Start patching process directly

Created: 17 Feb 2013 | 5 comments

Hi,

I have a quick question.

I just installed an Altiris 7.1 test system to test the patch management solution. For the client communication I used SSL.

Then I created a test filter with 5 machines where I installed the client. The communication between the client and the notification server looks good.

I downloaded the patches, created 3 test policies and applied them to the filter. Some of the patches were installed on the machines after 2 days. (So in general the process is working.)

Now I have added a new server, the patch management solution was installed, and I tried to start the patch management process directly. But I’m not able to do this. I requested a configuration update, which worked fine, the maintenance window is turned off, and in the policy I configured the rollout as ASAP.

Nevertheless, nothing gets installed. I waited over 2 hours, and in total I have only these 5 machines, but no patches get installed. WHY?

How can I trigger a rollout immediately? Why is it not starting directly when the server has nothing to do? Can someone explain the process to me?

Thx BR Torsten

Roman Vassiljev

Hi Torsten,
What do you mean by "Start patching process directly"?

Updates included in SWU policies are received by clients only if these updates are detected as applicable and missing on the client.

The general process is the following:
1. The assessment scan is executed on the client and its result is sent to the NS.
2. The NS receives the result of the assessment scan from each client and knows which updates are applicable and not installed on clients (this information is shown in Patch Compliance reports).
3. Hidden Patch filters (filters that include machines where the update is missing according to current patch compliance data) are updated for each patch from existing SWU policies. The Patch Filters update interval is specified in Windows Remediation Settings (All Settings > Software > Patch Management > Windows Settings > Windows Patch Remediation Settings > Software Update Options).
4. As soon as the Agent configuration is updated, the agent should receive the SWU policy if the client is included in the targets of the SWU policy and the update was detected as missing.
5. Updates are downloaded to the client and can be installed according to the specified schedule and options.

Thanks,
Roman

mmathews

If it is 7.1 SP 2 MP1.1, your agent may be hanging, keeping it from getting the new patch policy. Try stopping and restarting the service on one of your clients, update configuration and send basic inventory. If the patch then appears, your agent is hanging up. If the policy still doesn't appear, it could be something else. Or the patch hasn't been distributed to your package server yet. You may look at what your schedule is on your package server to see if the download is still pending.

Michael Grueber

Please see Roman's comment above.  You can't use the Patch Management Solution to install a particular patch on a computer until:

  • The system assessment scan has been run on that computer;
  • The assessment finds that patch is applicable and not installed;
  • The results are reported back to the Notification Server; and
  • The computer in question is added to the hidden filter associated with the policy (or policies) distributing that patch by the scheduled task running in the background on the Notification Server

The Patch Management Solution will not attempt to download and install a particular patch on a computer unless it determines that the patch is applicable to that specific computer and is not installed on that computer.  If the Patch Management Solution just downloaded and attempted to install patches on every targeted computer, then it would not only waste a lot of bandwidth but would also result in many installation failures in cases where a patch was not applicable to a particular computer.

It's also important to understand that the hidden filter serves the same purpose.  If you create a policy that targets, for example, all Windows 7 computers, you don't want that policy to distribute the patches in that policy to every Windows 7 computer.  Rather, you want the policy to only distribute the patches to those Windows 7 computers that need them.  That's what the hidden filter does.  When the system assessment scan informs the notification server that a particular patch needs to be installed on a specific computer, the scheduled task that I mentioned above uses that data to identify the policy that contains that patch and adds the computer to the hidden filter for that policy.

You may be asking why this process doesn't happen instantaneously and immediately when the results of the system assessment scan are reported to the notification server.  The reason that this process is driven by a scheduled task rather than happening instantaneously and immediately when the results of the system assessment scan are reported to the notification server is to mitigate the risk of performance issues that could occur on the notification server if this process were to run instantaneously and immediately every time that results of the system assessment scan were reported to the notification server by each managed computer.  You have full control over the frequency that this scheduled task runs, but it's important to understand that the more frequently this task runs, the more likely it is that it could result in performance issues on the notification server.

Torsten Klein

Thank you for your postings! They help me to understand the process in more detail and answer most of my questions. In my case there were different reasons why it was not working. One client was really hanging, but there was also a misconfiguration in my filter.

I was also confused that the agent doesn’t show all patches that were already installed (by the system or by a user). I mean the list on the agent, “software updates”  “Software updates for this computer”, that held all old activities in Altiris 6.0. This list is always empty on my machines. Only after patches were deployed do I see the installed patches for a while before they disappear.

Is there an option to change that setting? Can I somehow get the same view as in Altiris 6.0, where all patches show up on the agent side?

Thx BR Torsten

Roman Vassiljev

Hi Torsten,

"Only after patches were deployed do I see the installed patches for a while before they disappear. Is there an option to change that setting? Can I somehow get the same view as in Altiris 6.0, where all patches show up on the agent side?"

You should have the file InstallLog.csv containing information about executed installations of updates on the client machine. It is usually located under "C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\" on the client machine.
Please check http://www.symantec.com/docs/TECH147912 for more information on this change.

Thanks,
Roman