
Symantec Management Platform 7.1 - Installation and Setup of Patch Management Solution Outline

Created: 12 Dec 2011 • Updated: 12 Dec 2011
wmheid@armc.org's picture

As stated in the title, this is an outline.  Following it should get you up and running on Patch Management Solution 7.1 with minimal time and effort.  It compiles what I learned from the Manual, the Release Notes, Symantec Connect, and working with Technical Support.  Most steps can be performed from a workstation by connecting to the console; however, I found that some of the screens and dialogs vary slightly when I am not directly on my PMS Server.  I tried to note this where appropriate, but it is likely best to perform these steps on the server itself.

You are encouraged to read through this entire article before beginning your implementation.  I also encourage you to consult the Bibliography at the end of this document as well as this HOWTO Article:

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO56242

  1. Install or Upgrade Patch Management Solution using Symantec Installation Manager – PMS 7.1 Manual, Page 19

Ensure that your annual upgrade protection is current

Start>All Programs>Symantec>Symantec Installation Manager>Symantec Installation Manager

    1. Select Add/Update Licenses in the upper left corner.
    2. Make sure your node count is sufficient for the number of computers you intend to patch.

  2. Install or upgrade the Symantec Management Agent on your computers

Actions>Agents/Plug-Ins>Push Symantec Management Agent

    1. Edit or add computers to the list as appropriate.  These can be added manually or via the “Scheduled Push to Computers” at the bottom of the screen.
    2. If you need to exclude computers, make sure to edit the schedule before you enable it.
    3. You can also access the Agent Install Status Report from this screen which is normally located at: Reports>All Reports>Notification Server Management>Agent>Agent Installation Status

  3. Install the Patch Management Solution Plug-in – PMS 7.1 Manual, Page 24 – HOWTO55937

Settings>Agents/Plug Ins>All Agents/Plug-Ins>Software>Patch Management>Software Update Plug-In Install

or

Actions >Agents/Plug Ins>Rollout Agents/Plug-Ins>Software>Patch Management>Software Update Plug-In Install

    1. Create a schedule that is appropriate to your environment.
    2. Turn on the Policy and save changes.

Note: Once the plug-in is successfully installed on a client, there will be a Software Updates Tab on the Client.

  4. You only need to perform this step if you are upgrading from a previous version.

Actions>Agents/Plug Ins>Rollout Agents/Plug Ins>Software>Patch Management>Software Update Plug-in Upgrade

    1. Make any changes that you deem necessary.
    2. Create a schedule to fit your environment.
    3. Turn on the Policy and save changes.

  5. Patch Management Core Settings – PMS 7.1 Manual, Page 30 – HOWTO59928

Settings>All Settings>Software>Patch Management>Core Services

    1. Make any necessary changes to the location where the patches will be stored.
    2. Create and assign custom severity levels as necessary – PMS 7.1 Manual, Page 30
      1. Click the Custom Severity level tab.
      2. In the Severity Level box, type the name you want to give the severity level. For example, “Install right away.”
      3. Click Add
      4. Click “Move up” or “Move Down” to position the severity level in the list.
      5. Click Save Changes

  6. Configure the Vendor Settings for Microsoft – PMS 7.1 Manual, Page 31

Settings>All Settings>Software>Patch Management>Windows Settings>Windows Patch Remediation Settings

Note: Parameters are described in the PMS Manual on Page 33 or HOWTO56242

    1. Software Update Options Tab
      1. Set this according to your environment.
    2. Policy and Package Settings Tab
      1. Delete Packages after 1 year
      2. Set the Use Multicast check box appropriately for your environment.
    3. Programs Tab
      1. Use the default settings.

  7. Configure the Default Software Updates Plug-in Policy – PMS 7.1 Manual, Page 31 – HOWTO59957

Settings>Agents/Plug Ins>All Agents/Plug-Ins>Software>Patch Management>Windows>Default Software Update Plug-in Policy

    1. Installation Schedules Tab
      1. Repeat Weekly on Wednesday at 3 a.m.
      2. Clear – Allow user to run
      3. Allow Restart at the end of the Update Cycle - It is a Symantec best practice to reboot at the end of the update cycle.
    2. Notification Tab
      1. Software Update installation notification - Notify User: 15 minutes
      2. Show pending message for 5 minutes
      3. Show reminder message – repeat daily every 2 hours.
      4. Allow user to defer for 30 minutes

  8. Inventory Vulnerabilities Checking Interval Configuration – PMS 7.1 Manual, Page 32 – HOWTO55950

Settings>All Settings>Software>Patch Management>Windows System Assessment Scan

    1. If network traffic is a concern for you, then check the box – Send Inventory results only if changed
    2. Turn on the Policy and save the changes.

Settings>All Settings>Software>Patch Management>Windows Settings>Windows Patch Remediation Settings

    1. Software Update Options Tab - Leave this set to the defaults.
    2. Policy and Package Settings Tab
      1. Change Delete Packages to a period of 1 year.  If disk storage space is an issue, lower this setting accordingly.
    3. Programs Tab - Leave this set to defaults.
    4. Click Save Changes

  9. Download the Updates Catalog – PMS 7.1 Manual, Page 40 - HOWTO55925 and HOWTO56242

Manage>Jobs and Tasks>System Jobs and Tasks>Software>Patch Management>Import Patch Data for Windows

Make setting changes as follows:

    1. Patch Management Import Settings Heading
      1. Check the Incremental Import box
        1. If enabled, this will download the modified components for the selected vendors.
        2. If disabled, this will force a complete patch management import download for the selected vendors.  This option is useful for troubleshooting.
    2. General Heading
      1. Leave the default location set as is.
        1. If you're using a DMZ, you will need to change this setting to an alternate location.
      2. Check the box to automatically Revise Software Update policies after importing patch data.
      3. Check the box to Disable all superseded Software Updates
        1. If this is enabled, it disables all superseded software updates and removes them from the patch management import.  This helps clean up patch rules.
    3. Under Vendors and Software Heading, import the data as appropriate:
      1. Adobe
      2. Google
      3. Mozilla
      4. Microsoft
      5. Click Update to update the vendors and software list
    4. Under the Task Status Heading:
      1. Click New Schedule
      2. Select Now and then click Schedule to run the import immediately.
      3. To configure a schedule for downloading the software updates catalog on a regular basis:
        1. Click New Schedule
        2. Incremental updates should run daily at 3 a.m. – HOWTO55925
        3. Click Schedule to set the schedule.

  10. Download the Software Updates – This will need to be done on the actual server and not a Workstation.  The columns displayed are different between the two.

Actions>Software>Patch Remediation Center

    1. In the right pane, select Windows Compliance by Bulletin in the drop-down box.
    2. Click Refresh - This will allow you to see which updates the target computers require
    3. Select the bulletins that you want to download
    4. Right-click the selected bulletin and then click Download Packages

  11. Assign custom severity levels to software bulletins

Actions>Software>Patch Remediation Center (This page can take a long time to load.)

    1. Right-Click on a Bulletin
    2. Select Custom Severity
    3. Select the Severity Level
    4. Click Refresh to Refresh the Screen

  12. Check the integrity of the Software Packages - PMS 7.1 Manual, Page 42

Manage>Jobs and Tasks>System Jobs and Tasks>Software>Patch Management>Check Software Update Package Integrity

    1. Check the “Delete the updates that are no longer in use from the file system” box.
    2. Create a new schedule to run daily at 4 a.m.

  13. To view the status of a software bulletin download - PMS 7.1 Manual, Page 48.

Manage>Jobs and Tasks>System Jobs and Tasks>Software>Patch Management>Download Software Update Package

    1. The status will appear in the right pane.

  14. Distribute available software updates - PMS 7.1 Manual, Page 48.

Actions>Software>Patch Remediation Center

    1. In the show drop-down box, select Windows Compliance by Bulletin
    2. In the vendor drop-down box, select Microsoft

       Note: Some PMImports remove Microsoft from this list.  Symantec is aware of this and if you contact Tech Support, they can supply you a PointFix to rectify the situation.  The product works just fine without the fix, but you won’t be able to select Microsoft as a Vendor in the filter.
    3. Click Refresh
    4. Select a bulletin that you wish to Distribute
    5. Right-Click on the selected bulletin
    6. Select Distribute Packages to launch the Distribute Software Updates Wizard
    7. Expand the Package Options and make changes as needed.  For testing purposes, check the Run box and the As soon as possible option.  This will download and install the packages on your test machines in near real time.
    8. Make any required changes to your Targets under the Apply to computers option.
    9. Click Next
    10. Turn the Policy On
    11. Click Distribute Software Updates – This will create the actual update policy that you can reference and further manipulate by going to:

Actions>Software>Patch Remediation Center>Software Update Policies>Windows

  15. Various Methods to Evaluate the Results

Software Update Delivery Summary Report – PMS 7.1 Manual, Page 49 - HOWTO55943

Reports>All Reports>Software>Patch Management>Remediation Status>Windows Software Update Delivery-Details

    1. Click Refresh to update the report.

Patch Management Solution Report – Compliance – HOWTO55932, HOWTO21677

Reports>All Reports>Software>Patch Management>Compliance>

    1. Windows Compliance by Bulletin
    2. Windows Compliance by Computer
    3. Windows Compliance by Update
    4. Click Refresh to update any report.
    5. To get more information from any report:
      1. Right-Click any Update and click Resource Manager
      2. Click Save As on any report to export the data to Excel, where it is easy to sort, group, and filter.

Bibliography:

Implementing Patch Management Solution for Windows

http://www.symantec.com/business/support/index?page=content&id=HOWTO55935

Installing the software update plug-in

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO55937

Upgrading the software update plug-in

http://www.symantec.com/business/support/index?page=content&id=HOWTO55938

Configuring patch management Core Services settings:

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO55928

Configuring software updates installation settings:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55957

Configuring the system assessment scan interval:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55950

Downloading the Windows software updates catalog:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55925

Downloading and distributing software updates:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55925

Viewing the software update delivery summary report:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55943

Viewing Patch Management Solution reports:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55932

How do I configure Patch Management 7.1 SP1 for Windows:

http://www.symantec.com/business/support/index?page=content&pmv=print&impressions=&viewlocale=&id=HOWTO56242

Patch Management 7.x: How do I know which computers require which updates (Best Practices)?

http://www.symantec.com/business/support/index?page=content&id=HOWTO21677

Patch Management PointFix for Missing Vendor Policy

http://www.symantec.com/business/support/index?page=content&id=TECH164471