Patch Management Solution

  • 1.  under what conditions is it copied to client but not installed

    Posted Nov 04, 2015 04:42 PM

    I don't yet know enough about Patch Management to be able to ask the question properly, but it came up while going through HOWTO56242 and reading about scheduled patches vs. maintenance windows, staging vs. installing, etc.

    The "patch" or software involved in a bulletin - update or patch or whatever - is downloaded onto the server or a location you otherwise define. Got that, it's simple - you can't push and patch if you have nothing in your hand to push or patch with. So the server downloads the files needed to take care of Microsoft's critical rated bulletin 123. Say it's 3 files to get that bulletin taken care of.
    You right click, choose to download the "patch" and it says complete, 3 files are now on your Notification Server for use by Patch Management.
    I assume we can say the software is staged on the server.

    Now you want to get it out to the masses.
    The software that was downloaded to the server and staged there now needs to get to the client - and it would run from the location on the client to install or do its patch work.
    In a way similar to how Windows updates work - you first must DOWNLOAD the updates, then it starts to run through that list to install them.

    The HOWTO docs say that it may be staged on the client but not installed - under certain scheduling conditions?
    That's the part I don't get - if it made it to the client, why doesn't it just go ahead and install the 3 files that are part of that policy - that bulletin?

    Under what conditions would it stage onto the client but not install it - and why would it do that instead of following through and finishing the job?

    I might see a possible use for that - if you needed to get it out there but wanted to wait for the actual install, but this document made it sound like it just did it that way if this were in place and that wasn't or some thing I didn't fully grasp.



  • 2.  RE: under what conditions is it copied to client but not installed

    Posted Nov 04, 2015 06:23 PM
    When you stage the patch and create the bulletin, the PCs that you have targeted the patch at and that have it as applicable will download it. That is provided they have a Patch assessment scan policy running to do the assessment scan. But they will only install the patch on the schedule set in the Patch Install Policy; you can have more than one of these, but no PC should have more than one of them applied. So you might have one for desktops for 22:00 every night and one for servers for once in 2030 - this enables the patches to be downloaded to the server but only installed when you go into the Software Update tab on the Symantec Management agent and select "Run software update cycle". So a PC can have more than one Patch policy but should only have one Software update Plug-in Policy (the patch install schedule policy).


  • 3.  RE: under what conditions is it copied to client but not installed

    Posted Nov 05, 2015 08:03 AM

    If I truly understand that, then that totally changes my thinking on "when" patching should happen.

    If I have this correct -  if the agent is set to run the patch assessment scan say every 4 hours just to use a number, I assume that this 4 hours starts counting down from the time a computer is "turned on" and the agent is functional - meaning it's somewhat random unless all users come in at exactly 7:00 am on the nose, and they coordinate any computer restarts with a starter's pistol.

    It's the downloads that kill the WAN, not the patch installs - so if this stages the software then WAITS until the appointed time that the policy states for the actual patch event or installation, no wonder you keep saying you have no problems with the product killing performance.
    If I have this right, the only issue or inconvenience is the processor and memory taken for the patch install itself (and any restart that may be required if one is required). 
    I believe you are saying the download of the patch from server to computer is somewhat random and very unlikely to kill a WAN link.

    This document 56242 states that if there is a maintenance window enabled and a set schedule for a patch using Run (other than agent default) and On schedule, the patch would download during the maintenance window but not install until the agent's patch policy time *if the check was there to over-ride the maintenance window*.

    Otherwise if Override Maintenance Windows settings was NOT checked in the patch policy, it would download and apply during the maintenance window.
    Does that sound correct?

    Thanks for the great explanation. That's a keeper I'm printing for my notes.



  • 4.  RE: under what conditions is it copied to client but not installed
    Best Answer

    Posted Nov 05, 2015 12:41 PM
    If you set every 4 hours with a windows I'm not sure how that's triggered, you can check on the Symantec Management Agent when that's run for any specific PC and use the Software Execution Report to see when it's running on all your computers. The patch will start to download as soon as the Computer picks up the policy. If you have problems with your WAN you might consider putting in a Site Server running the Package service on the remote sites so the package only gets downloaded over the WAN once. A desktop will do for a small site. The timing partly depends on how often your Symantec Management Agents do a policy update - if it's 15 minutes then all your PCs will start to download any patches they need within 15 minutes of the Patches being enabled. I'm not that familiar with maintenance windows - I prefer to use a combination of fixed schedules and unobtrusive packages to avoid the need for them.


  • 5.  RE: under what conditions is it copied to client but not installed

    Posted Nov 05, 2015 02:28 PM

    We don't have WAN problems so much as it is related to SCCM and/or how the person who used to run it operated it - we have historically had problems with SCCM saturating things as it pushed updates out once a month to 300 computers at once.
    My guess is that part of the problem was how SCCM operates and part was user error (or lack of understanding?)
    Even done in 2 phases sending gigabytes of Microsoft patches through each month, all at once, to 300 computers doesn't go well.

    That's why I'm looking at how this stages the patches/software. If the patch(es) all go out to all computers at the same time, that could be trouble.
    But if they get the file staged to them a few at a time or as computers check in, that's fine.

    I don't have concerns for this product if it's going to stage the software based on a certain randomness of agents checking in. We can control that interval and if it's 15 minutes from the time they start up, then every 15 minutes after that, it's going to be quite random and that's great.

    I'll look but I can't see leaving it at 15 if that's how it comes default.

    The information on how it gets the software there vs. the actual "install" or "application of the staged patch" timing is very helpful. Again, you've nailed it with a good explanation. That along with the documents I have printed and laying by the keyboard have taken me far the last couple of days.

    Still learning but hey, I got a Flash update out to between 1/3 and 1/2 of the target group of 75 out in short order and not so much as a hiccup anywhere. No one even seemed to notice.
    Granted Flash files are small, and don't normally require a reboot, but the fact I got it out like that gave me a pretty good feeling, especially since part of that went out before I left yesterday and I never even noticed an increase in traffic.

    I have a good feeling about the product. Me, not so much - there's still doubts about me, it will still take time to learn this, but the product can't be blamed for my DNA-based requirement for many details before I move or needing to see a picture of something.



  • 6.  RE: under what conditions is it copied to client but not installed

    Posted Nov 06, 2015 11:32 AM

    Just a value add...

    It may be that this question is about the difference between the SMP Bulletin Policy and the Software Update Cycle. One makes the files and command available, the other executes the commands.

    Windows System Assessment - A scheduled event that verifies available patch IsInstall/IsApplicable rules and informs SMP.

    SMP Bulletin Policy (Staging) - A bulletin policy that targets computers and allows them to begin downloading the associated files and installation commands.

    Software Update Policy (Installing) - A policy that tells the computer when to perform the Software Update Cycle using the associated installation commands.

    Patch Installed - The outcome of the installation commands. (Installation DOES NOT EQUAL Applied)

    Patch Applied - A Patch Assessment needs to be run that verifies available patch IsInstall/IsApplicable rules and informs SMP.

    There are some caveats to some of these, but this should provide the basic understanding.
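    A small model of the staging-versus-installing split described in reply 2 and the lifecycle laid out in reply 6, as an added example that is not part of this thread or of Symantec's product code. The client names, agent start times, the 15-minute policy refresh, the 22:00 schedule and the `reassess_after` delay (standing in for the next assessment scan) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
# Simplified model of one bulletin's lifecycle on a client, in the thread's terms: the
# bulletin policy stages files at the agent's next policy refresh, the Software Update
# Policy schedule installs them, and only a later assessment scan reports "applied".

@dataclass
class Client:
    name: str
    agent_started: datetime        # when the Symantec Management Agent came up
    applicable: bool               # result of the patch assessment scan
    install_at: "time | None"      # its Software Update Policy schedule (None = manual)
    events: dict = field(default_factory=dict)   # stage -> timestamp

def next_refresh(client, after, interval):
    """Next agent policy update: ticks every `interval`, counted from agent start."""
    ticks = max((after - client.agent_started) // interval + 1, 0)
    return client.agent_started + ticks * interval

def next_install_slot(after, install_at):
    """Next occurrence of a daily install schedule, or None for manual-only clients."""
    if install_at is None:
        return None
    slot = datetime.combine(after.date(), install_at)
    return slot if slot > after else slot + timedelta(days=1)

def simulate(clients, enabled_at, refresh, reassess_after):
    """Walk each applicable client through staged -> installed -> applied."""
    for c in clients:
        if not c.applicable:
            continue
        c.events["staged"] = next_refresh(c, enabled_at, refresh)   # download begins
        slot = next_install_slot(c.events["staged"], c.install_at)
        if slot is None:
            continue     # stays staged until "Run software update cycle" is triggered
        c.events["installed"] = slot
        c.events["applied"] = slot + reassess_after   # seen only after the next assessment
    return clients

def stage_spread(clients):
    """Seconds between the first and last client starting its download."""
    ts = [c.events["staged"] for c in clients if "staged" in c.events]
    return (max(ts) - min(ts)).total_seconds() if ts else 0.0

def demo_fleet():
    # constructed sample: bulletin enabled 09:00, 15-minute agent policy refresh,
    # desktops on a 22:00 schedule, a notebook on a manual-only policy
    fleet = [Client("pc-a", datetime(2015, 11, 5, 7, 2), True, time(22, 0)),
             Client("pc-b", datetime(2015, 11, 5, 7, 9), True, time(22, 0)),
             Client("pc-c", datetime(2015, 11, 5, 8, 55), False, time(22, 0)),
             Client("nb-1", datetime(2015, 11, 5, 8, 30), True, None)]
    return simulate(fleet, datetime(2015, 11, 5, 9, 0), timedelta(minutes=15),
                    timedelta(hours=4))
```

Downloads land minutes apart (one per agent refresh), the two desktops install together at 22:00, and the notebook stays staged with nothing installed; "installed" only becomes "applied" after the next assessment.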



  • 7.  RE: under what conditions is it copied to client but not installed

    Posted Nov 12, 2015 12:57 PM

    That's also very helpful and good information. The product is nice, but it's so very different it's taking a bit to get used to terminology, processes, definitions and which needs to come before what.

    I'm getting there, but I'm sometimes not patient with things and sort of like my wife - she wants to know how to do something but doesn't want to learn how to do it. (I ask her if that's even possible....... but I don't get a response I really want.......)

    Yes, with Windows you can install something, but if there are files in use to be replaced that can't happen until the files are "closed" or Windows rebooted so the registry and pointers can be updated, etc.

    The Windows System Assessment is something I definitely want to know and read more about as it key to this whole thing in a lot of ways.

    There are times with this product I don't know enough about it to know how to ask the question intelligently so that it makes sense to others, or use terms that make sense - that doesn't help me in my quest for answers. To get good info back one must know what to ask and how.
    Basically, yes - I needed to know the levers, gears and belts and pulleys of this, what connects to what, and what relies on what, sort of like services, dependencies.
    That reply helps a lot and is a decent reference to have handy while I continue to learn this.

    We are hoping this isn't too pricy, too far out of our limited budget range as I already like it a lot and my boss is indicating he's liking what I am reporting and what I've shown him in this short time that it can do.
    The more I know, the better our case.

    Thanks. The folks in this area of Connect are extremely helpful and knowledgeable.
    I wish besides the "solution" possibility that we could also mark other responses as "also helpful".



  • 8.  RE: under what conditions is it copied to client but not installed

    Posted Dec 04, 2015 01:31 PM

    As I read through the responses I am not sure that your basic question was really answered.  Below I lay out a simple example I hope you can follow.  It takes a bit of wrapping ones head around to understand what your options are and I hope to provide clarity.  Everyone has different requirements so this may not apply.

    Our Requirements:

    • Deploy Patches in 3 stages - PM Stage 1 - 30-50 users that include mainly IT resources, PM Stage 2 - 30-50 additional users that include sample user resources from across the organization, PM Stage 3 - Entire organization (2400+)
      • Purpose of this is to not spend time testing each patch, but deploy in a staged approach with the intention of identifying issues with the smaller numbers
    • Deploy Patches to specific groups of people OR types of devices on different schedules and with different behaviour
      • We have Notebooks and other mobile Windows devices and we want them to get patches but NOT force a restart.  We provide a Notification for these devices that requests them to restart but not forced
      • We also have remote sites that stay open later than our main site.  We have about 8 different groups.
      • We also have the need to ONLY do this manually.  In this case we have delegated the task to the specific user(s) and we follow up.  In these cases all the patches get to the machine (copied to client but not installed).  The user then kicks off the Patch Cycle in the Symantec Agent
      • We have a "force Patch" group - place a machine in here and it checks every 15 minutes, installs patches and restarts at end of cycle
    • We also want some different behaviour for Multicasting across the network.  In most cases we have Multicast enabled so that large deployments are very light on the network.  In the case of our notebooks and Force group, we turn multicasting off.  This is based on the fact that in most cases not a large set of computers are in motion

    So, we have

    • 12 different DSUPs (default software update policies)
    • 5 different Targeted Agent Settings
    • 3 Stages to Patch Deployment in which stage 2 and 3 include the previous stages

    There is a bit more detail in this overall structure but I wanted to keep this short and answer questions for clarity.