Client Management Suite

  • 1.  Is there a document somewhere that explains the entire patch management process?

    Posted Aug 19, 2011 09:45 AM

    We're running into an issue where some machines aren't finishing patching in a 4 hour maintenance window.  Now, some of these machines are missing quite a few patches, but 4 hours seems a long time.  I just want to verify that we don't have something misconfigured.


    For what it's worth, the bigger issue is that the maintenance window is closing before the machines can reboot the final time.  So the machines end up prompting for reboots...



  • 2.  RE: Is there a document somewhere that explains the entire patch management process?

    Broadcom Employee
    Posted Aug 19, 2011 10:52 AM

    what Patch Management version do you use?

    If this is 7.0 I can recommend to have a look at the following articles:

    Troubleshooting: http://www.symantec.com/docs/TECH127383
    Configuration: http://www.symantec.com/docs/HOWTO9835
    Best practices: http://www.symantec.com/docs/HOWTO3124

    (the last one covers mostly the 6.x version, but most of the information is applicable to 7.0 as well)



  • 3.  RE: Is there a document somewhere that explains the entire patch management process?

    Posted Aug 19, 2011 11:25 AM

    OK, I think those links helped some.  Let me present a scenario and hopefully the answers will help me totally get it.


    1. Computer needs patches and has a maintenance window of 02:00-04:00

    2. Computer starts and finishes all patches by 02:45

    3. Computer reboots

    4. Altiris now determines that it needs more patches (what does this?  Is it the Microsoft Vulnerability Analysis?)

    5. Patches are downloaded

    6. It's still ~02:45, so it's still in its defined maintenance window.  When will these new patches start to install?  Immediately, or is it based on some policy?



  • 4.  RE: Is there a document somewhere that explains the entire patch management process?

    Posted Aug 22, 2011 11:04 AM

    The computer will execute any policies if it's within the maintenance window.  So if it received the new policies at 2:45 a.m., it's going to say, "What are my remediation instructions?"  The remediation instructions are: "Remediate during your maintenance window from 2:00 a.m. to 4:00 a.m."  The computer, of course, knows it's within the remediation window and will begin to download and execute the policies -- in this case, software update policies.  Does this answer your question?

    For #4, yes, the Vulnerability Analysis (called a Windows System Assessment Scan in 7.1) runs on a schedule and is what determines whether a computer requires certain patches.  A new vulnerability analysis/assessment scan would be required in order to obtain additional updates to install.  That's because a new inventory must be posted to the NS and processed by the NS before the patch targets for the software update policies can be updated to include your computer.  Does this part make sense?

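The cycle described in the reply above (install the batch the NS currently targets, reboot, re-scan, let the NS process the new inventory and re-target, then install the next batch, all gated on the maintenance window) is easy to get wrong in planning, so here is a small model of it as an added example. It is not Altiris or Symantec code, and the patch lists, install times, reboot time and re-scan delay are all constructed assumptions for illustration. The `defer_if_no_fit` switch shows the check a practitioner usually wants: do not start an install that cannot finish and reboot before the window closes, so the machine never leaves the window with a reboot outstanding.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Patch:
    name: str
    minutes: int          # assumed install time (constructed; real values vary)
    reboot: bool = True   # whether the update leaves a reboot outstanding


def _hm(hhmm: str) -> int:
    h, m = map(int, hhmm.split(":"))
    return h * 60 + m


def in_window(now: datetime, start: str, end: str) -> bool:
    """True if `now` lies in the daily window [start, end). An end earlier
    than the start (22:00-02:00) is treated as a window crossing midnight."""
    t, s, e = now.hour * 60 + now.minute, _hm(start), _hm(end)
    return s <= t < e if s <= e else (t >= s or t < e)


def minutes_until_close(now: datetime, start: str, end: str) -> int:
    """Minutes left in the current window; 0 when `now` is outside it."""
    if not in_window(now, start, end):
        return 0
    t, e = now.hour * 60 + now.minute, _hm(end)
    return e - t if e > t else e + 24 * 60 - t


def simulate(batches, now, start, end, reboot_min=5, rescan_min=10,
             defer_if_no_fit=False):
    """Walk the cycle from the reply: install the batch the NS currently
    targets, reboot, then re-scan and let the NS re-target before the next
    batch exists. `batches` is a list of lists of Patch in targeting order.
    With defer_if_no_fit=True an install is skipped if it plus the reboot
    cannot finish before the window closes (fewer updates per night, but no
    reboot left outstanding when the window shuts)."""
    installed, t, pending_reboot = [], now, False
    for batch in batches:
        if not in_window(t, start, end):
            break                          # new policy arrived after the window closed
        done = 0
        need_reboot = False
        for p in batch:
            if not in_window(t, start, end):
                break                      # window closed mid-batch
            if defer_if_no_fit and p.minutes + reboot_min > minutes_until_close(t, start, end):
                break                      # would not finish cleanly; leave for next window
            t += timedelta(minutes=p.minutes)
            installed.append(p.name)
            done += 1
            need_reboot = need_reboot or p.reboot
        if need_reboot:
            if in_window(t, start, end):
                t += timedelta(minutes=reboot_min)
            else:
                pending_reboot = True      # the "stuck pending reboot" state from the thread
                break
        if done < len(batch):
            break                          # rest of this batch waits for the next window
        t += timedelta(minutes=rescan_min)  # assessment scan + NS processing before re-targeting
    total = sum(len(b) for b in batches)
    return {"installed": installed, "remaining": total - len(installed),
            "pending_reboot": pending_reboot, "finished_at": t.strftime("%H:%M")}


if __name__ == "__main__":
    start_at = datetime(2011, 8, 20, 2, 0)
    # constructed: 30 updates of 8 minutes each in a single targeted batch
    big = [[Patch(f"update-{i}", 8) for i in range(1, 31)]]
    print(simulate(big, start_at, "02:00", "04:00"))
    print(simulate(big, start_at, "02:00", "04:00", defer_if_no_fit=True))
```

With the constructed 30-update batch and a 02:00-04:00 window, the plain run stops after 15 installs at 04:00 with a reboot outstanding, which is the symptom the thread describes; with `defer_if_no_fit=True` it installs 14, reboots at 03:57 and leaves the rest for the next window. The numbers are only as good as the per-update time estimates, so feed the model your own measured install times before relying on it.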


  • 5.  RE: Is there a document somewhere that explains the entire patch management process?

    Posted Aug 22, 2011 01:35 PM

    Yep, that makes sense.

    I've still got a big problem though.  I had a server over the weekend that needed about 30 patches.  It only got through 15 before the maintenance window closed.  Now it's stuck in a pending reboot state.  This is happening over and over in my environment.  I went ahead and opened a ticket with support, as I've GOT to get this fixed asap.



  • 6.  RE: Is there a document somewhere that explains the entire patch management process?

    Posted Aug 22, 2011 02:56 PM

    Ok, looks like it may be a resource problem.  Ugh.  The CPU on this VM was pegged at 100% for the entire maintenance window.  Never seen that happen for Windows Update.  Any chance that anyone has heard of some patch bug in 7.0 SP2 MR3 that might cause this?