
CMS 7.x - patch mgmt support frustrations, is it just me?

Created: 15 Nov 2012 • Updated: 17 Sep 2015 | 8 comments
My biggest frustration with Symantec/CMS is the wide variety of quality of support I get for different components of the product.  For some parts, like deployment, I usually am able to get actual product issues escalated into development within a reasonable amount of time.  
I know that patch support has gone through some transition lately, but it is still often painful.  My patching process is I look at a few baseline machines that represent my fleet and see what patches are available in win update.  Then I go to CMS and start testing available patches on those machines, then send to test group, then to the fleet.  My goal is to make those baseline machines show as few available patches as possible for Microsoft.  I don't know if others are patching the same way - seeing what's in win update and basing which bulletins to stage off of that.
Inevitably, almost every month, there's a patch that was released (or updated) by Microsoft that Win Updates says I need that is either not showing in remediation center, or it shows installed already (if it's an updated patch v2, etc) when I still need the new version.  These are usually pretty straightforward PMImport issues that IF I can get the issues escalated to 'backline' - they're usually fixed, sometimes quickly, sometimes it takes a few weeks.
My problem isn't with backline sometimes taking long (although for critical security updates, waiting a few weeks is questionable).  I understand that patch support must be very complicated.  My complaint is getting those tickets escalated is often difficult at best.  When a ticket goes in, I try to be as descriptive as possible.  I've learned to include my OS, my PMImport version, screenshots, etc.  Some of these tickets are so obviously PMImport issues, but Level 1 will come back sometimes asking me to describe the issue without any indication they read the info I put in the case, and then after going back and forth for days or weeks, asking me to run through the barrage of data collection from HOWTO60789 (which I shouldn't have to do for every patch case).  I get that they need XYZ in order to escalate, but I'm tired of every month going through the wringer.
I often ask if Support has a test environment, does the patch show for them, etc.  One time they told me 'yup works for us' and my issue was I wasn't selecting the right Microsoft data under the 'import patch data for windows' and I should check every single MS update there.  I refused, not wanting the clutter (it was an office update, I had all the office versions checked) and asked the tech to ask backline which update needed to be checked. Weeks later I got a reply that backline fixed the issue and now it works as expected without me checking anything additional in import patch data job.  It was questionable to me that it ever really was working for the tech in their test environment. 
I have 2 remaining tickets in for October win updates, and Level 1 tech assigned to the case seems to be doing his best, but seems to be getting the runaround trying to escalate the case.  He replied that backline said "If you go to Programs and Features (Add/Remove Programs) in the Control Panel. Enable see Updates, are both of these updates installed? If they are showing installed there, but Windows Update says it is not. Then something is wrong with the Windows Update tool or within those two updates themselves. That would be something Microsoft would need to address."  In control panel, I don't have the win updates installed, and win update is correct.  Really, the odds that windows update is reporting wrong and remediation center is reporting right are slim to none in my book.
Patch is the reason I chose CMS because it represented one console where I could do anything.  I totally understand that PMImport issues are going to happen, but, as a customer, I am tired of feeling like the tickets I put in are inconveniencing backline and I need to do a handstand while bouncing a ball on my feet to get them to even look into it.  I'm paying for support.  I'm helping you to make your product better because I'd estimate 9/10 patch issues I put in are PMImport issues that must affect more than me.  I don't expect anything to get fixed overnight, but I do expect to be able to feel like my ticket is in the hands of someone who understands and is working towards a resolution.
Are others getting the runaround almost every time they put a patch ticket in?  I used to have a great Sales Engineer contact at Symantec who would escalate any case I had issues with and it almost always led to a quick resolution.  He has left the company, and the replacement isn't answering my emails.  One time on the forums I was given contact info for someone else who deals with patch issues exclusively, but he has also left the company.
Any suggestions short of looking for a new PC management suite?


David Rowley


My name is David Rowley and I am the Director of the Technical Support Department. I am looking into this and will reply back to you with more information.

David Rowley

David D. Rowley

Symantec Corporation

rweiss77

Patch has also been a real pain here in our infrastructure, that is why we are still using WSUS until a lot of this gets ironed out.  I do know SP2 MP1 seems to be much more stable than previous builds according to our patch engineer. 

MichaelCiv

Patch management is proving to be a very resource intensive process in our University. I'm not sure we expected it to be as labor intensive as it is. Does anyone know if 7.5 will be making this product any easier to use?

Sally5432

@rweiss77 and @MichaelCiv

The patch product itself has worked very well for us as long as the patches are available via PMImport (however maybe relative to you our scope is small at ~500 computers).  Our problems come up when a patch isn't available weeks after release, or it isn't reporting correctly in compliance reporting and then dealing with support (which isn't always a bad experience, but sometimes is very frustrating).  

An example of a case I have open now

MSWU 661 not showing up in compliance reports, but shows in console under all software bulletins.  Windows update shows I need it.

Ticket submitted 11/6/2012 with screenshots 
11/7 Support had me stage the policy from all software bulletins, but computers didn't get it (I guess b/c Patch doesn't think I'm in need of it).  
11/8 support wanted me to make sure my inventories are running (they were, and this didn't really make sense to me since every other bulletin shows in compliance report ).  
11/9 support say they can replicate it but it's probably happening because it's a low severity update (my response is other updates with low severity show in remediation center compliance report).  
11/20 support said "I do not see them in Windows Compliance by Bulletin. Because once installed they drop out of this compliance report. " (that's just incorrect isn't it? the point of compliance reporting is to show where they are installed, they don't drop out of the report).  
Also on 11/20 support says I need Hotfix 2574819 to be eligible for 661, I replied with screenshot I have hotfix installed on our machines via a prior update.  
11/27 backline asks for 6D417916-467C-46A7-6D86D9345B61/Cache and server logs, sent over.  
11/29 Received eTrack case
12/4 I got email from support TECH200438 was created for the case for me to follow -

The tech assigned to the case is trying to help.  I understand this isn't a high priority security update, it just happens to be a case I can view the history on easily.  I feel like everything that happened between 11/7 and 11/27 probably could've been handled via one or 2 phone calls versus weeks of going back and forth which I think is the real root of frustration.  

I'd like to say this is a fluke but I have had more than a few similar experiences of cases dragging on and on trying to get them escalated.

Don't forget to mark posts as helpful if they are, and mark answers as solutions.

Ludovic Ferre

To answer the patching resource intensive process, I have created a couple of utilities posted here on Connect [1][2] to answer this need, whilst knowing the process implemented in a rough pair of .Net CLI tools will be native in 7.5.

To comment on the support experience or difficulties, I must admit that quality has gone up with regards to false positives since we switched to an OEM partnership on the Patch Assessment Scan.

It doesn't resolve all of the problems, and comes with some of its own (like, we can't check the inventory rules for Applicable and Installed updates anymore - so it's much harder to find out exactly what isn't working) however our patching product remains very strong and the support team is quite responsive - from backline up to development.



Ludovic FERRÉ
Principal Remote Product Specialist

Trigger

I can agree with all of the customer feedback above. The product is getting better, but this really needs some focus as patching is our number 1 concern re client management.

Sally5432

@ludovic - "however our patching product remains very strong and the support team is quite responsive - from backline up to development" - "quite responsive" is very relative I guess.  I still have remaining tickets opened in Oct or early Nov awaiting some sort of response from backline.

An example is I haven't been able to run a successful Adobe Flash report since October some time.  

See this thread


Ludovic Ferre

Okay, I got you there.

Unfortunately this is not an issue with our team but with our data provider that is proving difficult, but you are in touch with the Product Manager, so from our side you could not be in better hands.

Ludovic FERRÉ
Principal Remote Product Specialist