
Compliance Report Not Updating

Created: 28 Aug 2010 • Updated: 01 Oct 2010 | 5 comments
This issue has been solved. See solution.

Hello all,

My compliance reports tend to show computers that are vulnerable but when I go on the computer, I see that they've been updated and in some cases it's days ago.  My understanding is that "Inventory Rule Agent" is what is used to find out what the computer still needs in terms of updates.  I don't see it as an available package...Wondering how I can go about getting these reports updated.

Plus not all but the majority of these computers are ones that aren't on too often.  Some are laptops that are spares, so I'll boot them up, force to update any new configs and manually run the Software Update Agent.  After I'm done I used to reboot and then go back in and force a basic inventory update back to the server but now I don't think that sends patch inventory.

Any help would be greatly appreciated.  I'm running Patch for Windows version 6.2.3644.  My Default OS Inventory Policy is set to "Always Update" and at every 4 hours.


buzz's picture

Correct, the basic inventory will not send the patch inventory.   

If you check the software updates tab on the agent, is that confirming your patch status?

If so,

1) What does the queue look like on the system?  What I've found with inactive systems is they have a lot of inventory to report and, if they are only on for a short window, it cannot get everything uploaded.  Older equipment or low bandwidth will make this worse.

2) Do you have duplicate machines in your database?  The unupdated systems on the report may be orphaned and patch status is updating to a duplicate.

pstuart's picture

The computers have all been updated.  I generally boot them up and force a software update cycle.  Once all updates have been applied, I'll reboot and send the basic inventory...but yeah that doesn't seem to do the trick.

When you say queue...which queue are you talking about??  If you're talking about the software update queue on the clients they are all current and all updates have been applied.

Ideally...I'd like to boot up these computers...login...and force a software update cycle.  Once all patches are done, I'd like to send some kind of patch inventory back to the server so I can then shut these computers down and expect their results to show up on the compliance reports.

I've just tried running the patch inventory on the RAAD tool for one of the laptops and that seems to get the data back to the server, but I was hoping for some executable on the laptop itself that I can run.  This way I don't have to go back and forth between the laptop and my computer running RAAD.

I had a duplicate computer in the past but was able to get rid of it using one of the tools in Altiris..I forget which one.  But these others that aren't updating the compliance report do not have duplicates.

buzz's picture

I found this.  Looks like it will suit your needs.

AexPatchUtil.exe is a command line utility that provides the ability to execute the following.

 

 /I  Run All Inventory
 /Xa  Start Software Update Cycle
 /f  Forces the installation of one or more software updates, for example: aexpatchutil /f (4E2A75A9-F685-4E80-BBBF-0DE7156818DD)
 /reboot  reboot only if the Software Update Agent requires a reboot
 /C  Prompts the Altiris Agent to request a new configuration
 /q  Run in quiet mode. No user input required.
 /?  Usage Screen

 

Note:  The /f switch is capable of taking a list of guids separated with a space and enclosed in parentheses.  The guid that is used with the /f switch can be located in many ways but one location is the Resource tab> Resources> Software Management> Software Patch Packages> Software Updates> Security Updates, then right click the desired update and view the Properties to obtain the guid.

When AexPatchUtil executes it simply kicks off the desired action then closes and allows the process to complete on its own.  The two codes that are returned by the utility only indicate if it was able to successfully launch the command, not that it completed successfully.  For example AexPatchUtil may return a 1 for a success when initiating a software update cycle and the software update cycle could still fail.

1 = Success
0 = Failure

By default it is placed on computers running the Software Update Agent, in the following location: <Install dir>:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent.

SOLUTION
buzz's picture

Also, regarding the queue.

The Altiris Agent generates an event for everything and puts it in a subfolder of C:\Program Files\Altiris\Altiris Agent\Queue coinciding with your server name.  If the server is up and you have connection to it, then the events are delivered in short order.

In our case, swap computers and various other inactive computers are fully powered on but lacking a network connection.  They generate days, weeks or months of events.  When they are reattached to the network, they get and run new policies but any inventory or status of such events takes its place at the end of the queue.  Because it's a laptop with an aggressive sleep timeout, the system suspends before the queue empties.

pstuart's picture

Many thanks on finding that AeXpatchUtil documentation.  Seems to work like a charm!  Worked for one laptop but not the other....I go into that Queue folder for the 2nd laptop and there are tons of nse files....a couple go away but more keep coming back.  I think it was doing inventory so it wasn't really going down....but now as I'm typing it seems it's going down so I should expect the report to get updated.  I might also run that compliance scheduled task just in case.

 Anyhow thanks again for the documentation and the clarification on the queue folder.  I wasn't aware of it and it totally makes sense in the environment...especially with computers who aren't online all the time.
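
Added example, not part of the original thread or the vendor's documentation: a PowerShell script that ties the two replies together. It starts Run All Inventory with AexPatchUtil, treats 1 as a successful launch as the quoted documentation states, and then waits until the agent's Queue folder holds no .nse files for several consecutive polls, since the thread notes that new events keep arriving while inventory runs. Assumptions: the agent is installed under C:\Program Files\Altiris\Altiris Agent, the documented codes are the process exit code, and the timeout, polling interval and quiet-poll count are illustrative values.

```powershell
# Added example. Paths and switches come from the thread; timing values are assumptions.
param(
    [string]$AgentDir = 'C:\Program Files\Altiris\Altiris Agent',
    [int]$TimeoutMin  = 60,   # assumption: stop waiting after an hour
    [int]$PollSeconds = 30,   # assumption: polling interval
    [int]$QuietPolls  = 3     # consecutive empty polls required before declaring the queue drained
)

$util  = Join-Path $AgentDir 'Agents\PatchMgmtAgent\AexPatchUtil.exe'
$queue = Join-Path $AgentDir 'Queue'

function Invoke-PatchUtil([string]$Switch) {
    # Per the thread: 1 = the action was launched, 0 = it was not.
    # Assumption: those codes are returned as the process exit code.
    # A code of 1 does not mean the action finished, only that it started.
    $p = Start-Process -FilePath $util -ArgumentList $Switch, '/q' -Wait -PassThru
    if ($p.ExitCode -ne 1) {
        throw "AexPatchUtil $Switch was not launched (code $($p.ExitCode))"
    }
}

function Get-QueueCount {
    # Events wait as .nse files in a per-server subfolder of Queue, so search recursively.
    @(Get-ChildItem -Path $queue -Recurse -Filter '*.nse' -ErrorAction SilentlyContinue).Count
}

if (-not (Test-Path $util)) { throw "Not found: $util" }

Invoke-PatchUtil '/I'   # Run All Inventory

$deadline = (Get-Date).AddMinutes($TimeoutMin)
$quiet = 0
while ($quiet -lt $QuietPolls) {
    if ((Get-Date) -gt $deadline) {
        throw "Queue still holds $(Get-QueueCount) file(s) after $TimeoutMin minutes; keep the machine online."
    }
    Start-Sleep -Seconds $PollSeconds
    $n = Get-QueueCount
    # Inventory keeps producing events, so one empty poll is not enough.
    if ($n -eq 0) { $quiet++ } else { $quiet = 0 }
    Write-Host ("{0:HH:mm:ss}  queued .nse files: {1}" -f (Get-Date), $n)
}
Write-Host 'Queue drained: inventory events have left this machine.'
```

Run it from an elevated prompt after the software update cycle has finished, and keep the laptop from sleeping until the script reports the queue as drained.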