Client Management Suite


force patch updates

  • 1.  force patch updates

    Posted Mar 30, 2012 11:09 AM

    OK, I've never bothered about this but now I have someone who would like to do it. On a new machine - pull down Windows updates right there and then and not wait on policies. I've tried the suggestions from other posts using the

    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /I

    then

    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /Xa

    also tried

    "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /C

    I don't see anything happening. No updates were pulled down. Am I missing something here?

    Joe.



  • 2.  RE: force patch updates

    Trusted Advisor
    Posted Mar 30, 2012 01:10 PM

    It has to run a download and then run the windows assessment task before it knows what updates it needs.



  • 3.  RE: force patch updates

    Posted Mar 30, 2012 04:02 PM

    Yeah, I was trying to think of a way to do that quickly for new PC builds myself.  I ended up going with a vbscript to download all the latest stuff from MS.



  • 4.  RE: force patch updates

    Posted Mar 31, 2012 04:39 AM

    So if I'm understanding this, the quickest way to force updates then is to NOT use Altiris but go to the Microsoft update website and download from there...



  • 5.  RE: force patch updates

    Trusted Advisor
    Posted Apr 01, 2012 02:42 PM

    The backend policy and filter processing has to happen as well.  Try running the filter update tasks and then update the client's policy and see if the patches appear.



  • 6.  RE: force patch updates

    Posted Apr 02, 2012 08:41 AM

    If it helps, here's the script I came up with...

    Attachment(s)

    txt
    MSUp.txt   3 KB 1 version


  • 7.  RE: force patch updates

    Posted Apr 04, 2012 12:09 PM

    Are these completely new machines being freshly imaged and if so are you using WinPE? Do you also use or at least have, Patch Management installed? If so then you may be able to use the workflow found here: http://www.xcendgroup.com/2010/11/xcend-tech-tips-creating-a-windows-7-self-updating-hardware-independent-image-using-deployment-solution-6-9sp4-and-symantec-management-platform-7-x/?cat=18

    You will want to pick up around #13 and then again at #17. Also, even though it isn't mentioned in that article, you may need to change to WinPE 3 for better off-line patching of Win 7 but at least this can be a start. I have not yet tried it but it is on the list in the next couple of weeks I hope.



  • 8.  RE: force patch updates

    Broadcom Employee
    Posted Apr 04, 2012 03:44 PM

    Joe,

     

    You might want to consider creating a separate software delivery, patching and base agent configuration policy for new machines.  A more aggressive policy would help you solve the patching challenge you mentioned. 

    Looking at the broader new build process, you may want to wait until all of the core application components are installed before you enable Patch.  This would allow you to handle any third party updates your workstations need at the same time you're applying those critical system patches we all know and love.

     

    Hope that helps!



  • 9.  RE: force patch updates

    Posted Apr 09, 2012 04:48 AM

    I have no idea what you mean. I just find it absurd that the patching updates take so long on a new build machine. Could you expand on how I would create a new policy to do this?



  • 10.  RE: force patch updates

    Posted Apr 09, 2012 05:35 AM

    Yep - it's looking like connecting to the MS site is the quickest. I don't see any alternative, quick solutions. I would have thought a patch management product would have had the ability to 'Patch' machines as soon as possible if requested... I'm pretty sure a lot of people would need to do this.



  • 11.  RE: force patch updates

    Trusted Advisor
    Posted Apr 09, 2012 10:45 AM

    I created a filter for "Computers Discovered in the Last 48 Hours".  From here I excluded all of the software installations that were part of my image build and I attached a 1 hour agent check-in time.

    You could presumably set a much more aggressive patch System Assessment and remediation schedule to this.  Or, instead of using the native patch interface you could create some tasks or policies that would run the AeXAgentUtil utility to run more aggressively for the scan and the patch application.

    From what I've been told, though, it appears that the "patch it now" functionality is on the roadmap.  How far off?  Who knows.



  • 12.  RE: force patch updates

    Posted Apr 09, 2012 11:01 AM

    >> functionality is on the roadmap. How far off? Who knows.

    Story of my life with this product! I'll stick to Microsoft update site just now.

    I've added it to the Ideas section. :-)

    Thanks for the replies.

    Joe.