
Understanding How Patch Management Solution for Windows Works in Hierarchy

Created: 17 Nov 2010 • Updated: 17 Nov 2010 | 11 comments
Doug Butler's picture

Replication within a Hierarchy is not designed to be an instantaneous process; however, because of the critical nature of Microsoft patching, speed is desired for Patch replication.

This article explains some of the processes and the order they should occur in to ensure the fastest possible replication process, with respect to Patch Management Solution for Windows. 

 

| Order | Task / Process | Parent / Child | Verification Methods |
|---|---|---|---|
| 1 | Microsoft Patch Management Import - Task | Parent | Check the status of the task: Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Microsoft Patch Management Import |
| 2 | Patch Management Import Data Replication for Microsoft - Replication rule | Parent to Child | This can be monitored using the Current Replication Activity report. Keep in mind that this report does not identify which replication is running; it only shows the replication tasks that are currently running. |
| 3 | Stage the bulletins - Patch Remediation Center | Parent | Wait for the process dialog box to state that the task completed, or check the Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Download Software Update Package task to verify it has completed. |
| 4a | Site Server in the SMP Server site downloads the packages | Parent | Step 1 - Look at the UI on the Site Server and verify that the packages have been downloaded. Step 2 - Look at the Site Server in the Console and verify that the package count matches what the agent had. |
| 4b | Create the Software Update Policies - Patch Remediation Center | Parent | Wait for the wizard to complete. After going through the wizard, select the policy in the tree. There can be a delay depending on the size of the policy. |
| 4c | Add the policies to Patch Management Software Distribution Replication For Microsoft rule - Replication Rule | Parent | Save the replication rule and open it again if needed to verify that the changes were saved. |
| | Important Note: If any of the above items have not completed before the Software Distribution replication rule runs, it will need to run again. | | |
| 5 | Patch Management Software Distribution Replication For Microsoft - Replication Rule | Parent to Child | Look at the location the policies will be replicated to, and verify that they exist. * Use the Current Replication Activity report to monitor the process. Note: Only include policies that have not been previously replicated and run in Complete mode. |
| 6 | Download Software Update Package - Task | Child | View the policies; they will no longer show a message that the bulletins need to be staged, and/or look at the Download Software Update Package task. |
| 7 | Site Server downloads the packages | Child | Step 1 - Look at the UI on the Site Server and verify that the packages have been downloaded. Step 2 - Look at the Site Server in the Console and verify that the package count matches. |
| 8 | Client updates configuration and installs updates | Child | Use the Compliance and Vulnerability reports. |

Note: See the diagram to get a better feel for the flow of data
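
The ordering in the table, and the Important Note about step 5 in particular, can be checked against a planned or observed schedule. The Python below is an added example, not Symantec code or part of the original article: the timeline is constructed, and treating the Order column as a strict "earlier steps finish before later steps start" rule is an assumption of the example.

```python
from datetime import datetime

# Order column of the table; 4a, 4b and 4c share one rank. Treating the
# table order as a strict constraint is an assumption of this example.
RANK = {"1": 1, "2": 2, "3": 3, "4a": 4, "4b": 4, "4c": 4,
        "5": 5, "6": 6, "7": 7, "8": 8}

# Constructed timeline (step,start,end); not output from any real server.
# Here the Site Server (4a) is still downloading when rule 5 fires.
SAMPLE = """\
1,2010-11-17 01:00,2010-11-17 01:40
2,2010-11-17 02:00,2010-11-17 02:30
3,2010-11-17 03:00,2010-11-17 03:50
4a,2010-11-17 03:50,2010-11-17 05:10
4b,2010-11-17 04:00,2010-11-17 04:20
4c,2010-11-17 04:25,2010-11-17 04:30
5,2010-11-17 05:00,2010-11-17 05:30
6,2010-11-17 06:00,2010-11-17 06:45
"""

def parse(text):
    """Turn 'step,start,end' lines into {step: (start, end)}."""
    fmt = "%Y-%m-%d %H:%M"
    runs = {}
    for line in text.strip().splitlines():
        step, start, end = line.split(",")
        runs[step] = (datetime.strptime(start, fmt),
                      datetime.strptime(end, fmt))
    return runs

def check_order(runs):
    """Return (early, rerun_step5).

    early: (step, blocker) pairs where `step` started before a lower-ranked
    `blocker` had finished, or where the blocker never ran at all.
    rerun_step5: True when step 5 is one of those steps, the case in which
    the Software Distribution replication rule has to run again.
    """
    early = []
    for step, (start, _) in runs.items():
        for other, rank in RANK.items():
            if rank >= RANK[step]:
                continue
            if other not in runs or runs[other][1] > start:
                early.append((step, other))
    return early, any(step == "5" for step, _ in early)

if __name__ == "__main__":
    print(check_order(parse(SAMPLE)))
```
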

11 Comments

JeffDG's picture

This is the type of detail we need when designing hierarchy and replication structures.  Thanks, Doug.

fogginj's picture

I guess I should have said NS7 or NS71?  since hierarchy doesn't apply to NS6x

Doug Butler's picture

I can't believe I forgot to specify but yes it is for version 7.

English - Who needs that? I'm never going to England!

bsakata's picture

Great article...  Any way to automate step 4c?  We've completely automated this patch process from staging of bulletins to patch policy creation.  However, the only manual step we have is having to add the patch policy to the replication rule.

It seems a bit redundant to have to create the replication rule to replicate patch policies, then have to add any newly created policies to the rule.  For software managed policies you can replicate everything, etc.

Brent Sakata
mindSHIFT Technologies

gshpakov's picture

The step 4c is eliminated in Patch 7.1.

The patch policies will be replicated in the same way as other policies, e.g. managed software delivery.

Doug Butler's picture

Unfortunately there is not, the behavior will be automated in the next version but currently it must be done manually.

English - Who needs that? I'm never going to England!

99six's picture

Nice to have this for reference, thanks.

As part of the setup of PM in a hierarchy there is an initial communication from the child to the parent advising of the "PM Hierarchy Installed Culture".

In PM 7.0 if a bulletin is staged, but has no policy then the package is not replicated.. does anyone know if this behaviour changes in 7.1?

Dmitri_Gornev's picture

> does anyone know if this behaviour changes in 7.1?
there is no plan to change it for 7.1.

Robert Biesinger's picture

Hi,

for testing purposes I did create one Software Update Policy on the Parent SMP including the Bulletin/Updates related to the outlook junk email filter.

I did enable it for replication as described above, and it did replicate to the child. I was looking forward to see that the updates belonging to this policy are staged automatically.

But surprise: a large number of bulletins got marked for staging and are downloaded.

None of the colleagues did right click those bulletins for staging, nor have they been marked for staging on the parent. 

Any ideas?

Are they flagged to be staged automatically because of dependencies?

Kind regards

Robert

 

 

Robert Biesinger's picture

Hi,

btw: great article Doug.

I did forget something in my previous post:

the replicated Software Update Policy (SUP) does not allow to attach another target to it.

I am only allowed to enable or disable it. There was no option on the parent to specify that the target may be changed on the client as it is with other policies.

 

Kind regards

Robert

 
