
How to apply outstanding software/updates quickly after image deployment?

Created: 10 Oct 2012 | 5 comments

Hi there

After using both CMS 7.1 and SCCM, I'd like to accomplish something in 7.1 that was previously very simple to achieve in SCCM. Basically, we have a Windows 7 build, but as we are constantly deploying updates/patches and entire software releases, this gets out of date very quickly. What I'd ideally like is to tell a freshly imaged machine to check back for any outstanding patches or software deployments and install them asap. Some sort of completion feedback to the imaging engineer would be a positive, rather than waiting for a compliance report to refresh.

I have imported all of our software installs into the software catalogue and have created packages, detection/applicability rules, as well as supersedence and dependency data. Testing these on a blank machine seems to work fine, albeit a little slow.

Am I correct in thinking that in order to use the resources I have imported into the catalogue, I will have to set up separate Quick Delivery tasks for each software release that are 'tacked on' to the end of the deployment job? If so, this will essentially double up the work needed when creating a resource for a new software deployment, something which I'd like to steer clear of. Also, quick deliveries do not honour dependencies/supersedence etc. I saw some similar threads that made mention of using Workflow to achieve this, but after looking through the guides and the application itself, I'm not sure how this would work.

Additionally, how would we handle outstanding patches? This would be extremely important to get right, as we cannot have a situation where machines are deployed to end-users without the required patch level.

All of this needs to occur within an hour or less (deployment of image, installation of outstanding patches/software, verification by an engineer).

We currently use DS 6.9 for our deployments, coupled with very large and convoluted/complex scripts that handle the software deployments, but we were hoping to move away from these as the risk of human error and the overall time needed to maintain is quite high.

Thanks


andykn101's picture

I'm assuming, as you talk about duplication for Quick Delivery tasks and the lack of dependency checking, that you already have set up Managed Software Delivery Policies.

I recommend setting the default schedules for MSD Policies to include "00:00 No Repeat"; this will have the effect of the check and remediation running immediately. Make sure the Software Management plug-in is in the image.

I'm sure I've seen a command for triggering a Patch Update cycle through the command line but all I could find was this:

"How can I start a Patch software update cycle from the command line?"

http://www.symantec.com/docs/HOWTO4198

It should still apply, AeXPatchUtil.exe is supplied with 7.1 SP2. This is a bit more recent:

"AexPatchUtil.exe command line options and examples"

http://www.symantec.com/docs/HOWTO9770

But if you want technician feedback then I suspect Workflow might be the best answer. Check here and WorkflowSwat for examples to see if anyone's tried it before.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

jim1980's picture

Hi Andy

Thanks very much for taking the time to respond.

That's a good idea about the MSDs, but I'm loath to target a group that has existing machines in, just in case they fail the compliance check for whatever reason and start uninstalling/reinstalling software whilst a user is logged on. I thought perhaps I could have a task in the deployment job that puts the computer in a temporary deployment group that has these Policies applied to it, and then later move the machines out?

I'll give the patch utility a go from a task and see what happens - any idea how it handles patches that require reboots before subsequent, related patches are installed?

Thanks

Zac H's picture

You could create a dynamic filter that contains machines built in the last day?  Keep in mind that none of this is going to be "immediate" though.  Here's the query I've used for that filter...

SELECT vComputer.Guid 
FROM vComputer
INNER JOIN Inv_OS_Operating_System
ON vComputer.Guid = Inv_OS_Operating_System._ResourceGuid
WHERE DateDiff(dd, Inv_OS_Operating_System.[Install Date], GETDATE()) < 1
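
Added example, not part of Zac H's post: in T-SQL, `DATEDIFF(dd, ...)` counts midnight boundaries crossed rather than elapsed 24-hour periods, so a machine imaged late in the evening leaves a `< 1` filter at midnight, possibly before its patches and policies have applied. The script below compares that predicate with a rolling 24-hour window on constructed sample rows (the `@builds` table, machine names and timestamps are made up for illustration), then shows the same filter written with the rolling window against the views and columns used in the post.

```sql
-- Constructed sample data: three builds, evaluated shortly after midnight.
DECLARE @now datetime;
SET @now = '2012-10-11T00:10:00';

DECLARE @builds TABLE (Name varchar(20), InstallDate datetime);
INSERT INTO @builds (Name, InstallDate)
SELECT 'PC-A', '2012-10-10T23:50:00'   -- imaged 20 minutes ago, before midnight
UNION ALL
SELECT 'PC-B', '2012-10-11T00:05:00'   -- imaged 5 minutes ago, after midnight
UNION ALL
SELECT 'PC-C', '2012-10-09T12:00:00';  -- imaged 36 hours ago

-- Compare the calendar-day predicate with a rolling 24-hour window.
SELECT Name,
       InstallDate,
       DATEDIFF(dd, InstallDate, @now) AS DayBoundariesCrossed,
       CASE WHEN DATEDIFF(dd, InstallDate, @now) < 1
            THEN 1 ELSE 0 END AS InCalendarDayFilter,
       CASE WHEN InstallDate >= DATEADD(hh, -24, @now)
            THEN 1 ELSE 0 END AS InRolling24hFilter
FROM @builds
ORDER BY InstallDate;

-- The same filter with a rolling window, using the view and column
-- names from the query in the post above.
SELECT vComputer.Guid
FROM vComputer
INNER JOIN Inv_OS_Operating_System
    ON vComputer.Guid = Inv_OS_Operating_System._ResourceGuid
WHERE Inv_OS_Operating_System.[Install Date] >= DATEADD(hh, -24, GETDATE());
```
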

jim1980's picture

Many thanks for that Zac. I think I am going to use Quick Deliveries for software during deployments and the command line that Andy linked to for patches.

QDs seem to work well so far, although I only have 2 in my current test job. The real test will be when we have 20+....

Andy - as far as the command line goes, I have a job that fires the following off in a task at the end of my deployment job:

"C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\aexpatchutil.exe" /I /C /Xa /q

However, the exe reports back error 1 and shows as failed in the console, but I can see that it is actually working as it should - have you heard of this?

Also, it has taken around 1 hour to just install the patches from the time this command was invoked. Currently, using DS6.9, our current deployment script deploys all patches and all software in about 20 minutes. Is this common and if so, is there anything I can do to speed it up?

Many thanks

JimChud's picture

DS6.9 definitely kicks in faster, the problem is partially to do with the agent.

The first time it starts after it's installed there's about a 15 minute window before it starts actively doing stuff and then it installs the subagents for the management agent. Once this is complete it starts working.

I believe you can add these in to the base build and obviously remove that time.

We end up putting everything in to a policy and then having machines in OUs based on requirement and thus the policies apply to that. You can also do an update request for the agent to check for new settings so when it's complete it kicks in faster; we do this as part of the build as the last step in 6.9. You could use filters instead as said above, and the computer would be put in to the filter if it was built within the last x time.

They kick in shortly after the software management agent has started and complete pretty quickly. Though the startup for the agent time is higher we've found it slightly quicker to finish off installing the custom software to compliance due to the way it handles the installs through to completion with little or no intervention.

The script we use looks like:

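' Ask the Altiris agent to send basic inventory, then refresh its policies
Dim NSClient, IgnoreBlockouts, SendIfUnchanged
Set NSClient = CreateObject("Altiris.AeXNSClient")
IgnoreBlockouts = 1   ' send even during a blockout period
SendIfUnchanged = 1   ' send even if the inventory has not changed
NSClient.SendBasicInventory SendIfUnchanged, IgnoreBlockouts
' Request the current policies/settings from the server
Dim NSPolicyMgr
Set NSPolicyMgr = NSClient.ClientPolicyMgr
NSPolicyMgr.Refresh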

Regards Jim.
Connect Etiquette: "Mark as Solution" those posts which resolve your problem and give a thumbs up to useful comments, articles and downloads.