Patch Management using Altiris CMS 7.1 SP1
Created: 15 Apr 2012 | 4 comments
Hi,
I want to understand if we can clone the Policy which we have created for deploying Security Patches. If yes, can you please guide me through the steps which need to be followed to clone the Policy which is created for Security updates?
I have checked, and the Policy clone option is not available for Security updates if you right-click on the security update policy which you want to clone. For other policies like Inventory etc. you get the option to clone the policy, but not for the security update policy which you have created.
Can anyone help me on the same?
4 Comments
If you're talking about cloning "Software Update Policies" you can't do that. Yet.
You can go to this Idea and give it an upvote:
https://www-secure.symantec.com/connect/ideas/patch-allow-cloning-software-update-policies
What is the recommendation if we need to deploy the same set of patches to different filters at different times?
a) Create a new Policy every time for the same set of patches
b) Change the Start Time of the Policy every time you want the policy to be targeted to another filter at a different time, and then apply it to another filter. Are there risks associated with playing with the same policy multiple times? Is this the recommended option?
I've been able to configure the same set of patches for my enterprise (fortunately). In light of that here's what I do:
1. I create one (or two, depending on the month) Software Update Policy for each month. So, for April 2012 I've enabled all of the bulletins that we've approved and then assigned those bulletins to a policy named "2012 04 April - MSSB". My naming convention is such so that they sort together chronologically and MSSB stands for Microsoft Security Bulletins. I might have another one for Windows Updates, Service Packs, etc.
2. I've created maintenance groups and then created filters reflecting those maintenance groups. The groupings are purely for scheduling purposes.
3. Then I created a unique policy for each of those filters. Each policy has its own schedule.
Until Altiris can assign scheduling based on an event and not on a date I manually change these policies monthly to a new target date. Our process is based on "X # of days since Patch Tuesday" or the "3rd Thursday after Patch Tuesday". Sometimes this doesn't work out the way you'd like it to.
Does this help?
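The monthly re-dating described in the comment above can be computed instead of worked out by hand. This is an added example, not part of the thread and not Altiris functionality: the maintenance group names and offsets are constructed, and "3rd Thursday after Patch Tuesday" is read as the third Thursday strictly after that day.

```python
from datetime import date, timedelta

TUESDAY, THURSDAY = 1, 3  # date.weekday() numbering: Monday is 0


def patch_tuesday(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def nth_weekday_after(anchor, weekday, n):
    """n-th occurrence of `weekday` strictly after `anchor`."""
    step = (weekday - anchor.weekday()) % 7 or 7  # same weekday -> next week
    return anchor + timedelta(days=step + 7 * (n - 1))


# Constructed maintenance groups (assumption): each maps to one scheduling rule.
GROUPS = {
    "Pilot": ("days", 2),                  # 2 days since Patch Tuesday
    "Desktops": ("days", 7),               # 7 days since Patch Tuesday
    "Servers": ("weekday", THURSDAY, 3),   # 3rd Thursday after Patch Tuesday
}


def schedule(year, month, groups=GROUPS):
    """Return {group: target date} for one month's patch cycle."""
    anchor = patch_tuesday(year, month)
    targets = {}
    for name, rule in groups.items():
        if rule[0] == "days":
            targets[name] = anchor + timedelta(days=rule[1])
        else:
            targets[name] = nth_weekday_after(anchor, rule[1], rule[2])
    return targets


if __name__ == "__main__":
    for year, month in ((2012, 4), (2023, 2)):
        print(f"{year}-{month:02d} Patch Tuesday: {patch_tuesday(year, month)}")
        for group, target in schedule(year, month).items():
            # A target outside the cycle's month is worth a manual look.
            note = "" if target.month == month else "  (falls in next month)"
            print(f"  {group:<9} {target}{note}")
```

When Patch Tuesday lands on the 14th, a weekday-based rule can push a group's date into the following month, which the script flags in its output.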
Create a bulletin for the same set of patches, e.g. '2012.04 April'
Apply it to all computers
Computers will install the updates at different times, as defined through cloned Default Software Update Plug-in policies. Cloned policies are applied to targets, and computers not targeted by a cloned policy will continue to receive the Default Software Update Plug-in policy.
For example, clone the Default Software Update Plug-in policy three times, and call them Software Update Desktops 1 a.m., Software Update Laptops 2 a.m., and Software Update Servers 3 a.m. Then apply each to Desktops, Laptops, or Servers, as appropriate. Any computers not caught by your method for defining laptops, desktops, and servers will continue to update and reboot according to the Default Software Update Plug-in policy.
Having approved the April patches as part of the 2012.04 April policy, the desktops will install and reboot at 1 a.m., the laptops at 2 a.m., your servers at 3 a.m., and all others according to the default policy's settings.
This should be sufficient to meet your needs, since each Software Update Plug-in policy can have new start dates, and you don't need to modify the bulletin policies.
Does this work for you?
Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com