Client Management Suite

  • 1.  Can someone tell me why I shouldn't use WSUS

    Posted Aug 11, 2011 05:11 AM

    Ok - yet again after scanning a random machine with MS baseline analyser it shows the machine is missing 7 hotfixes. The NS report shows it as missing 1 hotfix, but fails to install this hotfix. I sincerely hope that 7.1 Patch management is a helluva lot better than this nonsense... this software just cannot be trusted. I'm considering asking the company to revert to WSUS if this app doesn't get better... I'm using the latest version of 7.0 (I know 7.1 is out but can't update at the moment... and... is it really any better?)



  • 2.  RE: Can someone tell me why I shouldn't use WSUS

    Broadcom Employee
    Posted Aug 11, 2011 08:38 AM

    Could you provide a list of hotfixes that MS baseline analyser finds to be applicable (but not NS)?

    Do you have more details on hotfix installation failure?



  • 3.  RE: Can someone tell me why I shouldn't use WSUS

    Posted Aug 11, 2011 09:00 AM

    See attached.

    Attachment(s): patch issue.doc (305 KB)


  • 4.  RE: Can someone tell me why I shouldn't use WSUS

    Posted Aug 11, 2011 10:07 AM

    1) Altiris\Symantec has always been focused on core security updates. MS Baseline Security Analyser finds all updates. For example, the Malicious Software Removal Tool is considered an update, not a security fix. So MBSA will say it's missing, and Altiris won't. Service packs were another example of this.

    2) Why is the patch that is applicable failing?

    3) Starting with 7.0 you could patch Adobe and with 7.1 SP1 there are a ton of 3rd party applications that can be patched. AFAIK, this is not available in WSUS.

    4) IMO Altiris has better reporting, but you've had some complaints about that (or the lack of customization options open to you).

    5) Adding another application and architecture, even if it shares resources, adds complexity where you don't need to, as long as you understand the limitations and workarounds of the existing software.

    In the end, as the solution provider it's up to you to recommend to the customer why you choose the solution you find best. I'm loath to blame one software over the other, because if my "holy grail" solution ever fails to work, I'm the one left holding the bag.



  • 5.  RE: Can someone tell me why I shouldn't use WSUS

    Posted Aug 11, 2011 11:14 AM

    I'm sure the WSUS thing has been hashed out a million times, but I'll say this:

    1. Altiris Patch Management 7.1 SP1 includes support for 20 or so third-party vendors, vendors whose applications have security vulnerabilities that are just as severe (and as commonly exploited) as Microsoft's, if not more so (Java/browser vulnerabilities are kind of popular).
    2. Altiris Patch Management 7.1 SP1 includes full support for all Microsoft patches, with the exception of the Drivers classification.
    3. If you don't like the reporting in Altiris, you will hate it in WSUS.  Seriously.  I've managed both, and it's useless.
    4. WSUS does not have management integration.  If you see a computer in WSUS (Tool A), you must record the data somehow (Tool B -- maybe it's a tool, maybe it's a spreadsheet, maybe it's an e-mail) to the system which will remediate the issue (Tool C -- which might be a nickname for the new guy at your Level I Support Team).  Can WSUS tell you if a computer is online?  Can WSUS force a computer to report patch status immediately?  Can WSUS respect maintenance windows?

    WSUS is really lacking.  There are a few things I appreciate about it, namely the ability to reboot only if no user is logged on, something I wish Altiris had available for the Software Update settings policy.

    So, short answer: yes, MBSA is going to find missing patches.  One reason, as has been mentioned, is that 7.0 does not have the full support for all Microsoft patches like 7.1 SP1 does.  Another reason is that Microsoft and Altiris use different detection methods -- MBSA just wants to see the files (.cab's, .msi's, etc) on the computer, Altiris wants to see the patch as installed (detailed file/registry scans).
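
    The scope difference described in posts 4 and 5 (security fixes versus every update classification) can be checked on the affected machine by asking the Windows Update Agent what it considers missing and grouping the results by classification. This is an added example, not part of the original thread or of either vendor's tooling; it assumes the agent can reach its configured update source, and the output column names are chosen here for illustration.

```powershell
# Added example: list the updates the Windows Update Agent (WUA) reports as
# missing on this machine, with their classification, so a long "missing"
# list from one scanner can be compared with a security-only scanner.
# Assumption: run locally in an elevated PowerShell session.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Standard WUA search criteria: not installed and not hidden by an admin.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$rows = foreach ($u in $result.Updates) {
    # An update has several categories (product, company, classification);
    # keep only the classification, e.g. "Security Updates" or "Service Packs".
    $class = @($u.Categories |
        Where-Object { $_.Type -eq 'UpdateClassification' } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        KB             = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Classification = $class -join ','
        MsrcSeverity   = $u.MsrcSeverity      # empty for non-security updates
        IsSecurity     = $class -contains 'Security Updates'
        Title          = $u.Title
    }
}

# Per-update detail, security-classified items first.
$rows | Sort-Object @{ Expression = 'IsSecurity'; Descending = $true }, KB |
    Format-Table KB, Classification, MsrcSeverity, Title -AutoSize -Wrap

# Summary: how many missing items fall into each classification.
$rows | Group-Object Classification |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

    Items that fall outside the "Security Updates" classification are the ones a security-focused patch tool may not list, so they are the first place to look when two scanners disagree on the count.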



  • 6.  RE: Can someone tell me why I shouldn't use WSUS

    Posted Nov 18, 2011 08:03 AM

    Please note that System Center Updates Publisher 2011 now extends the capabilities of WSUS by enabling patches of 3rd party applications, e.g. Adobe, Mozilla, etc., as well as custom internal line of business applications.