Patch Management Group

  • 1.  Patch Management for Enterprise Servers

    Posted Oct 29, 2015 01:40 AM

    We are looking for guidance with respect to using Altiris Patch Management for Windows Servers and potentially Linux based servers.

    One of the key requirements we have is the ability to orchestrate many aspects of the process in a similar manner to that of a backup process.

    We require the ability to do Pre and Post tasks to manage the patching and restarting of OS and applications.  We also want to take advantage of our monitoring system to change the status of the system so that alerts are not created during the process and uptime statistics are not affected by the planned outage.

    For example:

    Planned outage for Patching a server

    • Put server in maintenance mode on Monitoring System
    • shutdown database or application on server
    • apply patches waiting on server via Patch Management solution
    • restart server
    • restart database or applications on server
    • Return server to Production status in Monitoring System

    Our investigation did not find any abilities in ITMS that could accomplish these tasks.  Before we accept that this can't be done in ITMS, we wanted to float this question to the server community to see how others handle this.

    Thanks in advance

    At present, our ITMS is only being used for Desktop/Notebook patching.  The server team uses WSUS and an add-on that provides this orchestration.

    M



  • 2.  RE: Patch Management for Enterprise Servers

    Posted Oct 29, 2015 08:44 AM
    ITMS has extensive capabilities to run tasks, including scripts, so, provided you can manipulate the monitoring system with scripts, you should be able to accomplish the other tasks. The patch agent can be triggered via a script to run the patch install cycle: "How can I start a Patch software update cycle from the command line?" http://www.symantec.com/docs/HOWTO4198. If you use the "Run script on Task Server" task type, you can pass variables like Computer Name into the script and then do things like run scripts to manipulate your monitoring system.
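
The sequence from the first post, scripted along the lines the reply suggests, as an added example that is not part of the thread and not Symantec's code. The monitoring endpoint, the service name and the `<PATCH-CYCLE-COMMAND>` placeholder are assumptions, as is the patch command blocking until installs finish and exiting 0 on success.

```powershell
# Added example: hypothetical wrapper for a "Run script on Task Server" task.
param(
    [Parameter(Mandatory)] [string] $ComputerName,      # passed in by the task
    [string[]] $ServiceNames = @('MSSQLSERVER'),        # constructed sample, listed in stop order
    [string] $MonitorApi   = 'https://monitoring.example.internal/api/maintenance', # hypothetical
    [string] $PatchCommand = '<PATCH-CYCLE-COMMAND>'    # placeholder: take it from HOWTO4198
)
$ErrorActionPreference = 'Stop'

function Set-Maintenance([bool]$Enabled) {
    # Hypothetical REST call; substitute your monitoring product's own interface.
    # Uses the task's Windows identity instead of a credential stored in the script.
    $body = @{ host = $ComputerName; maintenance = $Enabled } | ConvertTo-Json
    Invoke-RestMethod -Uri $MonitorApi -Method Post -Body $body `
        -ContentType 'application/json' -UseDefaultCredentials | Out-Null
}

$healthy = $false
Set-Maintenance $true
try {
    # 1. Stop the database/application services.
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$ServiceNames) -ScriptBlock {
        param($names) foreach ($n in $names) { Stop-Service -Name $n -Force -ErrorAction Stop }
    }
    # 2. Run the patch cycle and fail the task on a non-zero exit code.
    $exit = Invoke-Command -ComputerName $ComputerName -ArgumentList $PatchCommand -ScriptBlock {
        param($cmd) & cmd.exe /c $cmd | Out-Null; $LASTEXITCODE
    }
    if ($exit -ne 0) { throw "Patch cycle on $ComputerName exited with code $exit" }
    # 3. Restart and block until remoting answers again (30 minute ceiling).
    Restart-Computer -ComputerName $ComputerName -Force -Wait -For WinRM -Timeout 1800
    # 4. Start services in reverse order and confirm each one is running.
    $startOrder = $ServiceNames.Clone(); [array]::Reverse($startOrder)
    $down = Invoke-Command -ComputerName $ComputerName -ArgumentList (,$startOrder) -ScriptBlock {
        param($names)
        foreach ($n in $names) { Start-Service -Name $n -ErrorAction Stop }
        Get-Service -Name $names | Where-Object Status -ne 'Running' | ForEach-Object Name
    }
    if ($down) { throw "Services not running after patching: $($down -join ', ')" }
    $healthy = $true
}
finally {
    # 5. Return to production only after a verified run; otherwise keep alerts
    #    suppressed and let the task fail so an operator reviews the server.
    if ($healthy) { Set-Maintenance $false }
    else { Write-Warning "$ComputerName left in maintenance mode for manual review" }
}
```

Because the failure path leaves the server in maintenance mode, the monitoring side needs its own report or expiry on maintenance windows so a failed run does not hide the server indefinitely.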


  • 3.  RE: Patch Management for Enterprise Servers

    Posted Nov 14, 2015 02:45 PM

    Thanks for your response.  It is encouraging that this can be done.

    I am a firm believer in this suite of products but at times, it is hard to gain the understanding.  With only one response for the area of Server Management, that is a bit disappointing at the same time. 

    On the desktop/notebook side of things we have a variety of different methods for patching that focus on avoiding user impact and disruption.  We have all the mobile devices installing but not restarting at the end of the update cycle.  They get a reboot required warning with clear English and a choice for the user to Restart Now or Restart Later.  The text indicates that a restart is necessary but an option as we do not want to disrupt business.  Desktops install at various times in the evening with a scheduled reboot at 2 am.  There are some that are configured with Manual user intervention and we educate these users to kick off the update cycle which completes with a reboot at the end of the cycle.  It does warn of the reboot as well with a 15 min count down.

    These configurations we understand and are looking to expand this into the server realm.  To do that in the area of higher risk targets, the processes and procedures are even more critical.  To use a product like ITMS to orchestrate server patching, I was hoping for some more detailed guidance and input from those experienced with managing their servers in this manner.  With around 400 virtual and physical servers, automation of patch management for servers is a potential time saver but it must be accomplished with accuracy and control.

    Thanks in advance.