, administrators create a single policy for the software bulletin. Example: if there are 3 software bulletins with 7 software updates in total, administrators only have to manage 3 distribution tasks. Also, most software bulletins have software updates for different operating system versions and the languages associated with them.
  • Recovery Solution Integration:
    After Altiris Recovery Solution is installed, Patch Management Solution provides an agent option to automatically create a snapshot prior to software update installations. This allows for roll back when a software update causes problems.

Patch Management Solution Overview

This section gives a brief overview of Patch Management Solution and how it uses the inventory it gathers to create Software Update packages.

After the administrator creates Software Update tasks, the associated packages are sent to managed computers and the appropriate Software Update programs are installed.

A. Collections are automatically created from inventory

As part of the deployment of the Software Update Agent, the Inventory Rule Agent gets installed on managed computers and sends back inventory specifically needed for managing software updates. Inventory includes software vendor, software release, and service pack information.

From this inventory, Patch Management Solution creates specific collections that target only the computers to which an individual software update should go. These are hidden system collections, created when the software bulletins that reference them are staged; each contains the computers to which the software update is applicable.

B. Software bulletin information needs to be downloaded

After Patch Management Solution is installed, the administrator decides when to download software bulletin information from the Altiris website. This information includes the severity of each software bulletin as well as details of its software updates and where they can be downloaded from Microsoft. It also includes the rules for creating collections and the rules for verifying that a software update is installed.

Note: Notification Server needs an internet connection on ports 80 and 443 to download the Microsoft Patch Management Import files (pmimport.cab and pmimportsup.cab, hosted on the Altiris site www.solutionsam.com) that contain the software bulletin information, and the update executables themselves from the Microsoft website. If outbound access goes through a proxy, both hosts must be allowed; the exact locations are listed under Microsoft Settings below.

C. Administrator stages software bulletins to download software updates and create packages.

When the administrator stages a software bulletin, each associated software update executable is automatically downloaded from Microsoft. The administrator can then create a Software Update task for each software bulletin that needs to be deployed. From the information in the software bulletin, Patch Management Solution creates a Software Update package for each software update. Each software bulletin has one or more software updates; every software update applies to one software release/service pack combination and has a Software Installation Type.

D. Administrator creates Software Update tasks to deploy downloaded software updates

Software Update tasks are created using the Software Update Task Wizard. They use the associations created from the inventory received from the Inventory Rule Agent to select the collections to which the software updates should go.

When the administrator creates a Software Update task, one or more programs are automatically created and attached to the Software Update package associated with the software update. When a managed computer receives the Software Update task, it first verifies that the software update is needed, then downloads the Software Update package and launches the required program, which installs the software update.

To save network bandwidth, the agent verifies that the software update is needed before downloading it. The software update may already be present for several reasons (for example, another process rolled it out). If it is already installed, it is not downloaded and reinstalled.

At a set interval, the Software Update task is re-evaluated and, if needed, the update is reinstalled.

Example: if some operation removes a software update, it will be reinstalled at the next evaluation.
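The agent cycle in sections A to D, written out as an added example in Python; this is not part of the original article and not Altiris code. It models the hidden per-update collections built from inventory, the custom severity levels used for approval (Approved, Denied, Review, Fully SS), the installed check that keeps the agent from downloading an update that is already present, and the periodic re-evaluation that reinstalls an update something removed. The real installed checks are the inventory rules shipped in pmimport.cab; here they are replaced by a file-version comparison, which is an assumption for illustration. All bulletin IDs, KB numbers, file versions and computer names are constructed placeholders.

```python
"""Model of the Software Update Agent decision cycle described in sections A-D.

Added example, not Altiris code: the rule format, bulletin IDs, KB numbers,
file versions and computers below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoftwareUpdate:
    """One update in a bulletin; applies to a single OS/service pack/language.
    The installed check is modelled as a file-version rule (a constructed
    stand-in for the inventory rules shipped in pmimport.cab)."""
    kb: str
    os_name: str
    service_pack: int
    language: str
    check_file: str
    min_version: tuple


@dataclass
class Bulletin:
    bulletin_id: str
    custom_severity: str   # Approved / Denied / Review / Fully SS (see Global Settings)
    updates: list


@dataclass
class Inventory:
    """What the Inventory Rule Agent reports for one managed computer."""
    computer: str
    os_name: str
    service_pack: int
    language: str
    file_versions: dict
    installed_kbs: set = field(default_factory=set)


def applicable(update, inv):
    """Membership test for the hidden per-update collection (section A)."""
    return (update.os_name == inv.os_name
            and update.service_pack == inv.service_pack
            and update.language == inv.language)


def installed(update, inv):
    """Patch-specific inventory check: present if the KB was recorded or the
    checked file is already at or above the version the update ships."""
    if update.kb in inv.installed_kbs:
        return True
    version = inv.file_versions.get(update.check_file)
    return version is not None and version >= update.min_version


def hidden_collections(bulletins, fleet):
    """KB -> sorted list of computers the update is applicable to."""
    return {u.kb: sorted(i.computer for i in fleet if applicable(u, i))
            for b in bulletins for u in b.updates}


def needed_updates(bulletins, inv):
    """KBs the agent would install now: only bulletins marked Approved
    (Denied, Review and Fully SS are skipped), applicable and not installed."""
    return [u.kb for b in bulletins if b.custom_severity == "Approved"
            for u in b.updates if applicable(u, inv) and not installed(u, inv)]


def agent_cycle(bulletins, inv):
    """One evaluation interval (section D). Installs what is needed and
    returns those KBs; an empty list means nothing was downloaded."""
    todo = needed_updates(bulletins, inv)
    for b in bulletins:
        for u in b.updates:
            if u.kb in todo:
                inv.installed_kbs.add(u.kb)
                inv.file_versions[u.check_file] = u.min_version
    return todo


# Constructed bulletins: IDs and KB numbers are placeholders, not real ones.
BULLETINS = [
    Bulletin("BULLETIN-A", "Approved", [
        SoftwareUpdate("KB0000101", "Windows XP", 2, "EN", "ntdll.dll", (5, 1, 2600, 3100)),
        SoftwareUpdate("KB0000102", "Windows XP", 3, "EN", "ntdll.dll", (5, 1, 2600, 5600)),
    ]),
    Bulletin("BULLETIN-B", "Fully SS", [   # superseded by A: never deployed
        SoftwareUpdate("KB0000201", "Windows XP", 2, "EN", "ntdll.dll", (5, 1, 2600, 3000)),
    ]),
    Bulletin("BULLETIN-C", "Review", [     # not yet approved by the committee
        SoftwareUpdate("KB0000301", "Windows XP", 3, "EN", "mshtml.dll", (6, 0, 2900, 5600)),
    ]),
]


def sample_fleet():
    """Three constructed XP machines; the third was patched outside Altiris."""
    return [
        Inventory("PC-XP-SP2", "Windows XP", 2, "EN", {"ntdll.dll": (5, 1, 2600, 2180)}),
        Inventory("PC-XP-SP3", "Windows XP", 3, "EN", {"ntdll.dll": (5, 1, 2600, 5512),
                                                        "mshtml.dll": (6, 0, 2900, 5512)}),
        Inventory("PC-XP-SP3-PREPATCHED", "Windows XP", 3, "EN", {"ntdll.dll": (5, 1, 2600, 5700)}),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    print("hidden collections:", hidden_collections(BULLETINS, fleet))
    pc = fleet[1]
    print("cycle 1:", agent_cycle(BULLETINS, pc))   # installs KB0000102
    print("cycle 2:", agent_cycle(BULLETINS, pc))   # nothing: already installed
    pc.installed_kbs.discard("KB0000102")           # something rolled the update back
    pc.file_versions["ntdll.dll"] = (5, 1, 2600, 5512)
    print("cycle 3:", agent_cycle(BULLETINS, pc))   # reinstalled
```

The third machine never enters a download: its ntdll.dll is already above the version the update ships, so the installed check succeeds even though Altiris never deployed the KB, which is the situation the console later reports as "installed by user". Note also that the bulletin marked Fully SS is skipped entirely, so a superseded update is never pushed even to machines it would apply to.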

Prerequisites on the Network

  • Notification Server 6.0 SP3 R2 or later
  • Altiris Console 6.5
  • The Patch Management agent is installed during the initial installation of the Altiris agents on client PCs, or may be deployed to managed client PCs from NS at any later time.

Altiris PMS 6.2 SP1 Configuration

Altiris Console 6.5 is recommended for working with Altiris PMS 6.2, and this document assumes it. For detailed information on each option, refer to Patch Management Solution 6.2 SP1 for Windows Help.pdf.

All settings below show our current production settings with a brief description.

Start Altiris Console 6.5 and go to View => Solutions => Patch Management

Configuration

Server Settings

Global Settings:

  • Patch Management Core Solution
    • General
      Current: English language only; no products are excluded.
    • Custom Severity:
      All custom severity levels are created here.
      Current: Approved, Denied, Review, Fully SS (fully superseded). These levels are used when approving updates.
  • Download Software Update Packages:
    Sets the location on Notification Server for downloaded updates.
  • Revise Software Update Tasks:
    Used for revising software update tasks when an update has been changed or superseded.

Microsoft Settings:

  • Download QChain:
    Sets the location of QChain on the Microsoft website and the download schedule.

    Location:
    http://download.microsoft.com/download/9/5/2/952ac356-53cb-43a2-9c85-54b1262fca2c/Q815062_W2K_spl_X86_EN.exe

  • Microsoft
    Here you set the update interval for the Patch Management target collections; we have it at 60 minutes. You also specify how updates are installed on the client PCs.
  • Microsoft Patch Management Import:
    Sets the location of pmimport.cab on the Altiris website and the download schedule.

    Location:
    http://www.solutionsam.com/imports/6_2/patch/microsoft/pmimport.cab

  • Microsoft Patch Management Import - Supplementary:
    Sets the location of pmimportsup.cab on the Altiris website and the download schedule. pmimportsup.cab contains information about updates not included in pmimport.cab.

    Location:
    http://www.solutionsam.com/imports/6_2/patch/microsoft/supp/pmimportsup.cab

    Currently we are running the supplementary import manually on a monthly basis.

Windows

  • Software Inventory
    Sets the default inventory schedules for Patch Management; this is the inventory of all updates on the client PC.
    Current: Leave the default settings (send a delta of the inventory every 4 hours) for all policies except the Default Microsoft Vulnerability Analysis Policy, which is set to 30 minutes, sending only if changed.
  • Software Update Agent Configuration
    Sets the Software Update Agent configuration and how updates are applied.
    Please note that the collections used for agent configuration and the collections to which update tasks are applied are completely different.

    We have two configurations: desktops and laptops.
    Desktops Software Update Agent Configuration Policy
    Includes all desktops with Windows XP and all Altiris agents.

    Laptops Software Update Agent Configuration Policy
    Includes all laptops with Windows XP and all Altiris agents.

    The Default Software Update Agent Configuration Policy has the same settings.

  • Our Software Update Agent Install
    We install the Software Update Agent in a few steps: as part of the initial NS agent and additional agents installation, and then to any PCs still missing it.

Collections for Software Update Tasks

These collections are used for deploying updates with Altiris PMS. They are used only for the actual update tasks and NOT for agent configuration.

  • 01. Test Group - Contains test PCs. The list of PCs and users is agreed by the Patch Management committee.
  • 02. All client PCs to which updates are deployed with PMS.

NB: Altiris PMS cannot push updates immediately to newly imaged PCs. After the NS Agent is installed, a PC needs a few hours to install all additional agents and run all initial inventories before all solutions can start working. In our production environment all approved updates are installed the next day. There is a potential risk of machines being without updates for up to 24 hours; we are accepting it and need to monitor newly built PCs to make a final decision.

Updates: Approve, Stage, Deploy

Please refer to How to use Patch Management Solution 6.2 to deploy Microsoft Updates.

Comments

Jul 13, 2011 07:11 AM

Hi guys
I just wanted to tell you that Patch Management 6.2 (latest version) works with Windows 7 x86 and deploys patches in the same way it deploys them to Windows XP based machines.
 

Jun 23, 2010 07:55 AM

'Installed by User' means that the bulletin was already installed manually or in some other way than through Altiris.
From my experience and understanding, this is just to mark that, in the case of any further problems, Altiris has nothing to do with it.

Regards,
Piotr

Apr 27, 2010 03:29 PM

Some of our clients are not getting patches installed; actually, they never got them installed from the beginning.

When I look at the settings in Symantec Management Agent, Task Server is blank.

Thanks

Apr 21, 2010 12:58 PM


We are about to start pushing out Windows updates to clients using Symantec Management Console. I was able to create a policy and push it out to the client using Patch Remediation Center. But when I look into the client PCs in Symantec Management Agent / Settings / Software Updates, I can see the policies are listed; some say "installed" and some say "installed by user". I really don't understand what they are talking about and how to read all of this information. Is there any article or URL where I can get some help about how to read this information?
Thanks
 
