We are testing patch management at the moment, currently with 20 machines, looking to roll out to 1500 in the future. We are getting some interesting issues in testing that I would like your thoughts on if I may. Of the 20 machines, most of them were showing as 30 bulletins behind but one was 86, so I used the 86 patches as the baseline to deploy to the pilot group. It downloaded a ton of patches for the 86 updates and was then scheduled for 2am the next morning. Next morning and not much had happened - a few patches had been installed, so I used the machines with 30 missing as a baseline and deployed immediately with restarts allowed. Then the fun started.
Over the next week we would come in and users would say patches are installing during the week and that a few machines could not be used as the C:\ drive space was full up - C:\Windows\Temp seemed to be the culprit. It's not a couple of hundred MBs either; it is GBs of space.
From the pilot group there is not much faith in the product at the moment, so I'm looking for some best practices on how we move this forward and what enterprise deployments of this solution are doing to use this solution to install patches to devices.
I can see a setting where you can move the patch location for downloading them from the site server to the D:\ drive for example instead of where the NS client is located on the C:\ drive. Is there a way around this C:\Windows\Temp issue or is this hard coded from the patch vendors?
We also started seeing clients disappearing when we checked for compliance to see how many patches are installed\not installed - any ideas why this happens?
Is there a way to not have to download so many patches from these bulletins?
What's the max amount of bulletins we should do in any one time?
Which settings should we fine tune to make this work correctly? The next group we deploy to is 10% of the estate and if they have the issues above we will be in for pain. After 10% it's 30%, so even more pain.
What install window do you configure - at the moment it seems to be most of the time, but ideally we only want to allow this to be Friday mornings between 2am to 6am, but at this rate I can't see much getting installed at all?
Do the patches get removed at all or do we as the administrator need to go in and remove them? Above example 900 patches that will be on the NS server and then site servers as well and then on the clients as well.
If we deploy on Saturday 2am to install to 300 machines. 50 machines are switched off and get turned on Monday morning 9am. Do the patches then get streamed to the clients and installed in the next window so 9am we have lots of patch downloads happening across the LAN and then local installs on the clients? If so is there a way to stop this?
What throttling settings do you enable for your agents for network consumption or do you not bother?
Any issues etc. it's good to know about with Altiris Patch management that are good to share?
Is there a recommended amount of patches\bulletins to select\use in each patch session? We need to catch up a bit and have a new system but I don't want to kill the NS or the clients.
If you are downloading the patches to the NS, then to the site servers and then to the clients if there are issues somewhere external (e.g. LAN being swamped with traffic and high utilisation affecting normal application access) how can you stop the process from happening at each stage?
If you have downloaded a patch already and you then select it again, will it download again or is there logic for it to know it's already available?
I know there is a lot here but many thanks for any assistance you can provide me. I have a call open with Symantec but I'm not getting that far with them.