Patch Management Solution

  • 1.  Microsoft Group Policy settings for use with Symantec Patch Management

    Posted Apr 25, 2018 03:44 PM

    We are using Symantec Patch Management (8.1) and want to block clients from the ability to update directly from Microsoft. In Microsoft domain Group Policy we have disabled "Configure Automatic updates" and in "Specify intranet Microsoft update service location" we have entered a bogus name so that any attempt to update will dead-end. I'm not sure this is the best method but would like to know what Group Policy settings to configure so that we use the ITMS system exclusively.

    What has prompted this is that in our steps to migrate to Windows 10 we discovered that a computer system network device somehow knew there was an update available and tried to run but errored out, presumably because we had entered the bogus update location. We have now enabled "do not include drivers with Windows Updates" but we don't want it to even attempt to go out to Microsoft to look.

    Recognizing that Microsoft keeps changing the way it operates and that this is probably a MS issue, is there a recommended set of Group Policy configurations that will help us with utilizing Symantec exclusively?

    Thanks for any help.



  • 2.  RE: Microsoft Group Policy settings for use with Symantec Patch Management

    Posted May 10, 2018 12:32 PM

    Ping?



  • 3.  RE: Microsoft Group Policy settings for use with Symantec Patch Management

    Posted May 10, 2018 03:28 PM

    Have you posted on an MS forum too? You might have better luck there, as it’s more MS related, since the same would happen even if you were using an alternative tool other than Altiris. Granted, others using the SMP may have the same issue and have a solution.


  • 4.  RE: Microsoft Group Policy settings for use with Symantec Patch Management

    Posted May 10, 2018 05:21 PM

    I have not posted on MS because I assumed that there would be documented Symantec information about how GP needs to be configured for its product.

    In XP days we just disabled the Windows Update service and we were good. With Windows 7 and newer, that service needs to be running for any patching to occur but if the system is not redirected it will still look at Microsoft as well. We don't want that so I have just used the configuration item for redirecting to an internal WSUS server and put "doesnotexist" in the location. It has been working for a long time but I am getting ready to retire and I want to make sure that it is the right configuration to hand off to my successors.