
Faronics Deepfreeze & Symantec CMS patching

Created: 27 Jun 2013 | 9 comments

Is anyone out there trying to push patches to machines with deepfreeze on them, especially laptops?

I can't think of a good way to do this because our machines will go to sleep before patches have a chance to install (if we set up a DF maintenance period for patching).

I see Faronics has their own Core solution for pushing updates, but it looks like it relies on WSUS - it would be disappointing to have to manage a WSUS on top of what we do already with CMS.


HighTower's picture

Use the patch agent command line in a task or a policy.  Or set up a job to do something like this:

1.  "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /Xa  (to trigger the update cycle if patches are staged).

2.  Run your "commit" task in Deepfreeze to make the changes permanent.

3.  Reboot

Using the AeXPatchUtil.exe process really helps you get around the inflexibility of the Software Update Cycle policies as it's a policy but it lacks the ability to execute patching "as soon as possible".

Does this help?

Sally5432's picture

I will have to read up on AeXPatchUtil.exe - thanks HighTower.

The laptops would have to 

- boot into thawed state during off hours (I can schedule that with deepfreeze)
- download and run latest assessment scan so it knows what patches it needs
- update client config to start downloading necessary patches. 
- wait some period of time to make sure patches have time to download
- install downloaded patches
- wait some period of time to make sure installs have time to finish
- reboot back to frozen state (I can schedule that with deepfreeze)

Not sure how to make that all happen during off hours without the laptops going into sleep mode - even if deepfreeze is able to boot them into thawed mode with lids closed (not sure on this, will be asking Deep Freeze tomorrow).  

Maybe if laptops are plugged in each night it wouldn't be an issue but I could see some not being plugged in and win updates half installing because the battery died or it went into sleep mode & that wreaking havoc.

 

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.

HighTower's picture

Software Update Plug-in Command Line Interface

AeXPatchUtil [/i] [/Xa] [/reboot] [/C]
/I       Run full System Assessment Scan
/Xa      Start Software Update Cycle
/f {GUID1} {GUID2} ...   Forces the installation of one or more software updates

/reboot  Reboot only if the Software Update Plug-in requires a reboot
/C       Update plug-in policies
/q       Run in quiet mode. No user input required.
/s       Show current state of the Agent.
/?       Usage Screen

Just as a warning to anyone who's paying attention... I have NEVER successfully used the /f switch to install particular updates.  Every time I've tried this it invariably just installed everything that's pending (and I've tried every GUID that I could find).

Perhaps you could play around with the /i switch to kick the System Assessment Scan.  If the package on the agent doesn't match what's on the client's package server it should download the new version before it runs.

 

b3tts32's picture

We had deep freeze at my old job so it's been a while since I've dealt with it. You'd pretty much need to set your Altiris maintenance windows inside of your Thaw period. 

 

For example Thaw Period : 6 - 9pm. Maintenance Window: 6:15 - 8:45pm to allow time for deep freeze to boot the machine in and out of maintenance mode without affecting any of the Altiris jobs.

 

Being that they're laptops makes things a bit complicated. Are these XP or Windows 7 machines mainly?

 

The only way I see you getting around that is maybe a scheduled task to change the power plan settings? I'd go with a scheduled task over a delivery policy in this case because you can select the option to wake the computer up and run the task. You'd run the powercfg task to change the power options so it wouldn't shutdown or whatever, machine enter maintenance mode at 6, altiris maintenance tasks kick off at 6:15.

 

I hadn't messed with deep freeze in a while but they seem to be pretty flexible with how they do things so I'm sure you can work something out.
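The approach discussed in the posts above (keep the laptop awake with powercfg, then drive the patch agent from the command line), sketched as an added example that is not part of any poster's reply. It assumes the default agent path quoted earlier in the thread, PowerShell 3.0 or later, and placeholder restore timeouts; it is meant to be the action of a local scheduled task that is allowed to wake the computer inside the Deep Freeze thaw window.

```powershell
# Added example, not from the thread's authors.
# Assumptions: agent path as quoted in the thread; restore values (minutes)
# are placeholders for whatever your normal power policy uses.
param(
    [int]$RestoreStandbyAc   = 30,
    [int]$RestoreHibernateAc = 60
)

$patchUtil = 'C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe'

function Test-OnAcPower {
    # PowerLineStatus is Online when mains power is connected
    # (desktops without a battery also report Online).
    Add-Type -AssemblyName System.Windows.Forms
    $status = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus
    return ($status -eq [System.Windows.Forms.PowerLineStatus]::Online)
}

if (-not (Test-OnAcPower)) {
    # Avoids the half-installed-update case raised in the thread.
    Write-Output 'On battery: skipping patch cycle so installs are not cut off.'
    exit 1
}

if (-not (Test-Path -LiteralPath $patchUtil)) {
    Write-Output "Patch utility not found at $patchUtil"
    exit 2
}

try {
    # A timeout of 0 disables sleep/hibernate while on AC power.
    powercfg /change standby-timeout-ac 0
    powercfg /change hibernate-timeout-ac 0

    # Switches as listed in the thread:
    # /C update policies, /i assessment scan, /Xa software update cycle.
    foreach ($step in '/C', '/i', '/Xa') {
        $p = Start-Process -FilePath $patchUtil -ArgumentList $step, '/q' -Wait -PassThru
        Write-Output "AeXPatchUtil $step exited with code $($p.ExitCode)"
    }
}
finally {
    # The machine is thawed, so power changes persist: put them back.
    powercfg /change standby-timeout-ac $RestoreStandbyAc
    powercfg /change hibernate-timeout-ac $RestoreHibernateAc
}
```

The thread does not say whether AeXPatchUtil returns only after the update cycle finishes, so leave margin between this task and the end of the thaw window; the Deep Freeze commit and reboot remain on Deep Freeze's own schedule.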

cbleeson's picture

I am working with Deep Freeze and using CMS to do patching.  I am working on getting things set up and tested out but so far I've had positive results. 

I have the Deep Freeze maintenance window scheduled and inside of that I created an Altiris maintenance window.  My Altiris maintenance ends 15 or 30 minutes before my Deep Freeze window.  I don't remember exactly.  My Patch Policy is set to install during that time and allows for it to reboot before the end of the maintenance.  I also have the Assessment scan set to scan multiple times during the maintenance period.

I also allow my patch policies to reboot if needed.  That should help avoid a boot loop as well.  The maintenance window in Altiris should keep the workstations from rebooting on their own during the day.

I'm trying to do smaller patch bundles and a longer maintenance window so that I don't end up freezing the computers and sticking them in a boot loop.  Currently I am running maintenance twice a week, I have about a 4 hour maintenance window and have not stuck them in a loop yet.

Hope that helps!

Chris

Sally5432's picture

Thanks all - lots of good info here.

Chris, are you patching laptops?  Are you using AeXPatchUtil to try to force patching to happen ASAP?

 

 


cbleeson's picture

No, I'm not doing laptops.  What challenges are you having with the laptops? 

I'm not using the Util to force patching.  I created 3 policies to help automate my patching: Windows System Assessment, Software Update Plug-in, and Maintenance Window.  My maintenance starts at 00:01 so I'm not awake to check it out.  I just check the next day and make sure it looks good.

My Patch Policies are ASAP but the maintenance window forces them to install when I want them.  The downside is that as far as I can tell, the client will cache the patches outside of the maintenance period so they will be erased when the workstation reboots.

Sally5432's picture

My main concern at this point is really powering up laptops (with lids closed) and then keeping them on long enough for the maintenance period.  Dell sells carts with ethernet - but not sure in reality staff members would plug power and ethernet into them each night, but it may be best bet for keeping machines patched.  

I guess some sort of scheduled power task b3tts32 recommends might work too but only if I could get the wake on to happen in the first place.


b3tts32's picture

As long as the scheduled tasks are set locally on the computer there shouldn't be an issue with the machine waking itself up to run. You could try testing it with a ping command or something simple to verify functionality.