Patch Management Question
I use NS with Patch Management and was wondering: if I have a computer, and let's say it needs 166 updates that Altiris knows about, can I make it so that the computer goes out at a specific time and tries to retrieve the updates automatically?
You can set the software update agent configuration time to that time frame. That is when all patching activity takes place.
Jim Harings
Technical Solutions Consultant
Xcend Group
http://xcendgroup.com
I think I might have been a little unclear
I am looking for a way that I can have an Altiris agent go out to PM and say, "Hey, I see that you have all these updates, can I please have them, because I don't." I think the dashboard recommendation would work, but is there another way for just PM to do it? If so, how would I set that up?
What are your patch policies?
If you are not actively automating patch with Altiris already, you could enable a patch policy to have all machines apply their patches on some arbitrary date in the past, such as 1/1/1980. Because there is an active patch policy for the machine, it should automatically download and stage the patches, but unless someone manually adjusts the computer's clock, the patches will never automatically apply. At that point you could manually kick off the patch process via the GUI or via the AeXPatchUtil.exe with the /Xa switch.
Separate policies for new builds
An easy way to solve this issue is to create a collection called "Unpatched Machines".
Create a separate Software Update policy for new machines, with tighter update intervals.
Link the collection you created to the new policy, drop new machines into the collection during build, and remove them afterwards.
Lastly, and quite importantly, make SURE you exclude the Unpatched Machines collection from your standard Desktop Update policy.
Altiris Patch Management Solution 6.2 always has a delay
Altiris Patch Management Solution 6.2 always has a delay between adding a PC to a Notification Server and installing approved updates on a Client PC.
This delay will depend on:
• NS Agent configuration
• Additional agents installation schedule
• NS collections update interval
• Inventory Schedule
• Patch Management Configuration, especially the Patch Management inventories schedule
If you set a very aggressive schedule you may end up with an unresponsive NS and SQL server.
You need to consider the risk of having an unpatched PC on the network for a few hours vs. network load and NS/SQL usability.
In our environment all Client PCs install approved updates daily, so a new PC is unpatched for no more than 24 hours.
We are imaging PCs with XP Pro SP3 and currently have 31 outstanding updates for new PCs.
I wrote an article a while ago about how we configured Altiris Patch Management Solution 6.2.
Have a look and hopefully it will answer some of your questions.
https://www-secure.symantec.com/connect/articles/p...
PS: I am working on a process to install approved MS patches to all newly imaged PCs at the end of imaging from the Deployment Server. I will share my findings soon.
Andrey Shipov
Manchester, UK
An alternate method for the early build process
One thing I have done for 'immediate' updates in the build room is to add selected Microsoft patches to the driver\install directories that get FIRM copied down during the build process. This allows you to use the cmdlines.txt or GUIRUNONCE method to install patches before the machines connect to the network.
I have run across some really good methods of doing auto-updates in the past, but I'd have to dig around and beg for information to see if these methods are still valid.
Jim Harings
Technical Solutions Consultant
Xcend Group
http://xcendgroup.com