
XP EOL - how are you handling?

Created: 20 Mar 2014 | 15 comments

Ok so with XP EOL coming up in 18 days... how are you handling the patching after this?

We are migrating to Windows 7 at a slow rate due to hardware, vendors and the sort... many issues... but we're going..

but for the time being a section of our company is paying for patches (something like $200 per machine???)

anyway.. we will be given the files, which I will have to set up as SWD... no biggie.

Question comes here...
how do you handle say reboot message?

we do not force reboot machines but use the message every 2hrs that machine needs to be rebooted.... so now if I do a SWD... ok I can push it as software.. but patch won't pick up that patch installed and pending reboot? or will it? I am testing this now in a VM. I uninstalled MS14-013/15 from my VM, rebooted, disabled policies for those 2 so they won't go out... then installed via explorer.. did not reboot and waiting to see if I get a message... doubtful.

I need to come up with a way for a reminder and only if patches are installed. I could do a packaged message for after installing to show that message but not sure..

so how are you handling these things???


andykn101's picture

Software Delivery will do reboots and messages but we don't bother for patching. We automatically turn off most PCs every night and reboot nearly all the remainder every week.
 

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

TeleFragger's picture

so I'm looking.. how does one have it add messages? the only thing I can think of is for me to create a message box via wisescript and have that pop up after....

don't care about the reboots as we will not force reboots as we can't...

Did we help you? Please Mark As Solution those posts which resolve your problem,

andykn101's picture

Sorry, I think Software Management only gives a message, not configurable, if you use the Advanced Options of the Software in a Policy to select On Success: Restart.

Can you not power PCs off at night to effect the reboot?
 


TeleFragger's picture

now we can't force a reboot of the computers as we are in a laboratory environment. Due to this a scientist may have something running for days, weeks, months... so we keep the annoying message up. Sometimes they reboot, sometimes they move it off to the side.


TeleFragger's picture

well only 1 reply.. yes I saw where we can do reboots and defer up to 55 days.. not good enough as it will go after that...

so I need to learn a few things by end of next week and how to do this..

1. let's say 1 IE patch comes out and we get them through our paid support. I know right now I would need to take all versions of the .exe (IE6-11) and create a software package in the catalog. so I would have a total of 6 software catalog items.

2. determine how to deploy them.... qchain.exe??? ( never used it )

3. determine if software compliance report will even report on XP after the support days (gonna post a new topic)

4. if report does then there are my targets but if not create an IE filter for each version and target that way and just apply even if they have the patch

5. figure out a method to prompt for reboot so I'm thinking to package a wisescript .exe to deploy. Issue with this is each of my SWD policies would be to deploy the IE patch then the custom reboot prompt. Great unless you have 4 patches... IE and 3 x OS patches then need it to only run 1 reboot message not 4 of them.....

so still not sure how I am going to do this that is why I started this thread but I guess most everyone is either not worried about it or off of xp... 


andykn101's picture

4. You can use Detection rules to do Targeted Inventories for each Patch and/or make sure you get your Applicability rules right so they don't try and download or run where not needed.
 


TeleFragger's picture

I haven't done detection rules yet... do you have any experience in this? we tried it before but couldn't figure it out. I think it would work well... any reference to docs? I'm gonna use that funky button called search.. cheeky


andykn101's picture

If you have access to a 7.0 or older 7.1 system Patch Management used to use Detection Rules so there are some examples there. Joel Smith has done an excellent set of How To articles on Software Management:

https://www-secure.symantec.com/connect/articles/s...

For Internet Explorer patches you'd probably be looking for specific versions of IExplore.exe.
 


TeleFragger's picture

yes I created a custom inventory to hit the version key in the registry.. now I am getting somewhere..


TeleFragger's picture

Tried the detection rules but it did not work the way I wanted it to... My XP and Win7 box have IE 8 and it said it had both IE 8 and 9, so my current way is working nicely where I inventoried the reg key.


cnx_steve's picture

Regarding point 3, Symantec says that PM will not report on XP after EOL is reached:

http://www.symantec.com/business/support/index?pag....

TeleFragger's picture

Yes I saw that while searching like a madman... I did create a custom inventory for reboot status... placed it into the DL section and waiting for approval. Once that is done I am going to do an article on my full XP Patch cycle as SWD.

Had to create

IE Custom Inventory

Reboot Status Custom Inventory

Patch specific filters

add patches to catalog

policies per patch file

Reboot message to user that will reboot when they click OK

so more to come...

Did we help you? Please Mark As Solution those posts which resolve your problem,
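A reboot-status check of the kind described in the post above, as an added example (this is not the poster's custom inventory and not Symantec code). It reads the standard Windows registry locations that indicate a pending restart on XP and shows one reminder no matter how many patch policies ran; the function names are hypothetical, and it assumes the script is run with cscript in the logged-on user's context after the patch jobs.

```vbscript
' Added example: detect a pending restart on XP and remind the user once.
Option Explicit
Const HKLM = &H80000002

Dim reg
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' True when the key exists (EnumValues returns 0 only for an existing key).
Function KeyExists(path)
    Dim names, types
    KeyExists = (reg.EnumValues(HKLM, path, names, types) = 0)
End Function

' Installers queue replacements for locked files here until the next boot.
' Other software (for example antivirus updates) can also populate it,
' so treat a hit as "restart advisable", not proof that a patch is waiting.
Function HasPendingRenames()
    Dim values
    HasPendingRenames = False
    If reg.GetMultiStringValue(HKLM, "SYSTEM\CurrentControlSet\Control\Session Manager", _
                               "PendingFileRenameOperations", values) = 0 Then
        If IsArray(values) Then HasPendingRenames = (UBound(values) >= 0)
    End If
End Function

' update.exe-based hotfix packages leave a non-zero Flags value until restart.
Function UpdateExeFlagSet()
    Dim flags
    UpdateExeFlagSet = False
    If reg.GetDWORDValue(HKLM, "SOFTWARE\Microsoft\Updates\UpdateExeVolatile", _
                         "Flags", flags) = 0 Then
        If Not IsNull(flags) Then UpdateExeFlagSet = (flags <> 0)
    End If
End Function

Function RebootPending()
    RebootPending = KeyExists("SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired") _
        Or HasPendingRenames() Or UpdateExeFlagSet()
End Function

If RebootPending() Then
    WScript.Echo "RebootPending=True"
    MsgBox "Updates were installed. Please restart when your work allows.", _
           vbInformation, "Restart required"
    WScript.Quit 1   ' non-zero exit lets a delivery job or report key off the state
Else
    WScript.Echo "RebootPending=False"
    WScript.Quit 0
End If
```

Because the check reads machine state instead of being chained to each patch package, it can be scheduled once after the IE and OS patch policies and still produce a single prompt.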

TeleFragger's picture

ok so I want to run this by anyone and see if anyone saw this.

I went to set up MS14-037 to our machines understanding only Win7 and up will get the patches. (we do not have Vista)...

now I know patch is no longer supported so my reply is more of a if anyone saw this and if they knew why time was even spent on this?

we have paid for extended support so we can get the files but I was wondering why Symantec has even bothered to spend any time on this.

First thing I noticed is the files are named with _guid and the policy points to files without that...

I also went and ran the file and it errors out... so bumb files.. just not sure why time spent....

Policy.jpg files.jpg error.jpg


andykn101's picture

They are patches for XP Embedded, still supported until Jan 2016 AFAIK.
 


TeleFragger's picture

^^ thank you.. yup we figured that out so I have to still do it my original way which is via swd...
