Patch Management Solution

Hello,

We are trying to clean up our outstanding Office installs using patch management in the CMS suite (version 7.1 SP2 MP1.1 rollup 8.)  So I created a filter with test systems that require and not require the office updates to test if CMS can deploy the patch to the proper systems and run only when it is supposed to .  During my investigation, I have a Windows 7 system that has Office 2007 SP0 (version  12.0.4518.1014) in this scope.   The policy has been enabled with this scope for 4-5 days and the system resides in the same subnet as a site/package server.   I used the RAAD tool and the patch management tab shows the policy to install Office 2007 SP3 but the entry is listed as "Not Currently Applicable".   I ran the patch inventory, start patch cycle, and run update but the status is still "Not Currently Available".   I checked the details of EXCEL.exe and it still has the version of 12.0.4518.1014.   The system was rebooted in the process of running the October patches but I am not sure where else to go with this.

Thank you in advance for your help.

Thanks,
Jamie

Is the status "Not Currently Applicable" or "Not Currently Available"? "Not currently available" would suggest to me a problem with downloading the package. Check the logs using RAAD.

The status shows "Not Currently Applicable." 

I would think if the patch was not applicable that it would not be there because...well... it is not applicable.   This group is in the policy to get service packs for 2007, 2010, and 2013. 

Thanks,

Jamie

You probably need to run this manually to figure out what the issue is.

Goto C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery

Find the correct GUID named folder for the Service Pack you are trying to install. Browse into the cache sub folder and run the update manually without any command-line switches making it silent. If doing this returns a message, on the screen, that the patch is not applicaple, then there are other issues on the system. I seen this a long time ago with IE. Registry was saying one version, but IE Help > About was saying a completely different version. Issue was from the repackaging using IEAK.

Hi,

I just checked the directory in the Software Delivery folder for that GUID and I have the three xml files but I do not have the Service Pack listed as downloaded.   So I am guessing that because it is not applicable, it never downloaded the package? 

I am "staging" the file now using a SWD task with cmd.exe as the command to just get the file downloaded. 

If I wanted CMS to "redownload" the package from Symantec, is there a "best practice" way to do it?   I am really hoping this can be done through patch management instead playing around with managing a project with a SWD job rollout. 

Thanks,
Jamie

 

 

 

You can always redownload a package through Patch Remediation Center by right-click > Recreate Package. This is the best method as it will repull everything from Symantec for that patch.

Problem with doing it as a SWD task is that you have dont have a way to control applicability or compliance. Using the Patch engine, it does it for you via assessment scans.

Since you are not seeing the patch in the Software Delivery folder, most likely the binaries have been removed because you have the "Delete unused patches after x days" set and this patch is deemed as unused by the client.

You can always copy the file from the server to the client machine. <InstallDir>:\Program Files\Altiris\Patch Management\Packages\Updates is the location of all your downloaded updates on 7.1. The executable will be in there.

I recently rolled out SP2 for Office 2010. The way I did it was through Patch Remediation Center. I right-clicked the SP (there are 2, 1 for each architecture) and created a new policy. The target of the policy was the default software update target set on the Settings page. I then changed the schedule to "Run (other than agent default)" and set the time I wanted to upgrade my machines. Yes, every computer in the environment will add some logic in the Patch Assessment XML but that is fine. Just like any other patching, only computers that are applicable will show the update/SP as scheduled and only the applicable computers will run it.

 

 

For future information, I recreated the package and it worked fine after I did this.  So I was on the right track.