What do you do with patches that get updated after you have deployed them?

Created: 13 Mar 2013 | 8 comments

Hi Guys/Girls

Just wondering what you do with Patches that have been updated after you have sent them to your client machines. For instance MSRT-001 or any other patch that gets updated after you have created your job and pushed it out.

I created a job for MSRT-001 and every month it tries to install. Obviously because it has been updated via Symantec servers. It is using the policy that I created months ago.

Do you create your monthly patch job and set an End time/date so that this doesn't rerun? The issue I have with that is that any new machines that get put onto the network will not get all the patches that they require.

Would you advise me turning this setting on? 'Automatically revise Software Update Policies after importing patch data'.

I hope I have provided enough information. If it does not make sense I will try and explain a bit more.

Regards
Jason

oi_son wrote:

Hello again, I don't suppose anyone has got any advice for me with this?

BTW - I am using 7.1 SP2 of SMP.

Thank you
Regards
Jason

Roman Vassiljev wrote:

Hi Jason,
Yes, in order to keep existing SWU policies up to date you need to enable the revise checkboxes - in this case, after each PM import task, existing SWU policies will be updated according to the imported patch data:
- With the checkbox 'Automatically revise Software Updates Policies after importing patch data' enabled - if the vendor re-released some software update, it will be re-downloaded.
- With 'Enable distribution of newly added Software Updates' - if the vendor added some update to an existing bulletin, this update will be downloaded, added to SWU policies containing this bulletin and distributed to targeted clients.

Thanks,
Roman

oi_son wrote:

Thank you so much for your reply Roman.

I am unsure what the best way to configure my patch management is. I am wondering if others (including you Roman) could let me know how they do their patching. Or what I could do in my situation.

I will explain how I do it.
• When the patches come out for the month I will go through them to see what is applicable to my company.
• I then Download/Stage and create the policy for testing.
• The policy will then be tested on some test machines. If all goes well then we can proceed with production.
• Production consists of 2 separate rollouts for 3 separate locations. So I have to create 2 policies (I wish I could do this with 1 policy) but I can't, from what I understand, because 1 of the locations has to be rolled out at a different time.
• The policies are setup with the following settings:

- Run (other than agent default) and set a scheduled time/date (the date can change each month because the company likes to do the patching towards the end of the month normally on a Wednesday or Thursday).

- End Date. Not ticked. (The reason for this is because when a new machine comes onto the network I want it to receive all the patches that it requires.)

- No repeat on schedule (this will make sure that the machines, if turned off at the scheduled time, will get the patch when they start up).

- Override Maintenance Windows settings. Ticked.

The problem with my setup is that if a patch gets updated by the vendor, let's say for example MSRT-001, and this patch was set up in some previous policies, it will attempt to install on ALL machines automatically because I didn't set an End Date on the policy. But I do not wish to put an end date on the policy because I want it to install on any new machines that come onto the network.

So I seem to be stuck with this.

I can configure my maintenance windows to only turn on at a certain time but I don't think this will help me because the patches get rolled out at different dates each month.

Should I make the patch rollouts happen on the same day each month to make this better? Maybe I should setup the repeat to happen on the last Wednesday Or Thursday of each month? The problem with that then is that if a new machine gets put into the network it will take that long for the patches to get installed on those machines.

Any advice on this would be great.

I hope I have provided enough information here. If not please ask me where I should provide more info and I will.

Regards
Jason

Joshua Rasmussen wrote:

Hello Jason,

Unfortunately, I cannot provide a short answer. In review of your main concern, here is a summary of how Patch deals with revised updates:
When Microsoft revises an update, it is seen as a 'newly added update' by Patch Management. The update will be a new version and have an updated executable (v2, v3 etc).

It is advised to enable the settings you outlined in the 'Import Patch Data for Windows' screen shot. They are most helpful in regards to this process.

  • The first, 'Automatically Revise...', helps to ensure the Software Update Policies are updated, for if the update is revised and this is not enabled, the Software Update Policy will be completely disabled.
  • The second, 'Enable distribution...', helps to ensure the individual software update advertisement is enabled on the Software Update Policy following the refresh of the revised packages.

These settings are detailed further on KM: TECH40390.

In review of your environment:

  1. Default Software Update Plug-in Policy cloned for 2 separate Software Update Cycles (SUC)
     • This is to control the date / time for the locations separately
  2. The schedule of the SUC is not configured with 'End Date' nor is it repeated
     • This is to ensure the powered-down clients will run the SUC when they boot up.
  3. Override Maintenance Windows is enabled
     • This is to allow the client to run the Software Update Cycle outside the Maintenance Windows

My advice moving forward:
     Enable the settings on the 'Import Patch Data for Windows' to allow Revise / Enable, for that will ensure the Software Update Policies are refreshed with the current software update packages from Microsoft. This will ensure your clients have the latest / greatest version of the update installed.

     Keep in mind that the Superseded updates, updates completely replaced by a newer update from Microsoft, will not be reported on or applied through Patch Management. Enable the setting on the Import Patch Data for Microsoft to 'Disable Superseded Updates' as this will help performance on the SMP.

     Next, disable any 'Run' options enabled on the Software Update Policy. Allow for the Software Update Cycle to be executed on the Default Software Update Plug-in Policy (or a clone of the Plug-in Policy) and that will ensure the clients run as specified.

     Keep in mind that with 'Override Maintenance Windows' enabled, the client will run the Software Update Cycle on the detailed schedule from the Default Software Update Plug-in policy. This is a good idea, for it allows the Software Update Cycle to execute unhindered by Maintenance Windows.

     Last, due to the limited schedule to run once a month, run the Software Update Cycle on the client with a 'Windowed Schedule' on the Default Software Update Plug-in Policy. Allow for multiple reboots during the process to ensure the client is not hung on a reboot-required step and fails to finish installing the updates. This can be configured to run over a duration of 3 hours or so and have the Software Update Cycle execute on the 1 hour mark. You could go as aggressive as 30 minute executions, but I would keep it as close to 1 hour as possible.

     The configurations for 'Windowed Schedule' and other items listed are detailed further in KM: HOWTO56242 under Step 7. Testing this process is key before rolling out in production, for you want to ensure the overall configurations are in order.

Hope this helps,

Joshua

oi_son wrote:

Hi Josh

Thanks heaps for your detailed response. I have enabled 2 out of 3 options so far and am testing. How long should the Import Patch Data for Windows take after enabling the settings?

I enabled the "Automatically revise Software Update policies after importing patch data" setting and the "Disable all superseded Software Updates".

I did not enable "Enable distribution of newly added Software Updates" just yet. I wanted to test it without anything being installed for the time being.

Anyways I left the normal MetaData schedule set to 1am as it normally is. The last one ran for 31 hours. I thought maybe it was the first time it has run so it might take that long. Well the next one, which is still running now, has been running for almost 22 hours. Previously it didn't take nearly this long.

This seems to be clogging up the bandwidth a bit on my servers (NS and DB) or at least making them both slow.

Is this normal?

[Attachment: Patch Import 08-04-2013 10-29-33 PM.jpg]

Joshua Rasmussen wrote:

Hello Jason,

This does present a concern. The time spent on this process is most likely one of two things: 1. Multiple languages enabled on the PMImport, or 2. Numerous Software Bulletins downloaded & Software Update Policies created.

Here are some checks you can perform moving forward:
1. Ensure, following the initial run, the 'Incremental download' setting is enabled, for that will help the PMImport run more effectively.

2. Delete the scheduled run of the PMImport until the process is under 24 hours, or schedule to run twice a week, for the import tasks will be queued and back up on the SMP, and that can cause performance issues.

3. If you are on PM 7.1 SP2, review the PointFixes found on KM: TECH185667, for these two PFs will help with performance. Note: these PFs were implemented as part of the PM 7.1 SP2 MP1 upgrade.

4. Review the report for Running Tasks found on KM: HOWTO54534, for there may be hung tasks that are overburdening the SMP.

5. Review the SSE Tool found on KM: HOWTO60787 (SSETools.zip), for this helps to view general health of the SMP and the database.

If you have any further concerns following these checks, you will want to contact support, for a review of the environment on WebEx would be best.

Thank you,

Joshua

HighTower wrote:

oi_son, what version of the SMP are you running? Do you have MP1 installed?

Or, if Josh or Roman were able to help you resolve this can you mark one or more of their replies as the solution?

Thanks!