Patch Management Group

As several others have posted in the past the windows assessment scan for patch management kicks off at the same for all our servers and triggers alarms in our vmware environment.  Our server environment is 80% virtualized and as such impacts our virtual hosts.  We have the same issue with Inventory as well.  The standard solution is to create separate assessment scan policies with different start times applied to groups of systems to manually stagger the workload.

This is fine but it is less than ideal if the filters happen to overlap or, and more importantly, some systems are left without a scan policy.

Has anyone come up with a creative solution that is less manual and more dynamic?  I'm thinking along the lines of 4 (or so) dynamic filters that takes all windows servers with the software update plug-in and drops the first 25% in Filter #1, the next 25% in Filter #2, etc.  

Hoping not to reinvent the wheel if someone's already figured this out.

I know for inventory the aexruncontrol.exe can be used to randomize the inventory job and I'll probably end up doing that for our systems (someone posted a way to hack NS7 to do this) but again in a time when most folks are going virtual you'd think that randomization would have been baked into the product.  Any Symantec engineers out there know if this is in the works?

 

Thanks in advance for any ideas

Try using the first character of the system's guid to build the target filters. It should be random. Something like: Select c.guid From inv_aex_ac_identification c Where Left(c.guid,1) in([0-3])

You could also possibly not use the built in schedule, but instead build a task with a random sleep() call in it that executes the segment scam using the same parameters add the automated scan. the tasks would ask kick off at the same time, but the actual scan start time would be randomized on each system. Not familiar with the inventory if esx and vms, but maybe you could leverage vm host info to distribute the task amongst guests on various hosts...

Some of my customers use this method or use mac address. You just need to find out an easy identifier that has an even spread throughout the nodes being targeted.

This seems to work out fairly well if I use the the characters 0-9 and A-F (queries pasted below divided into 4 groups).  

Seems ResourceGuid is limited to the hex character map (so no 'G', 'H', 'I', etc).

Going to give this a shot - I may divide by 2 instead just to cut the pie further (we have 400 servers mostly located in two main sites) but I like this as it is a "run once" type effort.  

 

I would be curious to see the script to generate this as I'm unsure of the following:

1. VBScript/Powershell/Batch?  
2. Would it be as simple as executing the aexpatchutil /I command or does the built-in assessment task perform other functions as well?

Thanks for the replies, this is great.

I've settled on the following template which used the default assessment scan target (all systems with software update plug-in installed) as the base query then uses the GUID query listed above to divide the systems into 8 groups.

Remarkably the groups are very evenly divided so it worked out great.

I then attached each of these filters to a clones of the assessment scan and kicked them off at different intervals every 4 hours (starting at :00, :07, :15, :22, :30, etc).

 

Glad it helped. The guid is random and assigned by the smp which is why it was so evenly distributed. Honestly not sure on the details of the assessment scan,I think it does do something other than just running aexpatchutil, but not 100%.