
How Symantec can do Patch Management, the BEST one

Created: 14 May 2011 • Updated: 14 Mar 2012 | 14 comments

As I proposed at the Ratingen Field Enablement for Symantec partners last February (2011):

Symantec should provide a "ready to use" set of Jobs, or better, a customizable Workflow for PATCH MANAGEMENT, as a 3-step cycle:

  1. TEST
  2. PILOT

With full automation.


- Automatically download (on a custom schedule) any patch with at least a (custom number of) missing installs.

- Create one Policy per Bulletin, pre-activated on a customizable TEST target (test/pilot machines).

- After auto-rebooting the TEST machines and detecting that they are correctly back in service: send a notification email to a customizable email list "X", with the list of activated bulletins (each with a link to the corresponding policy) and a link to the targeted TEST machine list (as a reminder of which machines they are).

If there are no problems, no action is needed; the next step will run after "Y" days (1 or 2 business days).


- After a customizable number of hours/days: add a second "PILOT" target to all those patch policies.

- Send a notification email with the same bulletin list, each linked to its policy, and a reminder of the list of PILOT machines added.

- The patch will deploy and ask for a reboot immediately, offering some delay, but less than 5 hours :)

- Optional: send an email to the primary user (plus the owner, if AMS is used) of each PILOT machine just after a successful install, notifying them that the patch is there and that they should notify "X" if they suspect any problem.

If there are no problems, no action is needed; the next step will run after "Z" days (2 to 5 business days).


- As you have already guessed, all "patch managed" machines now receive the patch.

- A notification that the global deployment has run, with the list of patches and links to the policies, sent to "X".

- A notification with a report I have not found yet, after (1 week?), like:


Bulletin, KB          Return code        Nb Returns
MS11-023, KB123456    0 (Success)
MS11-023, KB123456    3010 (Success)
MS11-023, KB123456    1 (Failure)
MS11-023, KB7890123

(Of course, double-click or right-click to get the list of PCs :)

  • And, of course, a monthly NOTIFY review of the number still missing, but only for those associated with an active policy,
  • plus a separate notification (business daily) of the remaining number of Bulletins still to come ;-)

Nice to have: being able to deploy one patch at a time, for smoother patching.

I would like to be able to select a maximum number of patches per update interval, for example: 1 patch, a 1 business day interval, and a 2 business day delay before the next step:

Day 1:

- Patch A: automatically selected as the most critical with the largest number missing, deployed to TEST. Mail notification that all is OK after the last reboot = do NOTHING.

Day 2:

- Patch A: just check that the test machines can still log in; using a few real user machines can be a good idea.

- Patch B: auto-deploy to TEST (second most critical, by number missing), notify X.

Day 3:

- Patch A: auto-deploy to PILOT machines, notify users.

- Patch B: does the TEST PC still boot? (This will be a daily job to check, and if there is a blue screen you dig out the auto-archived email to reach the policy and stop it right now!! But only one policy/Bulletin to stop :)

- Patch C: TEST run (hopefully with more than one TEST PC, but if it blue screens, quick rebuild: see my other feature request for a quick "repatch").

Day 4:

- Patch A: no complaints from the business PILOT users today? OK, do nothing.

- Patch B: auto-deploy to PILOT machines, notify users. (They will also create an Outlook rule to auto-archive... but they should not auto-delete :)). You DO nothing.

- Patch C: does the TEST PC still boot? OK, do nothing (except check that the patch is really there...).

- Patch D: yes, you guessed it; just hope there are no more than 20 patches per month... But you do NOTHING, usually.

Day 5:

- Patch A: auto-deploy to all patch-managed machines: you do NOTHING...

- Must I repeat?

Main benefits:

1- You don't overload your Notification Server on a day with 12 Microsoft patches...

2- You don't spend a week guessing which one was crashing some of your machines (hopefully not all :)

3- You test each patch properly, without impacting your business,

4- You don't spend a full day per month managing your standard patches, so you can take time to manage the non-standard ones (service packs, commercial Adobe solutions not patched from Altiris, why some are in error...)

5- …

Main drawbacks: (a coin always has 2 faces)

- A lot of internal SPAM. But the daily email to your business test users is "contractual": if there is any problem with any patch, they are responsible for notifying "IT". IT can verify whether a patch "crashes" a system, not whether a patch "conflicts" with and disturbs a business application or process.

- The test PC may not need a patch that some other machines with "Microsoft/Adobe" add-ons not present on your test PC do need (you did not do the job correctly... do your best), so you can end up with all PILOT machines on a blue screen (less critical than all machines :).

Of course, if more than 100 are missing at the start, you can select 10 per day instead of only one. But this will deploy and create 10 different policies, so we can "deactivate" all 10 and reactivate each separately to find the problem one.

For the "Targets" we will have to manage: we can use editable predefined "Filters" with a manual list inside, except the last one, which will simply be "all machines with the patch plug-in".

That is the way, I'd say, the Symantec Altiris Patch solution will become the best one!

Tell me if you do not understand me; your feedback is welcome.
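The three-stage cycle described above, as an added example that is not part of the original post or of any Symantec product: one policy per bulletin that gains the PILOT and then the PROD target after the configured wait, and is deactivated (pending manual re-activation) as soon as a machine in the current target fails or does not report back after its reboot. The result dictionaries, the stage waits and the exit-code meanings are assumptions for the example.

```python
"""Added example (not Symantec's or the post's own code): one patch policy per
bulletin moving through the post's three stages, TEST -> PILOT -> PROD, and
auto-deactivated when a target machine fails or does not come back after reboot."""
from dataclasses import dataclass, field

STAGES = ("TEST", "PILOT", "PROD")
OK_CODES = {0, 3010}  # 3010 = success, reboot required

@dataclass
class BulletinPolicy:
    bulletin: str
    stage: int = 0          # index into STAGES; 0 = TEST target only
    days_in_stage: int = 0
    active: bool = True
    log: list = field(default_factory=list)

    @property
    def stage_name(self):
        return STAGES[self.stage]

def daily_run(policy, results, wait_days):
    """One scheduled run. results: {machine: install exit code, or None when the
    agent did not report back after the reboot}. wait_days: {"TEST": Y, "PILOT": Z}."""
    if not policy.active or policy.stage_name == "PROD":
        return policy
    failed = sorted(m for m, rc in results.items() if rc not in OK_CODES)
    if failed:
        # Stop here: a manual re-activation is needed before the next target is added.
        policy.active = False
        policy.log.append(f"ACTION: {policy.bulletin} deactivated at {policy.stage_name}, "
                          f"check {', '.join(failed)}")
        return policy
    policy.days_in_stage += 1
    policy.log.append(f"OK: {policy.bulletin} {policy.stage_name} day {policy.days_in_stage}, nothing to do")
    if policy.days_in_stage >= wait_days[policy.stage_name]:
        policy.stage += 1
        policy.days_in_stage = 0
        policy.log.append(f"NOTIFY X: {policy.bulletin} added target {policy.stage_name}")
    return policy

def simulate(bulletin, daily_results, wait_days=None):
    """Replay a list of daily result dicts (constructed sample data) for one bulletin.
    Default waits: 1 business day in TEST, 2 in PILOT, as in the post's example."""
    policy = BulletinPolicy(bulletin)
    for results in daily_results:
        daily_run(policy, results, wait_days or {"TEST": 1, "PILOT": 2})
    return policy
```

Running `simulate("MS11-023", [{"test1": 0, "test2": 3010}, {"pilot1": 0}, {"pilot1": 0}])` reaches PROD on day 3 with no action taken, while a TEST machine that never reports back leaves the policy deactivated at TEST with an ACTION line naming it.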

Comments (14)

Pascal KOTTE wrote:

TEST notification

A notification when the test computers have been restarted automatically and are correctly back online can be generated automatically by the workflow.

So we can notify: all is OK: we installed 5 patches, rebooted 5 times, 5 successes, and the test computers are still online. A single daily notification: all patches are OK, computers restarted well; if the Altiris agent comes back correctly, the computer should be OK. Nothing to do...

Rebooting after each patch is not a problem for test machines; for PILOT or PROD, we should limit it to the required number... It is not clear in Altiris whether multiple required reboots are handled well.

The problem is taking care to get a test machine population significant enough to need all the required patches.


As we can detect that all is OK (auto-reboot, see the machine come back to life), we could also force a non-required reboot after the last update to check that the TEST machines can still reboot and auto-login a standard TEST user. We should be able to detect when a "patch" is not going well, and auto-deactivate the corresponding policy so it does not go "live" in production before a manual "re-activation".

With a detailed report of the problems: install error code, machine reboot not coming back to "live"... in a separate email asking for an ACTION. Not "nothing to do" this time.

But at least it will not freeze all PILOT machines, or worse, all PRODUCTION machines, because the guy who should have read the notification was on holiday, or made one more auto-trash rule in Outlook that he should not have...

~Pascal @ Do you speak French? And use Altiris? Come and join us at the GUASF

Pascal KOTTE wrote:

In this scenario, 1 question: what happens if some machines in production need a patch that no TEST machine needs?

  • You made a bad choice of test machines, and you must add the relevant software to the existing TEST machines, or add 1 machine to your TEST population.
  • You will detect those with an additional report: a weekly notification of missing patches not associated with an active (or not yet active) policy!

Did I answer well?


GTDendo wrote:

Looks great. I would love to see something like this.

gwoodman wrote:

This sounds great... has anyone actually implemented this process, and would they share the jobs?

MaRRuT@CC wrote:

LiveUpdate Administrator can do that =) and it's free!

Pascal KOTTE wrote:

That's new? LiveUpdate Administrator does the patching for Windows, Microsoft software like Office, Adobe, Oracle, Firefox, Google, and so on???


Pascal KOTTE wrote:

A bulletin can integrate multiple "updates":

- We never know whether the TEST and/or PILOT groups of machines are significant or not...

We need to be notified (build a report) if "more than X" (depending on whether we are talking about servers = 0, or desktops = 1 or 2) missing updates in production were not deployed in the TEST and/or PILOT steps.

That is a tricky report, but possible with Altiris Patch.


Login to vote
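The "tricky report" from this comment and the weekly "missing patches not associated with an active policy" notification from the earlier comment, as one added example that is not part of the thread or of Altiris: it counts, per bulletin and machine kind, the production machines missing an update that no active (or pending) policy covers, and reports those over the "more than X" threshold (servers = 0, desktops = 1 here). The inventory dictionaries are constructed sample data, and the function name is an assumption.

```python
"""Added example (not the thread's or Altiris' own code): report bulletins missing
on production machines that no active or pending policy covers, with a per-kind
threshold as described in the comment (servers = 0, desktops = 1)."""
from collections import Counter

# "more than X" missing before a bulletin is reported, per machine kind (assumed values)
THRESHOLD = {"server": 0, "desktop": 1}

def uncovered_bulletins(missing, machine_kind, covered, threshold=THRESHOLD):
    """missing: {machine: set of bulletins the inventory reports as missing}.
    machine_kind: {machine: "server" | "desktop"}.
    covered: set of bulletins already targeted by an active or pending policy.
    Returns {bulletin: {kind: count}} for the bulletins over the threshold."""
    counts = {kind: Counter() for kind in threshold}
    for machine, bulletins in missing.items():
        for bulletin in bulletins - covered:        # only what no policy handles
            counts[machine_kind[machine]][bulletin] += 1
    report = {}
    for kind, counter in counts.items():
        for bulletin, n in counter.items():
            if n > threshold[kind]:
                report.setdefault(bulletin, {})[kind] = n
    return report

if __name__ == "__main__":
    # Constructed sample inventory: one server, two desktops
    sample_missing = {"srv1": {"MS11-023", "MS11-030"},
                      "pc1": {"MS11-023", "MS11-031"},
                      "pc2": {"MS11-031"}}
    sample_kinds = {"srv1": "server", "pc1": "desktop", "pc2": "desktop"}
    print(uncovered_bulletins(sample_missing, sample_kinds, covered={"MS11-023"}))
```

With the sample data, MS11-023 is skipped because a policy already covers it, MS11-030 is reported because a single server is over the server threshold of 0, and MS11-031 is reported because two desktops exceed the desktop threshold of 1.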
Pascal KOTTE wrote:

For those reading the "What's new" PPT from Symantec: you will notice that under both the CMS and SMS suites, it talks about "Patch automation".

So it looked like this feature request had been integrated into the latest 7.5.

But it is not. Don't search for it.


AndyN wrote:

Hi Pascal,

The new Patch Automation in 7.5 is in the new Workflow Store accessible through the Workflow designer.

Ludovic Ferre wrote:

Hi Andy,

Doesn't the Workflow Store point back here to Connect? This was the state of affairs a few months back (when it first made it to the Workflow Store).

Also, is this a full patch automation toolkit or the Zero Day Patch?

Ludovic FERRÉ
Principal Remote Product Specialist

TGiles wrote:

Yes, the Workflow Store points back to a specifically designed page that's hosted on Connect. I'm not aware of any Patch Automation toolkit being made available at this time.

Richard_Combes wrote:

The zero day patch workflow is available to download in the Workflow Solution Center. This allows you to automatically download and stage patch policies based on criteria such as the patch vendor, the target and the severity.

e.g. auto-stage all critical Java patches to servers as soon as they are available.

Workflow sends you an email when it has scheduled a patch based on these criteria. It will also send you an email each time it runs and no patches have been scheduled.

I've used it; it works well.

I suspect we are looking to extend it to a model like Pascal's later.

Pascal KOTTE wrote:

Hello Richie, Andy, Ludo: thanks a lot for your messages and answers. I will correct my other negative feedback about this feature not being available even though it was announced in the "What's new in 7.5" Symantec presentation. Glad to see it does exist in fact; I feel better and will try it, of course ;)


Pascal KOTTE wrote:

Here is the link from the Solution Center ;)

ZERO day patch Workflow

If anybody gets to play with it and compare it with Ludovic's tool,

so we can talk about them; thanks for sharing with us :)
