Patch Management Solution

 View Only

  • 1.  SWU policy Package Options to allow immediate restart?

    Posted Feb 12, 2014 11:51 AM
      |   view attached

    Hello there,

     

    I attached the screenshot of the Software Update policy "Package Options" here. Would you please advise if I should uncheck the "Allow immediate restart if required" options in the Package Options?

     

    My concern and doubt are that if the first KB got installed and required restart but be put in "pending", can the rest of the KB(s) still be going on to install during and within a deployment? It seem like if one patch is pending restart, the rest of the KB supposed to be install during that one deployment is postponed???

     

    Please advise.

     

    Thank you so much,

    Charlie.



  • 2.  RE: SWU policy Package Options to allow immediate restart?
    Best Answer

    Posted Feb 12, 2014 04:37 PM

    Yes I would disable that option, as it is far better to use the "At end of software update cycle" option which is part of the "Default Software Update Plug-in Policy" policy.



  • 3.  RE: SWU policy Package Options to allow immediate restart?

    Posted Feb 12, 2014 04:58 PM

    I concur with SK and strongly advise to only use Package Options for one-off conditions. (Example: you have a solid schedule outlined on the Default Software Update Plug-in Policy, but one update merits a run outside that schedule, so you will use the Package Options for deployment).

    The main reason is that the SWU Policy will target for install, and if it fails for whatever reason (e.g. client needed a reboot prior to the update schedule), the client will fall back on the Default Software Update Plug-in Policy schedule, and if it fails once more, it will run as soon as possible (see KM: TECH41865).

    The Default Software Update Plug-in Policy schedule can be cloned and utilized for any target group of clients to ensure control of install / reboot for that particular Filter. The details of this process are outlined further on KM: HOWTO56242.

    Hope this helps,

    Joshua



  • 4.  RE: SWU policy Package Options to allow immediate restart?

    Posted Feb 13, 2014 11:09 AM

    Hi SK and Joshua,

     

    I highly appreciate your prompt reply and recommendation.

    So, we would disable/uchecked the "Allow immediate restart if required" option. If SWU policy failed for any reason, the cilent will fall back to plug-in policy schedule for install/reboot of patches.

    If plug-in policy schedule failed again, it will run ASAP. Does this mean the install or reboot may happen at any time???

    If this to be happened in production, that would mean a production server went down for reboot without (1) Change Record request/approval, without (2) IT announcement to system owner/customers/other consumer/producer interfaces, and without (3) approval schedule ???

     

    Would you please advise how we would prevent this from happening? Should we have maintenance window set up with specific targets or with no target?

    Thank you,

    Charlie Tran

     

     



  • 5.  RE: SWU policy Package Options to allow immediate restart?

    Posted Feb 13, 2014 12:22 PM

    Yes, your client will reboot outside the schedule if it fails initial install as configured on the Software Update Policy > Package Options, for it will fall back on the Default Software Update Plug-in Policy, run the install then, and the client will reboot when complete. 

    The concept of this behavior; if the 'one-off' Package Options in the Software Update Policy are being utilized; this update needs to get out ASAP. Otherwise, one would use the Default Policy to manage schedule. Again, these Package Options are intended for single deploy of urgent updates that need to run outside a scheduled update cycle, or for a test run of an update to a test filter.

    As for Maintenance Windows; they allow for the Altiris Agent to dominate the Patch Plug-in and runs the Software Update Cycle as soon as the window opens, for the Agent says 'I am in a maintenance window; do what needs to be done now.' This behavior is outlined in KM: TECH127411, and this is why the Update Policies have the 'Override Maintenance Windows' setting. 

    My advice; disable all Package Options on the Software Update Policy, configure the Software Update Cycle solely on the Default Software Update Plug-in, and configure this policy as needed for each targeted filter via Clone, Windowed Schedule and reboots as needed (detailed on KM: HOWTO56242 - Step 7).

    Please note; my purpose is not to overwhelm you with possible issues, but more to advise of 'gotchas' to be aware of. If the environment is well maintained with scheduled reboots, and the clients are in order for installing updates, you may never see any anomalies deploying via Package Options schedules. 

     



  • 6.  RE: SWU policy Package Options to allow immediate restart?

    Posted Feb 13, 2014 11:09 PM

    Hi Joshua,

     

    Thanks so much for your great advice and recommendation. I really appreciate your prompt reply and time.

    It is really a great solution to my question and concern.

    Have a great day, buddy

    Charlie Tran