Patch Management Solution

  • 1.  How to avoid unnecessary updates download?

    Posted Mar 17, 2015 12:21 PM

    Hello,

    I would like to know if there is some automatic way to avoid downloading updates that won't be installed in our environment.

    For example, our environment is only formed by Windows Server 2008 server and Windows 8.1 clients.

    If I create a Software Update Policy for MS15-009 Bulletin, then I have a lot of updates available (for every IE version out there). After some tests I've seen that if I uncheck some of them (the ones that aren't for my environment) the packages are downloaded to my hard disk. This is the first problem.


    The second problem is that in some updates I need to know if the file is the right one for my environment or not.

    So, finally, I decided to leave all of them checked but I would like to know if somewhere in CMS/Patch Management I can specify that only Windows Server 2008 and Windows 8.1 clients are in my environment so only a few files will be downloaded ...

    Any idea?

    Thanks.



  • 2.  RE: How to avoid unnecessary updates download?
    Best Answer

    Trusted Advisor
    Posted Mar 17, 2015 02:10 PM

    Home > Patch Management > Metadata Import Task

    Expand "Vendors and Software", then expand Microsoft, and select and deselect products that make sense for your environment.



  • 3.  RE: How to avoid unnecessary updates download?

    Posted Mar 18, 2015 03:28 PM

    For the first problem: You don't need to unselect the unwanted ones one by one while you set up the software update policy. The client machine will download only the updates that are applicable for it. I have personally verified this on a few machines. For example: I selected the updates for Windows 8.1 in my policy, but that was never downloaded into the C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery folder. So, I don't waste time unselecting the ones that are not required for my environment.

    For the second problem:

    Run the compliance report by bulletin from this location:

    Reports - Software - Patch Management - Compliance - Windows Compliance by Bulletin

    Right-click a bulletin and select "Applicable computers by Bulletin". This will open a new window showing the details of the computers, Operating System, Bulletin, Update, etc.

    Hit Save As, Spreadsheet. Filter the computer names by updates (X86 or X64); that will give you the information you are looking for.



  • 4.  RE: How to avoid unnecessary updates download?

    Posted Mar 18, 2015 03:59 PM

    x HighTower:

    Yes, I was doing that until I found some problems.

    I only maintain Adobe and Microsoft. For Adobe it is something "easy" as we only need to check Adobe Reader XI and Adobe Acrobat XI.

    For Microsoft, I only want Windows 2008 and 8.1; Internet Explorer; Microsoft Office 2013, Project 2013 and Visio 2013.

    The first problem is that when new products are added to this list, they are marked automatically. So I need to check this list every week for example.

    The second problem is that some updates for OS or Office aren't in the product itself (for example, MDAC, .NET, etc.). And sometimes the "family/category" for an update is not clear.

    So, the bulletin list is missing some items that you can get by checking for Windows Updates from the OS itself. So, some months ago we decided to check Adobe/Microsoft completely.

    x Kesh Man:

    Yes, I know that the client machine will download the right ones... The problem is that the server will download all the updates, including the ones for XP, older IE versions, etc. etc.

    For the second "problem" I've not explained it very well. I know the option "view applicable". It is the one I'm using right now for deploying patches in my environment.

    I was trying to explain that when I have all packages checked for a software bulletin, sometimes it is difficult to uncheck patches by name. For example, I'm sure that packages that have "2003" in their name aren't for my environment. But sometimes you need to know the naming schema for patches or similar.

    It would be a very good idea to have something like:

    - I want to import patches for Microsoft/Adobe using the vendors option

    - Specify somewhere that I only want to see the ones for Windows 2008/Windows 8.1, so when I create a policy for a bulletin, only the right packages for these 2 platforms are included, downloaded to the server, etc.

    My intention is to save disk space on the server, bandwidth, etc.

    I don't know if this is a feature in the new 7.6 version of CMS/Patch Management that I'll need to test ASAP.

    Thanks.



  • 5.  RE: How to avoid unnecessary updates download?
    Best Answer

    Trusted Advisor
    Posted Mar 19, 2015 09:06 PM

    Just so you know, Microsoft considers Windows 7 and 2008 as essentially the same operating system. And most of the patches apply to either one (Windows 6.1). So you'll absolutely get patches that are marked as Windows 7 but are, in fact, applying to your 2008 systems.

    .NET patches are .NET patches.  The entire bundle will download and apply.

    You're very concerned about disk space but what are your constraints? The patches download once from the Internet, stage to your SMP server, and distribute to Package Servers if you have them configured. I'm patching nearly 8000 computers from XP and 2003 with everything through 2012 including Office and other client-side MS apps and my patch catalog is about 50 GB. Is this a deal breaker?

    Also, does your product import really run automatically weekly?  We've been using SMP for a LONG time and I've only ever been able to get that product list to run when I click "Update".



  • 6.  RE: How to avoid unnecessary updates download?

    Posted May 14, 2015 02:55 PM

    Hello Licenses, 

    These guys have pretty much nailed it, but I thought I would toss in some additional info. 

    Regarding hard drive management (only for Site & Package Servers): Review the settings for the Windows Patch Remediation Settings > Policy and Package Settings Tab > Package Distribution as outlined on HOWTO56242 - Section 7; configuring the Package Distribution to 'Package Servers automatically with manual prestaging' will help to ensure only needed packages will be replicated to the Site/Package Servers and out to their managed Clients.

    Regarding targeting: You may also check the SSE Reports > Solutions > Patch > Patch Filters (TECH227522): This will show a list of all the updates (randomized) and you may right-click > open in new window; view the targeted clients for that update. The Compliance Reports show this in their rendering as outlined in previous comments on this post, but this report helps to view what is targeting as well.

    Lastly, you may review which Inclusions/Exclusions you have implemented on the PMImport MetaData > Vendors by importing the report found on HOWTO111054. This report shows each Vendor > Sub-Component > Enabled / Disabled.

    Please post any follow-up questions and we will be happy to help!