Client Management Suite

  • 1.  Windows patch management V WSUS

    Posted Nov 19, 2010 05:26 AM

    Is there any document listing pros/cons of using patch management over WSUS? Our site at the moment is 200-odd users, but we will be adding a few other sites to this, so would like to know the main benefits of using patch management over WSUS in this environment.

    Joe.



  • 2.  RE: Windows patch management V WSUS

    Posted Nov 19, 2010 06:54 AM

    At the moment I prefer WSUS over Altiris Patch Management (for Windows).

    Cons of Altiris

    - Patch Management is the slowest web page of the whole solution

    - Needs more clicks to read bulletins, see dependencies, and see needed/not needed percentages, update errors, 64/32-bit, OS, etc.

    - Needs twice the time to do the same things

     

    Pro

    - Install policies use all the nice Altiris features like Wake-on-LAN, schedules, install window, etc. (For WSUS you can make a baseline install schedule through GPO.)



  • 3.  RE: Windows patch management V WSUS

    Posted Nov 19, 2010 10:30 AM

    We use WSUS now, but everything's manual.  That means our server teams are in every week during our maintenance window.  It also means we can't afford to take down our most important servers except once every quarter.  For that reason, we're looking to move to Altiris so that our updates are approved, assigned, scheduled, monitored, and resolved in the same place.

    The same goes for workstations.  Right now, we have to pull a compliance report from WSUS, then manually find the computers in Altiris DS, then send scripts to resolve, then re-run the report, etc.  I hope that by moving to patch management in Altiris, we'll be able to dynamically update filters so that problem computers auto-resolve.  A big problem right now is rolling out XP SP3 and Office 2007 SP2.  (I asked for a report in October and discovered the patch team had not approved it.)  WSUS isn't doing a good job of fully installing such large patches.

    WSUS also doesn't have bandwidth management, whereas Altiris does have bandwidth management.  This is important for our sites across slow links.  We're only around a thousand nodes, but with six or seven slow sites, this is a feature that would help.

    We could also use bandwidth features to restrict updating over slow connections like wireless or VPN, while still allowing users to upload patch statuses.  Because WSUS uses port 80 (or 443 if you go SSL) for everything, you can't throttle bandwidth and still maintain the status updates.

    Reboot management is another area where we'd like additional control.  Altiris has more control for reboot settings than WSUS.

    Altiris patch management also uses QChain, which means all applicable updates for a computer can be installed simultaneously and require only a single reboot.  With WSUS, multiple reboots are often required: patch, reboot, get more patches, reboot, repeat even more.  This is somewhat acceptable for workstations, but not even close to acceptable for our servers.  Again, our patch administrators do these manually and we're really looking to save time and reduce the number of outages required per server per patch event.

    Having an integrated tool is really part of it.  The ability to pull inventory, find compliance against your policy, and take remediation steps from the same Console is very important to managing patches well.

    A downside: I believe some items we currently get through WSUS may not be available through Altiris.  In this case, we need to be more careful that we stage items other than Security Updates properly (Service Packs, Malicious Software Removal Tool,  Feature Packs, etc).  There's also a slight delay in obtaining updates in Altiris, whereas WSUS has them right away.

    It's also nice that the Altiris Agent is already installed and I won't have to worry about WSUS communication problems or duplicate SusClientIDs.  Because patch is already within Altiris, I don't need to audit yet another system.  Instead, if it's in Altiris, I know that we see it.

    Finally, our Linux guy also does patching.  In addition to our 80 or so Windows servers, he's got 40 or so Linux servers.  I have no visibility on these, and he has no policies or automation.  By pulling this into patch management, we automate another manual process and eliminate another tool to maintain/place to check.



  • 4.  RE: Windows patch management V WSUS

    Posted Nov 20, 2010 05:32 PM

    Well put.  We actually run both solutions.  WSUS is in place to give us the early access to patches and because it saves us automating a few items that are not security patches.  The early access allows us to cut a day off of our deployment window.  Altiris doesn't offer non-security patches.  Other than that, we greatly prefer Altiris in a desktop environment.  The reboot handling alone is a selling point.

    Also,  I was more than pleased a couple of months ago with Microsoft's out of band patch.  Microsoft decided not to release it to WSUS immediately.  For once I had patches in Altiris sooner than WSUS.  I wish it were that way every month.



  • 5.  RE: Windows patch management V WSUS

    Posted Feb 01, 2011 09:58 PM

    So a few months back we switched our antivirus solution to Forefront. However, to deploy new virus definitions we had to enable WSUS. I have now noticed that a few minutes after Altiris finishes its patch cycle and gives the user an option to delay the reboot, WSUS will also prompt even though it didn't do any patching. Is there a way around this?



  • 6.  RE: Windows patch management V WSUS

    Posted Feb 02, 2011 05:10 AM

    Allegedly, Patch Management 7.1 will have the same coverage in the updates it offers as WSUS, though this functionality won’t be available straight away and isn’t in the beta.  This should include everything available in WSUS, such as service packs, with the exception of drivers.



  • 7.  RE: Windows patch management V WSUS

    Posted Feb 02, 2011 09:10 AM

    Correct.  Adobe and third-party patching will also be expanded.  I thought it was live in 7.1 production release, but perhaps it's not there until SP1 if you've heard differently.



  • 8.  RE: Windows patch management V WSUS

    Posted Feb 02, 2011 12:20 PM

    Patch Management 7.1 SP1 will contain the support for expanded 3rd party patching.  It is currently slated for an April/May release.