
Patch software best practice

Updated: 23 Feb 2012 | 7 comments
ttiller
This issue has been solved. See solution.

Looking for input about what to do when all my PCs have been patched by a software policy. Do you just delete the policy? Or do you disable and then delete? And when I delete the policy, does it remove the stored files from the server? If not, how do I reclaim that space? Appreciate any input.

Tommy 

Comments

sdubey, 13 Dec 2011

We leave it enabled for 1 year if it is a security update

Because our environment is always changing, new PCs on the network, old ones getting reloaded etc, we have decided to leave all security updates enabled for 1 year after they were initially rolled out. This covers us in the event of a new system entering the network that maybe didn't get a patch installed during its initial setup. Each month while I stage the new round of patches I also disable the ones that have reached their year end and then delete the task.

 

Shannon

Shannon DuBey

CMS/SMS 6.x & 7.x

ttiller, 13 Dec 2011

Thanks for the reply Shannon. So I guess my question would be is when you delete the task/policy, does that also delete the file off the server? Or do I need to go somewhere in my file structure to reclaim that space? Thanks again for the info.

Tommy

sdubey, 14 Dec 2011

yes and no

I may be wrong here, and one of the Altiris guys could correct me, but to the best of my knowledge the packages are not deleted from the server immediately. They are however "retired" so they will not get updated, used, or pushed to package servers any longer and the clock will begin to tick away on how long they stay out on the server. All packages have a time limit on them for how long they stay on the drive and it's set by adjusting the "delete unused packages after:" setting. We currently have that set to 1 year, because that is how long patches are left active in our environment, but occasionally I set that to 1 day, allow it to clear out all the old stuff, and then re-download any packages that may have been deleted that we wanted to keep around.

 

Hope that helps.

Shannon DuBey

CMS/SMS 6.x & 7.x

ttiller, 14 Dec 2011

Thanks Shannon. That does help. I'll check my setting and try to see if old stuff is going away automatically. Appreciate your time.

 

Sally5432, 14 Dec 2011 (1 vote)

I just went through the "how do I delete unused patches from server automatically" process with support this week.

It seems like under jobs/tasks - patch - integrity check, if you have the box checked for 

"Delete the updates that are no longer in use from the file system"

Then once a patch is not used in a policy (i.e. the policy is deleted), and if you go to the superseded report in the remediation center and right click on the superseded bulletin and click "disable" then the patch does get removed from the server the next time you have your integrity job scheduled to run (I think default is 1x a week).

If you disable a bulletin in the superseded report, but leave it in an active policy (even if it's unchecked in the policy), it doesn't seem to delete in my testing. I have some patch policies that have several patches in them is how this came up, some were superseded, others weren't.

In my site server settings, package service, "Delete package files if they are unused for" is completely unchecked for me, and those patches do delete.  I have a lot of packages (not patches) that don't necessarily get used often so I didn't want to check box.. I think.  Still trying to figure things out myself.

If anyone has anything to add regarding best practices here, please feel free to share.  Thanks.

---

ttiller, 14 Dec 2011

Appreciate the help. I had my "delete the updates that are no longer in use" checked and my "Policy and Package Settings" under settings>software>patch management>windows settings, set for deletion at one year. So it sounds like to me, once I disable and delete the policy, it will remove the software from the server after it runs the integrity check. Or if the policy is still in use, it will delete it after one year.

My package integrity schedule had been changed, so I set it back to one week. Lots of options when it comes to this program. Thanks again for the help. I hope I have it right now.

 

ohzone, 23 Feb 2012

I've unlocked this thread just in case some additional comments need to be made.

Thanks,
Cheryl

Endpoint Management,
Endpoint Virtualization
Community Manager
www.twitter.com/EMnV_symc
Need Altiris help? IRC chat #Altiris