Client Management Suite


Patching not following schedules, patching at random times

  • 1.  Patching not following schedules, patching at random times

    Posted Jan 26, 2011 07:34 AM

    I am having an issue with the Windows patching system in Altiris 7.x.  I have machines patching at times and days they are not supposed to be patching and I don't know why.

    I have the "default" patching schedule disabled, and have created two new patching schedules oriented around Organizational Units in our Active Directory structure.  Essentially, the schedules are as follows:

    1 - IT Groups:  Patch from 5PM to 8AM every Mon-Fri of Week 1

    2 - Rest of Domain (except servers): Patch from 5PM to 8AM every Mon-Fri of Week 2

    And that's it.  Not a terribly complex setup.  Yet, I am running into situations where people NOT in the IT groups are patching on week 1 rather than week 2, or people are patching at seemingly random times without regard to the schedules.

    At first I suspected that it might be an AD organizational issue, that we had people or computers in the wrong groups.  But after doing a thorough check on everyone that I know of, NONE were in the wrong group, including myself, as my own machine also patched "out of cycle" one week.

    Worse, this month I was prepping the release package of patches early (we always patch one month behind to allow for full testing) and the very evening I released the patch package into the system, PCs started patching, even though the scheduled patch weeks weren't for another 2 weeks!

    It's gotten so bad that I have had to just turn off all the schedules and basically disable patching until I can figure this out.

    Has anyone else seen this problem?



  • 2.  RE: Patching not following schedules, patching at random times
    Best Answer

    Posted Jan 26, 2011 08:00 AM

    Do you use maintenance windows?  What type of schedule do you use for your maintenance windows (days of week, recurrence, time(s) of day, etc)?  Does your Software Update policy override maintenance windows?

    Given:

    IT 5p-8a M-F, week 1
    Desktops 5p-8a M-F, week 2

    And maintenance window (example):
    IT 5p-8a any day
    Desktops 5p-8a any day

    If your Software Update policy does not override (ignore) the maintenance windows, it's possible that it thinks it should use the maintenance windows.  You could try telling your Software Update policy to override (ignore) the maintenance window so that it only happens during the Week 1 and Week 2 schedules you've defined.  If it still happens after updating the policy, you at least know it's not a Maintenance Window issue.

    Have you reviewed the diagnostics logs from a computer that has this issue?  It may offer clues as to why an event is happening at a given time.

    This similar issue, in regards to patch reboots, may shed some light:
    http://www.symantec.com/business/support/index?page=content&id=TECH127411



  • 3.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 10:48 AM

    Doesn't the Patching Policy COMBINE with the Maintenance window?  That is how it was laid out in the instructionals.

    Strictly speaking, My Patching Policy is:

    IT Group - Mon-Fri of Week 1 starting at 1700 hours

    Everyone Else - Mon-Fri of Week 2 starting at 1700 hours

    And my Maintenance Window is:

    Every Day, 5PM to 8AM.

    The way I understand it, these two should combine by Altiris first consulting the Maintenance Window (Every Day, 5PM to 8AM) and then consulting the Patching Policy (But ONLY on Mon-Fri of Week 1 or Week 2 depending on group.)  Is this wrong?  If so, how do I correct it to get that result?



  • 4.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:00 AM

    Override the maintenance window.  You could test the theory by following these steps:

    1. Put a test computer into its own group
    2. Assign a maintenance window that's 24 hrs a day, 7 days a week
    3. Assign a patch policy for 3-4 weeks out
    4. Approve a new patch
    5. See if the computer installs the patch; if so: modify the maintenance window to 1 hr a day, only on X day of the week, and approve another new patch; if the computer does not receive the patch, you know the maintenance window was causing the issue
    6. Configure your policy to override maintenance windows, so that the only schedule that matters is the Software Update policy schedule.


  • 5.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:10 AM

    How do I then get the Patching Policy to STOP Patching?

    The whole "scheduled time" thing only gives a START time, not an END time.  If I override the Maintenance Window, then won't the PCs just keep patching and patching even if it's the middle of the workday?  If that is what will happen then that's NOT an acceptable solution.



  • 6.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:17 AM

    Do the patches need to be installed during Week 1 for IT and then during Week 2 for Other Desktops?  Or is it that patches should not be approved for release until Week 1 for IT and until Week 2 for Other desktops?

    Can you use the Advanced button to define a 'start' and 'end' date?



  • 7.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:29 AM

    I would use these settings.. but maybe that's what you're already doing.

    Run
    On a schedule
    Add schedule
    Advanced
    Start 1/31/2011 (Monday)
    Check the box for End and choose 2/4/2011 (Friday)
    Ensure you are NOT overriding maintenance windows, and allow the maintenance window to define the hours used for the patching and reboot.



  • 8.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:42 AM

    Wait.  I can't do that on my Update policies.

    Just to be clear, when I'm talking Patching Policies, I mean the Policies listed under Settings -> All Settings -> Agents/Plugins -> Software -> Patch Management -> Windows -> <Group name> Software Update Plugin Policies

    I do NOT mean the "Policies" (really just packages of patches) listed under Manage -> Policies -> Software -> Patch Management -> Software Update Policies -> Microsoft (or Adobe)

    THOSE policies don't receive a Schedule; that is supposed to be controlled by the Plugin policy.

    Are you saying I need to put a schedule on THOSE too?



  • 9.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:49 AM

    Do the patches need to be installed during Week 1 for IT and then during Week 2 for Other Desktops?  Or is it that patches should not be approved for release until Week 1 for IT and until Week 2 for Other desktops?

    Both.  Patches should not be released until the specified weeks for the specified groups, and then the systems should ONLY patch during their specified window, not after or before.

    To be clear, I want to have a one-week "window" once a month during which the PCs in the specified groups would receive and install ALL necessary patches from ALL available release packages (or "Software update policies", as they are confusingly called in Altiris).  Once the week is over they will stop patching, and then begin again during the next window, picking up where they left off and completing any leftover patches from the previous month before installing patches from this month's release.



  • 10.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 11:58 AM

    No, not on those, too.  I assumed you needed different settings for different groups of patches.  It's best practice to inherit from the plug-in policy.  Your edit makes clear what you're looking to do.

    Your plug-in policy should have an Advanced button that gives a start and end date.  I would define the start and end dates.  At the end of a patch period, update the dates for the next month's patching event.

    Would this accomplish what you're looking for?



  • 11.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 03:33 PM

    I'd rather not have to be constantly messing around with the policies.  For one, there is always a "lag time" to get all the various clients updated with the plugin policy changes.  For another, there is human error.  Inevitably, I know that I will screw up the dates and then catch hell for it from Management.

    I need a bullet-proof scheduling setup that I can just dump patches into and have a guaranteed result come out the other end.

     

    I think I'm going to try just simply disabling the Maintenance window altogether, and see how that goes.



  • 12.  RE: Patching not following schedules, patching at random times

    Posted Jan 26, 2011 03:45 PM

    The result of disabling the maintenance window is that your patches can install and reboot at any time during that one week period, which you still have to define each month by selecting the dates.



  • 13.  RE: Patching not following schedules, patching at random times

    Posted Jan 27, 2011 07:31 AM

    So basically, you gave me the answer back in your first post (second post in the thread) and I just didn't understand what you were trying to tell me.  Figures.  I'll tell ya, sometimes I just can't help but miss the point.

    Thank you for your patience in clarifying this.  You guys are really the best.

    Thankfully I've FINALLY gotten approval to go for training for Altiris.  (Yay!)  So hopefully less dumb questions from me in the future. 

    Thanks!
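
The schedule described in this thread (IT in week 1, other desktops in week 2, Mon-Fri, 5PM to 8AM) can be checked against recorded install times to find machines that patched out of cycle. The following is an added example, not part of the original thread and not Altiris code; the record layout, computer names and the "week N = days 1-7, 8-14, ..." definition are assumptions.

```python
from datetime import datetime, timedelta

# Intended policy from the thread: group -> week of the month in which patching may start.
ALLOWED_WEEK = {"IT": 1, "Desktops": 2}
WINDOW_START_HOUR = 17   # 5PM
WINDOW_END_HOUR = 8      # 8AM the following morning

def window_start_day(ts):
    """Return the date whose 5PM-8AM window contains ts, or None if ts is in working hours."""
    if ts.hour >= WINDOW_START_HOUR:
        return ts.date()
    if ts.hour < WINDOW_END_HOUR:
        return (ts - timedelta(days=1)).date()   # early morning belongs to the previous evening
    return None

def week_of_month(day):
    """Assumption: week 1 is days 1-7 of the month, week 2 is days 8-14, and so on."""
    return (day.day - 1) // 7 + 1

def check_install(group, ts):
    """Return None if the install time fits the group's schedule, else a reason string."""
    start = window_start_day(ts)
    if start is None:
        return "outside 5PM-8AM window"
    if start.weekday() > 4:                      # 0=Mon .. 4=Fri
        return "window opened on a weekend"
    if week_of_month(start) != ALLOWED_WEEK[group]:
        return f"week {week_of_month(start)}, expected week {ALLOWED_WEEK[group]}"
    return None

def audit(records):
    """records: iterable of (computer, group, 'YYYY-MM-DD HH:MM'). Returns violations."""
    violations = []
    for computer, group, stamp in records:
        reason = check_install(group, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))
        if reason:
            violations.append((computer, stamp, reason))
    return violations

# Constructed sample data (not from the thread): install times exported from patch reports.
SAMPLE = [
    ("IT-PC01",   "IT",       "2011-02-01 18:30"),  # Tue of week 1, evening: OK
    ("IT-PC02",   "IT",       "2011-02-05 02:10"),  # Sat 2AM, belongs to Fri 4 Feb window: OK
    ("DESK-PC07", "Desktops", "2011-02-02 19:00"),  # week 1 instead of week 2
    ("DESK-PC09", "Desktops", "2011-02-09 11:15"),  # mid-workday
    ("DESK-PC11", "Desktops", "2011-02-12 20:00"),  # Saturday evening
]

if __name__ == "__main__":
    for v in audit(SAMPLE):
        print(v)
```

Early-morning installs are attributed to the previous evening's window, so a Saturday 2AM install counts as part of Friday's window rather than as a weekend violation.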