Patch Management Solution

  • 1.  How does Patch work timing wise?

    Trusted Advisor
    Posted Dec 03, 2012 11:37 AM

    I'm looking for clarification on how patch works, specifically when a machine is reimaged.

    After imaging (assuming the agents are updated), at some point the computer runs the Windows Assessment Scan (or I force it).  Then the agent updates (or I force it several times).  If I'm watching the computer, I look at the agent's requested time and wait to see if the changed time updates; if it does, that usually means the computer has realized patches are available and queued them.

    Sometimes I image 2 machines at the same time and do the same update agent/run scans and one computer just doesn't get the patches, but if I leave it on a day it eventually does get the updates.

    If I look in reporting, I see the computer that didn't get the patches, and it shows updates applicable but not installed.  I assume that report data could be outdated from before the computer was imaged, however.

    I understand that with CMS a lot of things are timing based and not on demand, but when I image 2 computers I have a hard time understanding why they behave so differently.  Is there a log on the server/client I can look at to see whether the assessment scan sent results to the server, or what else may be going on?  If they update eventually that's ok, but I'd like to build my confidence that updating will eventually happen before I send these machines into production.

    Thanks!




  • 2.  RE: How does Patch work timing wise?

    Posted Dec 04, 2012 08:46 AM

    When you reimage the computers, do you first remove them from the database?

    If you keep them in the inventory, that might be the reason. Patch management remediation, like all Altiris/Symantec solutions, is based on the inventory, whose information is stored in the database. If patch management sees the computer as fully patched according to the previous inventory, it will not run until a new inventory is done.

    Regarding the update you're doing, that is the policy; this is a setting done for each agent in the "Targeted Agent Settings" that defines how often it checks for new policy.

    And for the patch, the setting is done in each remediation policy, which defines when to launch the corrective action.


    Regards



  • 3.  RE: How does Patch work timing wise?

    Broadcom Employee
    Posted Dec 04, 2012 12:05 PM

    Hello Sally5432,

    After reimaging the machine, you need to update the Symantec Management Agent and the Software Update Plug-in to the version provided by the NS.
    I suppose it is verified that the agent is communicating correctly with the NS, considering that the Install/Upgrade policy for the Software Update Plug-in has been applied successfully.

    Then the latest available Windows Assessment Scan package with the latest patch data should be downloaded from the NS.
    As soon as the assessment scan package is downloaded to the client, you may run the Windows System Assessment Scan with the 'Send Inventory Results Only If Changed' checkbox UNchecked in the policy options.

    In order to verify that the results of the Windows System Assessment Scan have been received by the NS, please check the report 'Windows System Assessment Scan Summary' (Reports > Software > Patch Management > Diagnostics > Windows System Assessment Scan Summary).
    After the latest results of the assessment scan are received by the NS, the compliance reports should be updated.

    Then the applicable/not installed updates from enabled SWU policies should be distributed to the targeted machines (after the Patch filters are updated).

    Thanks,
    Roman



  • 4.  RE: How does Patch work timing wise?

    Trusted Advisor
    Posted Dec 04, 2012 12:14 PM

    @Roman - Thanks!

    "Send Inventory Results Only If Changed" is checked in my default Windows System Assessment Scan policy, which I assume is correct for our production policy.

    Are you saying to uncheck that only when I'm trying to force a newly imaged machine to update faster?




  • 5.  RE: How does Patch work timing wise?

    Broadcom Employee
    Posted Dec 10, 2012 10:42 AM

    Hi Sally5432,

    Yes, you are right. You do not need to keep this checkbox disabled all the time; I suggested disabling it in order to be sure that the patch inventory results are sent during troubleshooting.

    Thanks,

    Roman