
Patch Management - Download Patches but not install, user chooses patches to install, possible?

Created: 23 May 2013 • Updated: 24 May 2013 | 5 comments
This issue has been solved. See solution.

Is it possible to download patches but not install them, so that the user then chooses which patches to install?


Charlie D Tran

You can create a filter for those special machines, then create (clone from default) a software update policy and schedule it far in the future, say the year 2050.

Please keep posted.

 

 

 

SOLUTION
greg_zielinski

How important would "which patch to install" be vs "all pending patches"?

 

I can think of a few ways to leverage the software update agent command line but it would be more difficult if you wanted to allow the user to pick which available patches to run.

 

BillyJean

The users are actually system administrators and the computers are servers such as Exchange, etc.

andykn101

I use Charlie's solution often for servers, it works well.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

HighTower

I like Charlie's idea as well (and I actually do that here) but I do not like to enable the "Allow user to run" option in the policy.  If you have that enabled then any user, administrator or not, who can access the Software Updates tab in the SMA can trigger the patch event.  For us, that was a little too risky.

Instead we've given our administrators the knowledge to trigger the patching event from a commandline or you can build a Task that would trigger the patching command without having to access the system:

".\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AexPatchUtil.exe" /Xa /reboot

That command line will trigger all available patches and then reboot when completed if necessary.

 

For your second question about choosing individual patches... allegedly there's a way to specify from the commandline using the same utility the GUID of the patch package you want to apply but I've never had luck with that.  The downside is the failed syntax mode is to go ahead and install all pending patches anyways.

You *could* just open the agent, double-click on each individual update package, select the Download History tab of the package, and then browse to the URL or UNC of the package and execute them directly and individually but this won't pass the patch commandlines and, of course, you're doing them all manually.

The better option is to do better grouping and policy creation.  However, you're going to get very complicated very quickly and your org should probably get more comfortable with a process that allows you to test on a subset of systems and then proceed into production with automated installations.

SOLUTION