
Missing some critical patches from Microsoft

Created: 13 Dec 2013 • Updated: 17 Feb 2014 | 7 comments
This issue has been solved. See solution.

I have a question about the Altiris Patch Mgmt solution for Windows.

Special note:  I do not have the additional pieces for the client management suite, I only have patch management.

I am missing critical updates from Microsoft.  They are KB articles (not the MS13-0xxx type updates).

Here are two examples:


What is different about these KBs I listed above that they would not show up within Altiris patch management for Windows?

Is there some type of description that explains exactly what updates are provided from Microsoft vs the ones that are not provided?  I can get these through WSUS but not Altiris and I don't understand what the differences are between one update and another.

Thank you,




HighTower

Those are considered optional updates and as such are not provisioned by the Symantec process unless users request that they are.

You can open a ticket with Support and they can give you guidance on whether or not these updates will be included in the PM Import process.

Alternatively, if you had CMS you could use Software Delivery to build a Managed Software Delivery policy to deploy these updates.

Just curious... how did you come by just Patch Management?

scott.c.walker

I opened a support ticket with Symantec.  I will see how they do the process with me requesting.

Let me ask you something else.

Let's pretend I purchased the software delivery piece.  Those missing KB articles that are not included with the PM Import process, would they all of a sudden "appear" out of thin air since I had software delivery, or would I instead, to use software delivery, download the package from Microsoft and build the update delivery myself?

I think it means I would build the package myself but just making sure.

We ended up with only patch management because I am in the security department and am in charge of making sure all systems are patched.  The desktop support department was going to purchase the inventory and software mgmt piece but dragged their feet (for years).  I cannot wait around to get patching done so went ahead with only patch mgmt.  So now we only have patch mgmt and desktop support still has nothing to manage anything else.

Thank you,


HighTower

No, if you had SWD working the missing hotfixes would not just appear.  In that case I would personally make use of "dynamic filters" (as a Managed Software Delivery policy can't use Windows Updates in its detection rules, but I digress).  First, create a filter that defines the computers that have a particular update installed.  Then create a filter that you want to target against for hotfix deployment and exclude the first filter from the second.  This way you're not trying to install software against systems that already have it installed.  Then you'd build your package which contains the hotfix binaries and command lines for a silent install and you'd build your policy that governs installation schedules and behavior and target your second filter with this policy.

I'm surprised that you own just "Patch" as I'm not even aware that they sell it like this now.  Perhaps give your Symantec or VAR rep a call to see what it would take to get you into full CMS.

Depending on your org you might have more power than you realize coming from the Security team.  Symantec has always said that they believe a well-managed endpoint is a secure endpoint... secure means a whole lot more than just patching.
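The "computers that already have a particular update installed" check from the reply above, written as a local PowerShell detection script; this is an added illustration, not code from the thread, from Symantec or from Altiris, and the KB numbers in it are placeholders. It reads both Win32_QuickFixEngineering (what Get-HotFix shows) and the Windows Update Agent history, because QFE alone omits some update types.

```powershell
# Added example: report which required KB updates are missing on this machine.
# Exit 0 = all present (machine belongs in the "already installed" exclusion
# filter), exit 1 = at least one missing. KB IDs below are placeholders.
param(
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')  # placeholders, not real KBs
)

function Get-InstalledKBs {
    # Source 1: Win32_QuickFixEngineering via Get-HotFix. This only lists updates
    # installed through the servicing stack, so MSI-based or some optional updates
    # will not appear here.
    $qfe = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    # Source 2: Windows Update Agent history. Entries that the agent installed
    # successfully (ResultCode 2 = orcSucceeded) carry the KB number in the title.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    $history = @()
    if ($count -gt 0) {
        $history = @($searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |
            ForEach-Object {
                [regex]::Matches($_.Title, 'KB\d+') | ForEach-Object { $_.Value }
            })
    }
    ($qfe + $history) | ForEach-Object { $_.ToUpperInvariant() } | Sort-Object -Unique
}

function Get-MissingKBs {
    param([string[]]$Required, [string[]]$Installed)
    foreach ($kb in $Required) {
        if ($Installed -notcontains $kb.ToUpperInvariant()) { $kb }
    }
}

$installed = Get-InstalledKBs
$missing   = @(Get-MissingKBs -Required $RequiredKBs -Installed $installed)

if ($missing.Count -eq 0) {
    Write-Output "COMPLIANT: all $($RequiredKBs.Count) required updates are present"
    exit 0
}
else {
    Write-Output "MISSING: $($missing -join ', ')"
    exit 1
}
```

A KB that shows as missing in both sources is a prompt to verify on the machine, not proof of absence, since updates applied by other means can be recorded elsewhere.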

Joshua Rasmussen

These updates may fall into the outline provided on KM: TECH198736

They may require user interaction, or may not have a solid update executable to be deployed like some Advisory Updates.

You may always open a Support Case and request Backline Escalation to review adding these updates moving forward.

scott.c.walker

I opened a ticket with Symantec Support.  This is what I found out.

Windows updates are supplied by the PMI process.  Symantec cannot guarantee every single MS patch will be provided.  This is a relationship between Symantec and Microsoft and someone decides what is delivered via the PMI.  There really is not a way for me as a customer to find out exactly what will be delivered at what date.  Symantec cannot guarantee support of every single update.

The updates not delivered could be deployed by the customer with software distribution where we write our own deployment.

It sounds like most customers have the full blown CMS and not just the patch management piece like me.  Oh well, I am trying to figure out if we can purchase the other pieces of CMS.

Thanks for all the responses.


HighTower

I'm seeing that this thread is still open. Can you consider it closed and mark a response as a solution?