Client Management Suite

So I have a business need to babysit some computers for patching (on 7.1 SP1).  Basically, I want to fire up the agent and manually start the software upgrade cycle.  I can't seem to wrap my head around how to do that.

We're using maintenance windows, so this group of computers has an always open maintenance window.  It seems that once the patch polices are applied, they are installed.  I gather its based on the Default Software Update Plug-in Policy, but I can't figure out how to make a policy that tells the agent not to install them at all...

Is this possible?

Hi Zac H, 

By default, Patches are installed according to Maintenance Windows, Default SWU Policy schedule is disregarded in that case. As far as those computers have an always open Maintenance Window, Patches will be installed ASAP on them. 

To make patches install on custom schedule, You should select "Override Maintenance Windows settings" checkbox in the Default Software Update Plug-in Policy. Note, that this policy can be cloned and then targeted to the desired group of computers, to leave all other endpoints obey Maintenance Windows.

Regards,

Serge

If you want them not to install at all, you should also be able to go to the filter that is attached to the software update policy and explicity exclude the desired machines.  I think the filter is the "windows computers with the software plugin agent installed" or something along those lines.  You should be able to determine the filter name from the policy.

Unfortunately, the default software update policy has no viewable filter attached to it.  Removing the open maintenance window, and setting an "expired" update policy to ignore maintenance windows resolved the issue.

If you clone the software update agent policy, you can see the filters.  You could clone it twice, turn off the default filter, and set up the two different policies as desired.  I had to do this for our developers since patch installations during the day caused too much disk I/O while they were compiling.

Ahhh, I didn't think of turning off the default policy.  Another good idea.  Thanks!

You can also schedule in the future and then force it remotely (or from the keyboard) with the command AeXPatchUtil.exe /Xa

I actually plan on doing that for some servers that need some scripts run before and after patching runs.  Another piece of my puzzle that this "manual" patch method will solve.

One other option is to set the patch schedule waaaaaay in the future and then enable the "Allow user to initiate patch process" option.  This exposes the hyperlink in the Altiris Agent that allows the technician to start the patching from the GUI.

However, if you do this, the cached patches never get removed from the computer and binaries will consume disk space until the option is disabled or the computers are moved out of the group that the policy applies to.

Since we're on the subject of patching, when do 'weeks' start in Altiris patching?

I just setup a maintenance window for Sunday Week 1, thinking it would be this weekend.  It's not.  The MW is now set to open in November.

Week 1 Sunday means the first Sunday of the month from what I understand.  So in October that would have been October 2.  For November this will be November 6.

I agree with this.  I recently had a SNAFU where I patched on "Week 3 Thursday" at 10pm and set my reboot even for "Week 3 Friday" at 2am.  The problem was that the intended Friday was actually the 4th Friday of the month.  Looking at the agent it showed the reboot event for being scheduled 6 days prior to the patch event.  Therefore those systems never rebooted.

Mike Gruber stated at a user group meeting that they'll be working on scheduling relative to an event, or a date, or something.  Like "14 days after Patch Tuesday" or something.  This is going to simply our complicated patching process tremendously.

Its certainly confusing.  Although I'm not sure how to make the Weeks option *not* confusing.  I'm just glad I checked the maintenance window after I set it...